Feeds

Cybercrooks lurk in shadows of big-name websites

Phishermen redirect via Google Maps, AOL et al

Securing Web Applications Made Simple and Scalable

A small team of security researchers has documented how many high-profile websites are unwittingly helping phishing fraudsters.

Phishing scams often use "open redirector" exploits on major sites to make their attack URL look more legitimate. The trick also makes it more likely that fraudulent emails that form the basis of phishing attacks will slip past spam filters. Typically, security flaws on exploited high-profile sites allow a phisher to provide a link which appears to be a legitimate URL, but actually redirects to a fraudulent site.

Previous Register stories have covered examples of the ruse practiced on websites including Barclays Bank (story here), eBay (here), and others.

To date, most of the information about the topic has been anecdotal. SiteTruth aims to shed light on the scope of the problem by collecting hard numbers as part a project that ultimately aims to provide a search engine that will allow clued-up surfers to check on the legitimacy of sites. SiteTruth's search service isn't limited to sites that have paid a fee. Nor is it selling "seals of approval".

Its findings are partly based on existing business records, as well as links with other anti-phishing organisations (such as PhishTank, a clearing house for reports about phishing sites), and its own research. It also takes submissions from webmasters, as explained here.

Even so, the site admits its findings aren't infallible and ought to serve only as a guideline. The safe search feature is currently in Alpha testing.

SiteTruth's research, based on the collection of information about exploited websites and updated every three hours, also reports on insecure practices that serve the interest of cybercrooks. SiteTruth breaks down the vulnerabilities it finds into five categories, as follows:

  • Open redirectors
  • Sites that allow user hosted content in ways exploitable for phishing (i.e. "photobucket.com", which will accept uploads of Flash files)
  • ISPs that provide DSL or cable connections for phishing sites
  • Unscrupulous commercial hosting services
  • Compromised sites exploited by phishers (Universities with high bandwidth connections and lax security are a favourite in this category)

Some of the items on the list cover broadly similar ground to that documented by Spamhaus and others. However, the open redirector run-down compiled by SiteTruth is a distinct list that makes for interesting reading.

SiteTruth has cross referenced the 10,000 sites listed in PhishTank with the 1.7 million sites in the Open Directory Project database to discover a list of 171 problem domains. Domains listed typically have a security vulnerability which is being exploited by phishing fraudsters.

URL redirection isn't the only category for listing in this blacklist (hosting or otherwise unwittingly helping phishing scams also counts). But the sites allowing URL redirection include many high-profile organisations that ought to know better, including Google Maps. It's easy to bounce off Google Maps to reach the register, for example.

AOL, Microsoft Live, the BBC, Yahoo!, and UK bank Alliance and Leicester have also been greylisted by SiteTruth over the last three weeks.

"Phishing sites come and go rapidly; this list may be out of date within hours," SiteTruth's John Nagle told El Reg. "Some sites are still in PhishTank because they had an active phish in the recent past and PhishTank hasn't purged the entries yet. But some major sites have been on the list for weeks to months.

"So some major websites are being used to lend credibility to phishing attacks. But the number of major sites involved isn't large. It's no longer an acceptable excuse to claim that 'everybody has that problem'. Only some have it, and they need to fix it." ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.