Glad to be able to announce this – MarkMonitor has acquired CollectiveTrust. I’ve joined the MarkMonitor team and am looking forward to pushing our ScamAlarm client-side anti-phishing technology to the next level. That’s all for now.
Wikipedia defines a parasite as “an organism that spends a significant portion of its life in… a host organism… without immediately killing it.”
Phishers host their web sites using a number of methods (free hosting, shared hosting paid for with a stolen credit card, hacked servers, etc.), but a common and growing method is for phishers to take advantage of insecure web applications that let them upload their phishing site to run as a part of another site. In this mode, a phishing site acts as a parasite on an existing host.
Here’s the flow:
- Phisher learns about a vulnerability in a downloadable web application (that is, a web app you can run on your own server). For example, older versions of Simple PHP Blog (insecure versions are still available on SourceForge) have an image file upload vulnerability. This allows remote users to upload arbitrary files to the hosting server.
- Phisher searches for sites running the vulnerable version of the application. Many web apps have keyword strings that make it easy to find hosts running that version. I won’t go into details, but think “powered by…”.
- Phisher finds targets, exploits the vulnerability, and uploads their own code to the server. The phishing site is then accessible to the outside world without raising any flags on the compromised host. The web application will generally continue to function normally.
- Wash, rinse, repeat.
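The weak link in this flow is an upload handler that trusts the client's file name and writes the file into a directory the web server will happily execute scripts from. Here is the kind of server-side validation that closes that hole, as an added example written for this post (it is not code from the blog or from Simple PHP Blog); the function names, the signature table and the sample uploads are constructed for illustration:

```python
import os
import secrets

# File signatures ("magic bytes") that each allowed image extension must start with.
# The extension alone is never trusted: a PHP script renamed to .jpg still fails here.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Byte patterns that have no business inside an image the application will serve back;
# a misconfigured handler may execute a file that contains them.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_image_upload(filename: str, data: bytes, max_bytes: int = 2_000_000):
    """Return (accepted, reason) for one uploaded file.

    Only the final extension is considered, it must be an image type, the content
    must carry that type's signature, and no script markers may appear anywhere.
    """
    if len(data) > max_bytes:
        return False, "too large"
    base = os.path.basename(filename.replace("\\", "/"))  # drop client path parts
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    if "." in root:
        # "shell.php.jpg": some server configurations dispatch on the inner extension
        return False, "multiple extensions"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "embedded script markers"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name for an accepted file. The client's name is never reused on
    disk, so the uploader cannot pick a name the web server treats as executable."""
    return secrets.token_hex(16) + ext.lower()


if __name__ == "__main__":
    # Constructed sample uploads: one real PNG header and three disguised scripts.
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "avatar.jpg": b"<?php echo 'not an image'; ?>",
        "shell.php.jpg": b"\xff\xd8\xff" + b"\x00" * 16,
        "logo.gif": b"GIF89a" + b"\x00" * 8 + b"<?php echo 'hi'; ?>",
    }
    for name, content in samples.items():
        print(name, validate_image_upload(name, content))
```

Even with this check in place, store accepted files outside the document root (or in a directory where script execution is disabled) so that a validator bug does not become a remote shell again.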
Why would a phisher want to run their site as a parasite on another host instead of as a standalone? At least three reasons:
- Cheap – no fake credit card data is needed, and no goofy ads forced on their sites by free web hosts.
- Harder to Detect – some anti-phishing tools (not ScamAlarm) look at how long a given domain has existed as a clue to its phishiness. Running as a parasite can make your phishing site look old and legitimate (and sometimes even popular). The phisher can also avoid displaying an IP address as its host name.
- Harder to Block – Blocklist providers have to block at the URL or partial URL level, not at the host level. You don’t want to kill the host when you’re trying to kill the parasite.
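Blocking at the path level, as the last point requires, means matching against a canonical form of the URL so that host case, default ports, percent-encoding and "../" segments cannot slip the parasite path past the list while the host's own pages stay reachable. The following is an added example written for this post, not code from any blocklist provider; the blocklist entries, host names and URLs are constructed:

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed blocklist: host -> path prefixes. A prefix of "/" blocks the whole host;
# anything narrower leaves the rest of that host's pages reachable.
BLOCKLIST = {
    "blog.example.org": ["/uploads/images/paypal"],   # parasite living inside a blog
    "203.0.113.9": ["/"],                             # a host that is entirely phish
}


def canon_path(path: str) -> str:
    """Percent-decode, resolve "." and ".." segments, drop the trailing slash."""
    path = posixpath.normpath(unquote(path) or "/")
    return path if path.startswith("/") else "/" + path


def canonical(url: str):
    """Reduce a URL to (host, path) in a form that compares reliably: the host is
    lowercased (urlsplit does that) with any trailing dot removed and the port dropped."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").rstrip("."), canon_path(parts.path)


def matches_prefix(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or lies beneath it. The segment boundary is
    respected, so "/uploads/images/paypal" does not match "/uploads/images/paypalfree"."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    host, path = canonical(url)
    return any(matches_prefix(path, canon_path(p)) for p in blocklist.get(host, []))


if __name__ == "__main__":
    for u in (
        "http://blog.example.org/uploads/images/paypal/login.php",
        "http://BLOG.example.org:80/uploads/images/%70aypal/",
        "http://blog.example.org/2006/01/some-post.php",
    ):
        print("BLOCK" if is_blocked(u) else "allow", u)
```

Normalising the entries the same way as the URLs matters: a list author who writes the prefix with a trailing slash or an encoded character would otherwise never match anything.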
I don’t mean to pick on Simple PHP Blog. Any number of other applications (blogs and photo galleries especially) are similarly vulnerable. The SPB author quickly patched the vulnerability once it was discovered. The problem is that many people downloaded and installed the older version and have never updated it.
Technorati Tags: phishing
Sunbelt BLOG describes a virus that modifies the hosts file on victim machines to facilitate phishing attacks. By modifying the hosts file, the virus ensures that users attempting to visit sites like PayPal, Wachovia, BankOne, LloydsTSB and others are directed to a phishing server at IP address 188.8.131.52.
This kind of attack represents a departure from the typical one-off phish-by-email attacks that we normally see. Not only is it a passive attack (the phisher has to wait for you to attempt to visit one of its targets), but it also requires a much smarter web site to host the attack. When a user connects to the phishing site, code on the server (PHP in this case) must look at the “Host” header to determine where the user intended to go (remember, all the target financial sites are hosted on the same server). Depending on the header information, the site does an internal redirect to the appropriate sub-site.
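A defender-side check for the tampering described above: parse the hosts file, flag every name that is pointed at an address outside the loopback, private and link-local ranges, and highlight any single external address that collects several unrelated names, which is exactly the fan-in pattern a one-server-many-brands phish produces. This is an added example written for this post, not code from Sunbelt or the blog; the sample hosts file is constructed, and 203.0.113.7 (a documentation address) stands in for the phishing server:

```python
import ipaddress
from collections import defaultdict

# Address ranges a hosts file legitimately points names at: loopback, RFC 1918,
# link-local, the unspecified address used by ad blockers, and their IPv6 counterparts.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "::/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample of a tampered hosts file (203.0.113.7 is not a real server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan
203.0.113.7     www.paypal.com paypal.com
203.0.113.7     www.wachovia.com
203.0.113.7     www.lloydstsb.com   # several brands, one server
0.0.0.0         ads.example.net
"""


def parse_hosts(text: str):
    """Return (ip, hostname) pairs; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def is_local_target(ip) -> bool:
    # "in" returns False across address families, so mixing v4 and v6 here is safe
    return any(ip in net for net in LOCAL_NETWORKS)


def find_redirections(text: str, min_names: int = 2):
    """Return (suspicious, shared): every name mapped to a non-local address, and the
    non-local addresses that receive at least min_names distinct names."""
    suspicious = [(str(ip), name) for ip, name in parse_hosts(text)
                  if not is_local_target(ip)]
    by_ip = defaultdict(set)
    for ip, name in suspicious:
        by_ip[ip].add(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}
    return suspicious, shared


if __name__ == "__main__":
    hits, fan_in = find_redirections(SAMPLE_HOSTS)
    for ip, name in hits:
        print(f"{name} -> {ip}")
    for ip, names in fan_in.items():
        print(f"{ip} receives {len(names)} names: {', '.join(names)}")
```

On a real machine the input would be read from /etc/hosts or, on Windows, %SystemRoot%\System32\drivers\etc\hosts; any entry for a bank or payment brand that lands in the suspicious list is worth investigating even before the fan-in count triggers.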
An intelligent post from Microsoft’s Peter Torr on the decision to send URLs instead of hashes to the phishing filter. I appreciate his discussion of the threats and mitigations balanced against the costs and benefits of each approach.