Google used to help locate vulnerable hosts for Phishing attacks
by Steve Ragan - Mar 2 2009, 17:00

Tyler Moore and Richard Clayton, researchers from Harvard and Cambridge respectively, recently published a paper on how criminals are using search engines to discover servers vulnerable to attack. Once the searches locate vulnerable systems, they are cracked and used for phishing and other malicious schemes.
The idea that attackers would use search engines to locate ways to compromise a Web site isn’t new. The uniqueness in the research presented by Moore and Clayton is the tracking of the metrics. “While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal,” the two wrote.
The report looks at 2,486 Web sites that were malicious in nature, either hosting malware or phishing scams. The report explains that criminals use search strings to locate vulnerable Web applications, malicious hosted applications, or existing compromises. Depending on the string used, the attacker can map their own plan of attack. The evidence of malicious searching is in the ‘Referer’ header of the HTTP request, which Web servers record in their access logs; for a visitor arriving from a search engine it names the engine that sent the traffic and the search terms that were used.
The following is an example from the report.
“On 30 November 2007, a phishing page was reported on the http://chat2me247.com website with the path /stat/q-mono/pro/www.lloydstsb.co.uk/lloyds_tsb/logon.ibc.html. We began collecting daily reports of chat2me247.com’s Webalizer logs. Initially, no evil search terms were recorded, but two days later, the website received a visit triggered by the search string ‘phpizabi v0.415b r3’.”
“Less than 48 hours after that, another phishing page was reported, with the quite different location of /seasalter/www.usbank.com/online_banking/index.html. Given the short period between search and re-compromise, it is very likely that the second compromise was triggered by the search. Also, the use of a completely different part of the directory tree suggests that the second attacker was unaware of the first.”
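The detection the report relies on can be automated on the defender's side: read the Web server's access log, pull the Referer out of each request, recognise search-engine result pages, decode the query terms, and flag queries that name a specific software version. The following is an added example (not code from the article or from Moore and Clayton's paper) that does this over a few constructed Apache "combined"-format log lines. The search-engine parameter names, the watchlist entries other than the one search string quoted from the report, and the sample log lines are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Query-string parameter that carries the search terms for each engine.
# Assumption: parameter names as used by these engines; extend for others.
SEARCH_ENGINES = {
    "google.": "q",
    "yahoo.": "p",
    "bing.": "q",
    "live.com": "q",
}

# Watchlist of search strings that name a particular software version.
# The first entry is the search string quoted in the report; the second is
# a constructed placeholder standing in for whatever you host.
SUSPICIOUS_TERMS = [
    "phpizabi v0.415b r3",
    "examplecms 2.0.1",
]

# Apache/nginx "combined" log format:
#   ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def extract_search_terms(referer):
    """Return (engine_host, query) if the Referer is a search-engine result
    page carrying a query, otherwise None."""
    if not referer or referer == "-":
        return None
    parsed = urlparse(referer)
    host = parsed.netloc.lower()
    for needle, param in SEARCH_ENGINES.items():
        if needle in host:
            values = parse_qs(parsed.query).get(param)
            if values:
                return host, values[0].strip()
    return None


def is_suspicious(query):
    """True if the decoded query contains a watchlisted version string."""
    q = query.lower()
    return any(term in q for term in SUSPICIOUS_TERMS)


def scan_log(lines):
    """Return one record per request that arrived from a search engine,
    with the decoded query and a flag for watchlisted terms."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        found = extract_search_terms(m.group("referer"))
        if not found:
            continue
        engine, query = found
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else m.group("req")
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": path,
            "engine": engine,
            "query": query,
            "suspicious": is_suspicious(query),
        })
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2007:10:14:22 +0000] "GET /stat/index.php HTTP/1.1" 200 4213 '
    '"http://www.google.com/search?q=phpizabi+v0.415b+r3&hl=en" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Dec/2007:10:20:01 +0000] "GET /forum/ HTTP/1.1" 200 9120 '
    '"http://www.google.com/search?q=chat+site+registration" "Mozilla/5.0"',
    '192.0.2.9 - - [02/Dec/2007:11:02:43 +0000] "GET / HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Dec/2007:11:30:00 +0000] "GET /stat/ HTTP/1.1" 200 3300 '
    '"http://search.yahoo.com/search?p=examplecms+2.0.1+download" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f'{hit["time"]} {hit["ip"]} {hit["engine"]} {hit["path"]} [{flag}] {hit["query"]!r}')
```

In practice the watchlist is the set of product/version strings for the software you actually run, so that a query naming your exact version is the signal; a flagged hit is a reason to review that host's recent file changes and patch level, which is exactly the re-compromise window the report describes.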
Of the 2,486 sites that were examined, the research shows that 18 percent of the compromised servers could link the security failure to malicious searches. The data also shows that once a vulnerable server is discovered, it is often compromised more than once.
There is a 19 percent chance for a server to face being compromised a second time within twenty-four weeks after the first attack. However, when sites were compromised more than once and had evidence of malicious searching in their logs, the chance of a second breach within twenty-four weeks jumped to 48 percent.
The full paper, with great examples and plenty of detail, is online. You can find it here.