NEWS FROM THE LAB - Monday, March 2, 2009

Phishing Sites are Compromised and Re-compromised

Posted by Sean @ 14:56 GMT

Tyler Moore of Harvard and Richard Clayton of Cambridge have studied how search engines are used in compromising Web servers so that they can host fraudulent content, e.g. phishing sites.

     "Although the use of evil searches has been known about anecdotally,
     this is the first paper to show how prevalent the technique has become,
     and to report upon the substantial rates of recompromise that currently occur."

Anecdotal evidence of multiple attacks?

Our May 21st, 2008 post is one such example. We've seen compromised sites becoming re-compromised for quite some time now.

Moore and Clayton's paper offers some fascinating analytics on the topic. They've found that compromised machines accounted for 75.8% of all the attacks analyzed. And 20% of the sites that were compromised were successfully attacked again within six months.

The paper is called Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing.

You'll find a download link from Richard Clayton's post on Light Blue Touchpaper.