Tyler Moore & Richard Clayton - Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing
From the 13th International Conference on Financial Cryptography and Data Security, Barbados, 2009
Conference website is http://fc09.ifca.ai/
http://www.cl.cam.ac.uk/~rnc1/fc09evil.pdf
Abstract. Attackers compromise web servers in order to host fraudulent content, such as malware and phishing websites. While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal. In this paper, we study the use of search engines to locate potentially vulnerable hosts. We present empirical evidence from the logs of websites used for phishing to demonstrate attackers’ widespread use of search terms which seek out susceptible web servers. We establish that at least 18% of website compromises are triggered by these searches. Many websites are repeatedly compromised whenever the root cause of the vulnerability is not addressed. We find that 19% of phishing websites are recompromised within six months, and the rate of recompromise is much higher if they have been identified through web search. By contrast, other public sources of information about phishing websites are not currently raising recompromise rates; we find that phishing websites placed onto a public blacklist are recompromised no more frequently than websites only known within closed communities.
Highlights from author's blog at http://www.lightbluetouchpaper.org/2009/02/25/evil-searching/
We found that some of these searches were “evil” in that they were looking for specific versions of software that contained security vulnerabilities (“If you’re running version 1.024 then I can break in”); or they were looking for existing phishing websites (“if you can break in, then so can I”); or they were seeking the PHP “shells” that phishing attackers often install to help them upload files onto the website (“if you haven’t password protected your shell, then I can upload files as well”).
We have firmly established that “evil searching” is an important way of locating machines to compromise.
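The paper's evidence comes from the web server logs of compromised hosts: a search-engine referrer on a request reveals the query that led the visitor to the page. The following is an added example, not the authors' code or data, of how a practitioner can pull those queries out of Apache combined-format log lines and sort them into the three kinds of evil search the blog post names (version-specific vulnerability searches, searches for existing phishing pages, and searches for PHP shells). The log lines are constructed, and the indicator patterns are my own assumptions, not search terms taken from the paper; in particular the phishing-page category deliberately requires a search operator such as inurl: alongside a brand term, so that an ordinary user searching "paypal login" (a potential victim, not an attacker) is not counted as an evil search.

```python
"""Extract search-engine referrers from web server logs and classify them.

Added example (not the authors' code). Log lines are constructed; the
category patterns below are heuristic assumptions, not terms from the paper.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string parameter carrying the search terms, keyed by a host fragment.
ENGINE_PARAMS = {"google.": "q", "bing.com": "q", "search.yahoo.com": "p"}

# Assumed indicators (my heuristics, not from the paper):
#  - a product name followed by a dotted version number ("osCommerce 2.2")
VULN_VERSION = re.compile(r"\b[A-Za-z][\w\-]*\s+v?\d+\.\d+(\.\d+)*\b")
#  - search operators used to find pages by URL/title rather than content
DORK = re.compile(r"\b(inurl|intitle|intext|filetype):", re.I)
#  - brand / phishing-kit vocabulary, only counted together with a DORK operator
PHISHING_TARGET = re.compile(r"\b(paypal|bank|webscr|login|verify|account)\b", re.I)
#  - names and banner strings of common PHP web shells
SHELL = re.compile(r"\b(c99|r57|phpshell|webshell|safe[_ ]?mode|uname -a)", re.I)


def extract_query(referer):
    """Return the search terms if the referer is a search result page, else None."""
    if not referer or referer == "-":
        return None
    url = urlparse(referer)
    host = url.netloc.lower()
    for fragment, param in ENGINE_PARAMS.items():
        if fragment in host:
            values = parse_qs(url.query).get(param)  # parse_qs decodes %xx and '+'
            return values[0] if values else None
    return None


def classify(query):
    """Bucket a query as 'shell', 'vulnerable_version', 'phishing_site' or 'benign'."""
    if SHELL.search(query):
        return "shell"
    if VULN_VERSION.search(query):
        return "vulnerable_version"
    if DORK.search(query) and PHISHING_TARGET.search(query):
        return "phishing_site"
    return "benign"


def scan(log_lines):
    """Return (ip, path, query, category) for every request with a search referrer."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = extract_query(m.group("ref"))
        if query is None:
            continue  # direct visit or non-search referrer
        path = m.group("req").split()[1]
        hits.append((m.group("ip"), path, query, classify(query)))
    return hits


def summarize(hits):
    """Count hits per category."""
    return Counter(category for _, _, _, category in hits)


# Constructed sample log (not real traffic). IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2009:14:22:31 +0000] "GET /shop/index.php HTTP/1.1" 200 5123 '
    '"http://www.google.com/search?q=%22Powered+by+osCommerce+2.2%22" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2009:14:25:02 +0000] "GET /images/.paypal/webscr.php HTTP/1.1" 200 2210 '
    '"http://search.yahoo.com/search?p=inurl%3Awebscr+%22paypal%22+login" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Feb/2009:14:31:47 +0000] "GET /tmp/x.php HTTP/1.1" 200 8801 '
    '"http://www.bing.com/search?q=intitle%3A%22c99shell%22+safe_mode" "Mozilla/5.0"',
    '203.0.113.44 - - [10/Feb/2009:14:40:10 +0000] "GET /shop/index.php HTTP/1.1" 200 5123 '
    '"http://www.google.com/search?q=garden+furniture" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Feb/2009:14:41:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, query, category in scan(SAMPLE_LOG):
        print(f"{category:18} {ip:14} {path:28} {query}")
    print(summarize(scan(SAMPLE_LOG)))
```

Run over a real log, the interesting output is not the classifier's labels but the raw queries themselves: read the non-benign ones and you learn which software versions and which shell names attackers are hunting on your host, which is exactly the signal the paper used to decide whether a compromise was search-driven.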