Most owners of legitimate sites that have been compromised to support phishing attacks have no idea their site has been violated until some third party tells them, according to a recent survey.
But the cluelessness doesn’t end there. Nearly half of owners of compromised sites don’t know how the attack happened and most aren’t deploying well-known patches and other countermeasures. In the case of so-called chronic victims, those that have been attacked multiple times, two-thirds can’t say how many times their site has been compromised.
Yet online criminals are not letting up in their efforts to exploit legitimate sites to support phishing attacks, say officials with the Anti-Phishing Working Group, which conducted the survey. “Phishers continue to target legitimate Web sites because they are much harder for interveners to take down,” said Dave Piscitello, a research fellow at APWG and author of a report on the survey, in a statement. “Victims are not taking measures to secure their sites from attack, and they remain lax in monitoring against and mitigating attacks.”
In phishing attacks, criminals use e-mail blasts to gull unsuspecting recipients into visiting Web sites where malware can be downloaded to harvest sensitive information, such as passwords, account numbers, and PINs, from victims’ computers. While these sites can be bogus, many phishers rely on phishing kits, e-mailing programs, or other code they’ve planted on legitimate sites.
The APWG survey, which canvassed managers of sites that had been targeted by phishers, compared two periods of time, late 2009 to March 2011 and March 2011 until July of this year. The survey found that in most cases, site officials were notified of the violation either by their Web hosting company or by victims of the phishing attack launched from the site. The number of self-identified exploits fell from the first period to the second, from just over 20% to just over 10%.
Site owners’ state of ignorance about compromises disturbs APWG officials. “We are concerned that hosting providers and site owners are becoming more complacent and vulnerable, and we urge administrators to be more proactive,” said Rod Rasmussen, co-chair of the APWG’s Internet Policy Committee, in a statement.
In both periods studied, more than 80% of managers responded by removing the pages installed by the phishers. Other steps reported included changing passwords for Web programs and for access to the Web server. In a minority of cases, either the manager or the hosting company shut down the site entirely.
But the time taken to remove phishing pages varied considerably, according to the survey. For both time periods, 40% of victims reported removing pages within a day, with the remainder taking anywhere from two to more than 14 days to expunge the offending pages. In a sizable number of cases, more than 25%, respondents said they simply didn’t know how long it took.
At the same time, fully two-thirds of respondents with sites that had been violated by phishers more than once had no idea how many times their site had been compromised. And almost half of respondents in the later sample could not say how phishers had accessed their site.
Indeed, the frequency with which respondents couldn’t answer survey questions also concerns the APWG. “Take the frequency of ‘I don’t know’ responses…and factor in that the majority of attacks are reported by external parties,” said Greg Aaron, co-chair of the IPC. “Too little time or talent is invested to monitor and analyze Web traffic and visitor behavior.”
The APWG survey is still open and taking responses from managers of sites that have been compromised to support phishing attacks. The group expects to publish a full report on the results later this year.