NEWS FROM THE LAB - Wednesday, May 21, 2008

Phishing Piers on Legitimate Sites
Posted by Sean @ 10:52 GMT

Let's say that you want to phish for PayPal accounts. One might attempt to register something such as paypol-sevice.com. But that's too obvious and is likely to be discovered and reported for abuse before the phishing even begins.

See this example, created one day and reported for abuse on the next:


Clearly that technique is now well guarded against. So instead of a clever misspelling, more obscure URLs such as paypalcom.cq.bz are required.

However, even obscure URLs can be taken offline quickly, as they serve no legitimate function. Sending a message to the hosting provider with a request that the entire bogus site be taken offline does the trick.

So what next?

Instead of setting up their own sites, we're seeing more and more evidence of phishing from hacked sites: legitimate sites that are unknowingly hosting phishing pages. Such a site cannot simply be pulled offline without collateral damage to the legitimate business, so the website's administrator must be contacted to repair the damage.

Sites such as bbcsales.com, a 15-year-old business with a long-standing Web presence.


PayPal phishing from their site was reported to PhishTank on May 6th:

BBCSales.com - May 6th

That phishing pier, located in the /administrator/ folder, was quickly taken offline.

But now BBCSales have been hacked again and a new pier configured from the /includes/ folder. Here's a PhishTank report from today, May 21st:

BBCSales.com - May 21st

Until the website's vulnerabilities are resolved, the phishers will just continue to hack-and-pier.

Once again the company, located in Canada, must be contacted to resolve the issue. And this is undoubtedly costly for the business while providing a new advantage to the phishers.
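The repeated compromise described above, with new pages appearing under /administrator/ and then /includes/, is exactly what a file-integrity baseline of the web root catches. The following is an added example (not code from the post or from the affected site): it hashes every file under a web root, compares a later snapshot against the baseline, and reports added, modified and removed files. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(web_root):
    """Map each file under web_root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(web_root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_snapshots(baseline, current):
    """Return sorted lists (added, modified, removed) of relative paths.

    'added' is what a site owner most wants to see: a file that was never
    deployed but has turned up inside the web root, e.g. a phishing page
    dropped into /includes/.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, modified, removed


def demo():
    """Constructed scenario: baseline a clean site, then detect a planted page."""
    with tempfile.TemporaryDirectory() as web_root:
        root = Path(web_root)
        (root / "administrator").mkdir()
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php echo 'storefront'; ?>\n")
        (root / "includes" / "menu.php").write_text("<?php // navigation ?>\n")
        baseline = snapshot(root)  # taken when the site is known to be clean
        # Simulated compromise: a new page under /includes/ and one edited include
        (root / "includes" / "login.html").write_text("<html>constructed</html>\n")
        (root / "includes" / "menu.php").write_text("<?php // navigation ?>\n<?php // extra ?>\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

In practice the baseline manifest is stored off the web server and the comparison runs on a schedule, so a page planted after a re-compromise is flagged before it is reported to PhishTank.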

A quick scan through PhishTank's Recent Submissions yields many hacked piers.