Abstract
Attackers compromise web servers in order to host fraudulent content, such as malware and phishing websites. While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal. In this paper, we study the use of search engines to locate potentially vulnerable hosts. We present empirical evidence from the logs of websites used for phishing to demonstrate attackers’ widespread use of search terms which seek out susceptible web servers. We establish that at least 18% of website compromises are triggered by these searches. Many websites are repeatedly compromised whenever the root cause of the vulnerability is not addressed. We find that 19% of phishing websites are recompromised within six months, and the rate of recompromise is much higher if they have been identified through web search. By contrast, other public sources of information about phishing websites are not currently raising recompromise rates; we find that phishing websites placed onto a public blacklist are recompromised no more frequently than websites only known within closed communities.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Moore, T., Clayton, R. (2009). Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing. In: Dingledine, R., Golle, P. (eds) Financial Cryptography and Data Security. FC 2009. Lecture Notes in Computer Science, vol 5628. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03549-4_16
DOI: https://doi.org/10.1007/978-3-642-03549-4_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03548-7
Online ISBN: 978-3-642-03549-4
eBook Packages: Computer Science, Computer Science (R0)