Phishers continued to target shared virtual servers as a means to propagate their attacks during the second half of 2013, according to the Anti-Phishing Working Group (APWG).
In the group’s latest report on global phishing trends, APWG researchers reported that 18 percent of all phishing attacks worldwide could be attributed to this kind of shared-virtual-server break-in.
“In this attack, a phisher breaks into a web server that hosts a large number of domains – a ‘shared virtual server,’” according to the report. “Then he uploads one copy of his phishing content and updates the web server configuration to add that content to every hostname served by that server. Then all web sites on that server display the phishing pages. Instead of hacking sites one at a time, the phisher often infects hundreds of web sites at a time, depending on the server.”
During the second half of last year, APWG identified 178 mass break-ins of this type, resulting in 20,911 phishing attacks around the world. Though there were more break-ins in the second half of 2013, they resulted in roughly the same number of attacks as in the first six months of the year.
“Breaking into such hosting is a high-yield activity, and fits into a larger trend where criminals turn compromised servers at hosting facilities into weapons,” the report noted. “Hosting facilities contain large numbers of often powerful servers, and have large ‘pipes’ through which large amounts of traffic can be sent. These setups offer significantly more computing power and bandwidth than scattered home PCs.”
There are a number of ways these attacks are taking place, explained Rod Rasmussen, president and chief technology officer of Internet Identity (IID).
“We’ve seen standard tools sold in criminal underground forums that allow you to set parameters to scan for vulnerable sites/servers,” he said. “Typically, there are either known plugin vulns [vulnerabilities] that can get you in and then other tools to raise privileges. Even more annoying is that many of these break-ins aren’t from vulns, but from sloppy admin work, where either default or weak passwords are put in place by the webserver manager or inexperienced site admins.”
“There are also services that gather up blocks of compromised servers and then sell them on underground forums, so you don’t have to crack boxes at all to get resources,” he noted. “Finally, we’re sure that people have built custom tools for themselves as well, but those don’t show up on the forums.”
In general, better operational security is what’s needed, but many casual users may not know how to do that – nor should they have to, he argued.
“The responsibility probably needs to come back to the hosting companies to do more monitoring, hardening, testing, etc.,” he said. “It is pretty easy to detect brute-force logins against your entire client base [and] detect that all of a sudden Nigerian IPs are being used to manage websites on your servers when they never have been, or to scan for vulnerable apps/plugins on your own infrastructure. Many hosting companies do these things and they don’t end up with problems like being blacklisted for e-mail, customer support calls or [law enforcement agencies] knocking on the door to seize servers.”
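The two provider-side checks Rasmussen describes, brute-force logins spread across the whole client base and a customer site suddenly being managed from a country it never was before, can be run over the hosting panel's own login log. The script below is an added example, not code from the article, APWG or IID. The log line format, the prefix-to-country table that stands in for a real GeoIP lookup, the per-account country baseline and the thresholds are all constructed assumptions; a hosting company would substitute its own panel logs and geolocation database.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of hosting-panel login attempts (not real data).
# Assumed format: "<ISO timestamp> <customer account> <source IP> <success|failed>".
SAMPLE_LOG = """\
2013-11-04T08:00:01 acme 198.51.100.7 success
2013-11-04T08:30:00 bakery 198.51.100.9 success
2013-11-04T09:00:00 acme 203.0.113.50 failed
2013-11-04T09:00:01 bakery 203.0.113.50 failed
2013-11-04T09:00:02 cafe 203.0.113.50 failed
2013-11-04T09:00:03 dental 203.0.113.50 failed
2013-11-04T09:00:04 estate 203.0.113.50 failed
2013-11-04T09:00:05 florist 203.0.113.50 failed
2013-11-04T09:00:06 garage 203.0.113.50 success
2013-11-04T10:00:00 cafe 192.0.2.44 success
2013-11-04T10:30:00 acme 198.51.100.7 success
"""

# Stand-in for a GeoIP lookup: a tiny constructed prefix table with
# arbitrary country codes. A real deployment would query a geolocation DB.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "C1",
    ipaddress.ip_network("192.0.2.0/24"): "C2",
}

# Constructed baseline: the countries each customer has managed their site from so far.
BASELINE = {"acme": {"US"}, "bakery": {"US"}, "cafe": {"US"}, "garage": {"US"}}


def geo(ip):
    """Map a source IP to a country code via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse(log):
    """Parse the assumed log format into (timestamp, account, ip, result), oldest first."""
    events = []
    for line in log.splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return sorted(events)


def brute_force_sources(events, window=timedelta(minutes=10),
                        min_failures=5, min_accounts=3):
    """Source IPs with >= min_failures failed logins against >= min_accounts
    distinct customers inside one window: a password attack on the client base,
    not a single customer mistyping. Returns {ip: [accounts it failed against]}."""
    per_ip = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "failed":
            per_ip[ip].append((ts, account))
    flagged = {}
    for ip, fails in per_ip.items():
        recent = deque()  # sliding window of (timestamp, account)
        for ts, account in fails:
            recent.append((ts, account))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= min_failures and len({a for _, a in recent}) >= min_accounts:
                flagged[ip] = sorted({a for _, a in fails})
                break
    return flagged


def geo_anomalies(events, baseline):
    """Successful logins from a country the account has never been managed from.
    Returns (timestamp, account, ip, country) tuples."""
    hits = []
    for ts, account, ip, result in events:
        if result != "success":
            continue
        cc = geo(ip)
        if cc not in baseline.get(account, set()):
            hits.append((ts.isoformat(), account, ip, cc))
    return hits


def likely_compromised(events):
    """Accounts that accepted a login from a flagged brute-force source: the
    weak-password case the article describes, visible only at the hosting layer."""
    bad_ips = brute_force_sources(events)
    return sorted({a for _, a, ip, r in events if r == "success" and ip in bad_ips})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(ev))
    print("geo anomalies:", geo_anomalies(ev, BASELINE))
    print("likely compromised:", likely_compromised(ev))
```

The point of running this centrally rather than per site is the one Rasmussen makes: a single customer sees one or two failed logins and nothing looks wrong, while the hosting company sees the same source walking its entire customer list and can lock the source out, reset the account that accepted it, and check that server's virtual host configuration before the phishing content reaches every hostname it serves.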