Phishers Breaking Into Web Hosting Servers to Launch Mass Attacks

A report from the Anti-Phishing Working Group says cyber-attackers are breaking into Web servers and then using them to blast phishing pages across the Internet.

Cyber-attackers are focusing their efforts on Web hosting providers in order to use their facilities to launch mass phishing attacks, according to a new report from the Anti-Phishing Working Group (APWG).

According to the group's Global Phishing Survey for the second half of 2012, attacks leveraging these resources represented nearly half of all phishing attacks recorded around the world in the final six months of the year.

In the second half of 2011, “we identified 58,100 phishing attacks that used this mass break-in technique, representing 47 percent of all phishing attacks recorded worldwide," the report notes. "We started 2012 with no attacks of this nature, but beginning in February, these attacks started reappearing, peaking in August 2012 with over 14,000 such phishing attacks sitting on 61 different servers." Attack levels declined in late 2012, but still remained stubbornly high.

"Once the phisher breaks into such a server, he first uploads one copy of his phishing content," according to the report. "He then updates the Web server configuration to add that content to every hostname served by that Web server, so that all Websites on that server display the phishing pages via a custom subdirectory. So instead of hacking sites one at a time, the phisher can infect dozens, hundreds or even thousands of Websites at a time, depending on the server."

Using such tactics “is a high-yield activity, and fits into a larger trend where criminals turn compromised servers at hosting facilities into weapons," according to the APWG. "Hosting facilities contain large numbers of often powerful servers, and have large ‘pipes’ through which large amounts of traffic can be sent. These setups offer significantly more computing power and bandwidth than scattered home PCs."

These resources can be leveraged in a number of ways, including launching distributed denial-of-service (DDoS) attacks. In late 2012, cyber-criminals hacked into server farms to launch DDoS attacks against banks in the United States in what the attackers called "Operation Ababil."

In its latest data breach report for 2012, Verizon noted that the proportion of breaches using social-engineering tactics such as phishing was four times higher in 2012 than in 2011. According to Verizon, in 30 percent of the breaches involving enterprises, the victim of the phish was at the executive level, while 27 percent of the cases involved a victim at the managerial level. Among small and midsize businesses, 13 percent of the phishing attacks involved cashiers.

In 69 percent of the breaches, the attacked organization was not the one who discovered they had been victimized. Instead, it was a third party.

"We really have two concerns," said Jay Jacobs, senior analyst with Verizon's RISK Team. "It takes a long time to discover a breach—66 percent were a month or longer—and even then, organizations are not actively discovering breaches themselves,” Jacobs said.

“This may be caused by a focus on preventing a breach rather than detecting them, causing some organizations to not implement safeguards, such as log review or other detection mechanisms. Another possible cause may be the active detection processes are either not working or are misconfigured and/or under-staffed," he said.

"Either way, the only thing we do know for sure is that there are opportunities to improve on the internal detection of breaches," he said.