
'Hack-and-Pier' Phishing on the Rise

More and more phishers are hacking legitimate Websites, reports say

May 21, 2008 | 09:00 AM

By Kelly Jackson Higgins
DarkReading

Researchers have witnessed a growing trend in phishers hacking into legitimate Websites to host their phishing exploits, enabling them to keep their attacks alive longer.

In a blog post today, F-Secure’s Sean Sullivan noted a series of so-called ‘hack-and-pier’ phishing exploits that had been reported to phishing clearinghouse PhishTank.

“Instead of setting up their own sites, we're seeing more and more evidence of phishing from hacked sites; legitimate sites that are unknowingly hosting phishing,” Sullivan blogged. “And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the Website's administrator must be contacted to repair the damage.”

Phishers increasingly have been using legitimate sites to host their attacks. According to MarkMonitor, only a small percentage of phishing sites today are created with purchased domain names or hosting. “A study we did in late 2007 showed that over 80 percent of phishing sites were hacked legitimate sites or free Webhosting sites,” says John LaCour, director of anti-phishing for MarkMonitor. (See Phishers Enlist Google 'Dorks'.)

Traditionally, a phisher would register a bogus URL that looked a lot like the real thing, but was a letter or two off, such as “paypol” rather than “paypal,” or a more obscure URL that was less likely to get flagged. But those URLs can be easy to spot and shut down, so phishers have been moving to legit Websites as a way to extend the life of their exploits.

F-Secure’s Sullivan pointed to two recent hack-and-pier attacks that were reported to PhishTank, one on PayPal’s Website, and another on BBC Sales & Service Ltd. PayPal had a phishing pier hidden in its /administrator/ folder, and BBCSales had one in its /includes/ folder.

The big problem, of course, is that most Websites carry vulnerabilities, and phishers are quick to exploit them. “There is a virtually unlimited number of vulnerable Websites on the Internet,” says MarkMonitor’s LaCour. And they’re susceptible to password cracking, remote file inclusion attacks, and malicious file uploads, he says.

David Ulevitch, founder of PhishTank and OpenDNS, says hack-and-pier phishing is really nothing new. “It's always been much easier for a phisher to compromise a site and put up a phishing page rather than try to use a fraudulent credit card and register a domain and go through all the hassle,” he says.

F-Secure's Sullivan said in an interview that his firm in the past has seen many examples of hacked legit sites for phishing and other cybercrime uses. "It is a growing trend," he says. "Like any other technique, practice makes perfect."

Meanwhile, as long as there are vulnerable Websites, hack-and-pier phishing isn’t going anywhere. “Until the Website’s vulnerabilities are resolved, the phishers will just continue to hack and pier,” F-Secure’s Sullivan wrote.
