September 29, 2005

Collateral Damage from Phishing
The majority of phishing sites that I see have been inserted into existing Web servers in various places around the world. Somewhere along the line the server was compromised in such a way that the phisher can create a separate directory that holds the files that both display the lookalike pages (PayPal, eBay, Wells Fargo, et al.) to unsuspecting victims and process the username/password or other form entries to rob victims of their identities. My assumption is that most of these servers had some easily cracked or default passwords set up for them, which crackers must certainly cycle through regularly on any and all servers—in search of crackable Web (and other) servers. I see those attempts from time to time in my server's logs.
Hijack-style phishing sites come in all shapes and sizes (even though many of them use the same HTML and form-handling code obtained in phishing "kits"), but let me describe four types I continually encounter.
The first type is the default Web server placeholder set up by ISPs in anticipation of handing the server to a new customer. Phishing message URLs to this type of hijacked server are always numeric IP addresses because no domain name has yet been assigned to the IP. There must be tons of these otherwise inactive "sites" sitting on the Internet at any given moment (including inside organizations, such as universities), and if the default passwords haven't been changed, or their old Apache (usually) server software hasn't been updated, they're ripe for the picking. They remind me of the alien beings in the recent "War of the Worlds" movie, who planted "seeds" deep inside the Earth eons ago, waiting to be brought to life at a later time to eat everything within reach.
The second type is a Web site that is no longer actively maintained, but the original owner must have prepaid for a few years of domain registration and Web site hosting. No one is really at home for this type of site because the owner has moved on to some other venture, or got a real job. The last copyright notice update was two or more years ago, and it's not likely that any contact email address still works. And, unfortunately, the site was set up without much thought to security. Once compromised, the site's server is played like an accordion on The Lawrence Welk Show.
The third type is the small ISP whose own site or IP space has been intruded upon by a phisher. When I submit my standard phishing report to them, they assume a position of such denial that they refuse to believe such a thing could happen. My report includes a complete copy of the phishing message as well as a highlighted link to the URL within their IP space that contains the fraudulent material. The message header makes it clear that the message did not originate from the same source, but the active link clearly leads to their location. One ISP wrote back to ask me how I could have ever reached that "secret" URL. Duh!
The fourth type is all too common, and can lead to some ugly consequences. The hijacked site is your run-of-the-mill Web site for a small business, a non-profit group, or an educational organization. Having compromised the site's server, a phisher installs the fraudulent material on the site in a subdirectory. Sometimes the phisher even creates a separate user account just for him/herself and places the material in directories belonging to that account.
By and large, the managers of these types of sites are not techies. They probably had a lot of handholding to get the site going in the first place. The consultant or network administrator who got them started (and showed them how to update pages with FrontPage) is either long off the contract, or has gone away to college. The last thing these folks know how to do is to investigate security issues in their servers. Even if they know something about File Transfer Protocol (FTP) to move files to the Web server, they probably don't know how FTP programs typically don't display directories and files whose names start with a period. Even the unmodified Unix ls command to list a directory's contents won't show such items. A great many phishers, of course, install their stuff inside directories whose names start with a period to evade simple detection by site owners.
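A site owner (or the helper they call in) can enumerate exactly the dot-prefixed directories that plain ls and most FTP clients hide. The script below is an added example, not code from the original post; the document root path is an assumption and is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): list every directory under a
# web document root whose name starts with a period, and show how many files
# each holds and which file in it changed most recently. Hidden directories
# such as .well-known can be legitimate; the point is to make them visible so
# the owner can decide. The root path is an assumption supplied by the caller.

# Print the full path of each dot-prefixed directory below $1.
# '.?*' matches names like .kit or .tmp but not the directory itself ('.').
find_hidden_dirs() {
    root="$1"
    find "$root" -type d -name '.?*' ! -path "$root" 2>/dev/null
}

# Count regular files inside one directory (recursively).
count_files() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Name of the most recently modified regular file inside one directory.
# ls -t sorts by modification time, newest first; a freshly planted kit
# will typically show a recent date when inspected with ls -l.
newest_file() {
    ls -t "$1" 2>/dev/null | head -n 1
}

# One tab-separated line per hidden directory: path, file count, newest file.
report_hidden_dirs() {
    root="$1"
    find_hidden_dirs "$root" | while IFS= read -r dir; do
        printf '%s\t%s file(s)\tnewest: %s\n' \
            "$dir" "$(count_files "$dir")" "$(newest_file "$dir")"
    done
}

# Run directly as: sh hidden_dirs.sh /path/to/document/root
if [ -n "${1:-}" ]; then
    report_hidden_dirs "$1"
fi
```

Compare its output against `ls` of the same directory to see what an owner using an FTP client would have missed.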
Things can go haywire if reports of a hijacked site's phishing page reach the Web hosting service for the site. A lot of ISPs act first to disable the entire site, and (perhaps) ask questions later. At this point, not only is the phishing page taken down (that's a Good Thing), but the entire organization's Web presence—and perhaps even their email service—is disconnected. If a big chunk of the company's business is Web-derived, that's more than a little inconvenient (and lawyers probably get involved).
To minimize this kind of collateral damage, I try to contact the hijacked site's owner, rather than the ISP, whenever possible. If the site's home page has a contact email address, I'll send my report only to that address. If there is no contact info on the site, and if I can determine the domain name of the site (some phish links to hijacked sites link to the numeric IP address, and the domain is not obvious unless something else in the site mentions it by name), I'll trace the domain registration record and hope that the contact information there is still accurate. Some records list an "administrative contact" and "technical contact." If the information for these two contacts is different, the former may be a non-techie at the company, and the latter could be the Web hosting service.
I never know if the administrative contact is technically equipped to locate and remove the phishing pages, so I tend to include the technical contact in my email report if the tech contact information doesn't look like an ISP. There is, of course, no guarantee that I don't tip off an ISP, but I try to let the domain holder handle it if possible.
It doesn't always work that way, however. Recently I sent a report to a hijacked site's owner. I could tell from the initial response that the site's owner was not technically equipped to look for and delete a hidden directory on his Web server and know how to secure the server against further attacks. I suggested he get some help from his Web hosting service. But it was too late. Apparently, another reporter had sent a complaint to the site's ISP. The ISP had cut off the compromised site entirely, and email sent to the domain was rejected. This fellow was, for now anyway, screwed.
A few days later I heard again from the site's owner, telling me that everything was back to normal. I'm sure it was a harrowing time for this fella—first to have his site violated by a criminal, and then to get cut off by his ISP as if he were a criminal. Perhaps a change to the server's password scheme will minimize the likelihood of a future hijacking, which means that the experience may have a long-term good outcome for this gentleman and his Web presence.
It just goes to show you that phishing can have even more victims than those who fall for the phony messages and forms.

Posted on September 29, 2005 at 03:24 PM