Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:40 AM
Connect Directly

Phishers Launch Zero-Day Exploits

Phishers are moving to the bleeding edge, and the new PhishTank will let companies observe their behavior

Look out. Phishing attacks are starting to use zero-day exploit code.

Two days after the Internet Explorer VML zero-day exploit code was released, phishers used it in their attacks, says Tod Beardsley, lead counter-fraud engineer at TippingPoint.

"That's unusual... Phishers don't usually take the bleeding-edge." But thanks to the increasingly popular WebAttacker hacker tool, which quickly added the VML bug to its repertoire once it was made public, attackers got the zero-day feature in their tool updates, he says.

Even so, most phishing attacks today are still the same old, same old: Poisoned links in fake emails and fake Websites, according to the latest phishing trends data gathered in the last year by TippingPoint from its own and other sources. Keystroke loggers delivered via email links or sometimes attached directly to a message, are still prevalent, too.

"The surprising part of this was how much more of the same it is," Beardsley says. "Fake email and fake Websites are still very effective."

And now there's a public clearinghouse for phishing emails and URLs: OpenDNS today launched its long-awaited PhishTank site, where users and Web developers can post and track phishes. (See DNS Gets Anti-Phishing Hook.) It's a neighborhood watch of sorts for phishing exploits.

"There's been no feedback loop for consumers," says David Ulevitch, president of OpenDNS, which is hosting PhishTank. "With PhishTank, you can be part of the process to clean up the Net."

"If you give your phish to one vendor, every other company loses out. PhishTank is totally open," Ulevitch says. That puts app developers on equal footing, too. "Now you don't have to pay Symantec, for example, to get access to phishing data to make your application more intelligent."

OpenDNS will release Outlook and Thunderbird email plug-ins soon as well, so a user's email package will automatically verify phishing emails based on PhishTank's database. OpenDNS is also making its free PhishTank API available to developers who want to interface to the site and its phishing data.

Meanwhile, phishers still prefer the easy way out, TippingPoint's Beardsley says, although tools like WebAttacker are putting more sophisticated features at their fingertips. "We expect to see good use of XSS in the near future for combining browser vulnerabilities in XSS using very popular Websites like YahooMail and MySpace, for instance."

Over 85 percent of phishing servers today are Apaches running PHP, according to TippingPoint's findings. "These are the preferred Web servers for phishers to compromise," he says. With PHP, "an attacker can upload his own custom content, which is ideal for phishing. And PHP module administrators haven't traditionally been quick on patches."

Most PHP machines belong to hobbyists, Beardsley says, and these tend to get "owned" the most by phishers.

"One person tricking another has existed for all time," OpenDNS's Ulevitch says. "You can't get rid of it altogether, but you can make it harder by raising the bar."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • TippingPoint Technologies Inc.
  • OpenDNS Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/10/2020
    Researcher Finds New Office Macro Attacks for MacOS
    Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
    Hacking It as a CISO: Advice for Security Leadership
    Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Changing Face of Threat Intelligence
    The Changing Face of Threat Intelligence
    This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-08-13
    Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
    PUBLISHED: 2020-08-13
    Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
    PUBLISHED: 2020-08-13
    Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
    PUBLISHED: 2020-08-13
    Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
    PUBLISHED: 2020-08-13
    Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version may allow an authenticated user to potentially enable denial of service via local access.