Thursday, June 05, 2008

Hack -n- Phish

June 2008

‘Hack-and-Pier’ Phishing on the Rise. Researchers have witnessed a growing trend in phishers hacking into legitimate Websites to host their phishing exploits, enabling them to keep their attacks alive longer. A blog post Wednesday from F-Secure noted a series of so-called ‘hack-and-pier’ phishing exploits that had been reported to phishing clearinghouse PhishTank. “Instead of setting up their own sites, we’re seeing more and more evidence of phishing from hacked sites; legitimate sites that are unknowingly hosting phishing,” the blog said. “And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the Website’s administrator must be contacted to repair the damage.”

According to MarkMonitor, only a small percentage of phishing sites today are created with purchased domain names or hosting. “A study we did in late 2007 showed that over 80 percent of phishing sites were hacked legitimate sites or free Webhosting sites,” says the director of anti-phishing for MarkMonitor. Traditionally, a phisher would register a bogus URL that looked a lot like the real thing, but was a letter or two off, such as “paypol” rather than “paypal,” or a more obscure URL that was less likely to get flagged. But those URLs can be easy to spot and shut down, so phishers have been moving to legit Websites as a way to extend the life of their exploits.

An F-Secure representative said in an interview that his firm has in the past seen many examples of legit sites hacked for phishing and other cybercrime uses. “It is a growing trend,” he says. “Like any other technique, practice makes perfect.” As long as there are vulnerable Websites, hack-and-pier phishing isn’t going anywhere. “Until the Website’s vulnerabilities are resolved, the phishers will just continue to hack and pier,” he said.
