Web host victims repeatedly exploited by cybercriminals

More than one-third of respondents to an Anti-Phishing Working Group (APWG) survey were repeat victims of phishing attacks that resulted in a successful establishment of phishing or spoofing websites on their web server platforms.

Some 37 percent of respondents to the wide-ranging study of website vulnerabilities and administrative responses to exploitation reported that their websites had phishing or spoof sites planted on their web servers two or more times before, a telling statistic that reflects both the persistence of phishers and the difficulties of keeping them at bay.

“Phishers value compromised web sites highly because they are much harder for interveners to take down. They’re confident that they’ll be able to identify and exploit sites, and do so repeatedly. Victims are not mitigating exploits entirely or are not implementing adequate measures to keep them away,” said APWG Research Fellow Dave Piscitello of ICANN.

“Keeping all components of a web site – OS, web server, applications, and content – patch current and applying the most secure configuration options possible could significantly reduce initial and repeat attacks,” concluded Piscitello.

The APWG’s Internet Policy Committee began an online survey for managers of websites that had been exploited in phishing attacks and other malevolent enterprise nearly 18 months ago. Some 270 completed surveys are included in this first tally and analysis.

The APWG IPC organized this study to understand the web site operating environments that are abused by cybercrime gangs, the nature of the attacks, and actions the victim took in response, to obtain a clearer understanding of attacker methodologies and target preferences.

While the survey results clearly indicate that web sites could benefit from broader implementation of preventative measures to mitigate known vulnerabilities, they also reveal that organizations are not adequately monitoring for anomalous behavior or suspicious traffic patterns that may indicate previously unseen, so-called zero day attacks.

While only one in five victims reported that the attacks were discovered by their own staff, fifty-two percent of respondents were informed of the attack by third-party security companies. Victims indicated that their web hosting service (18%) or the company that was phished (18%) were as likely to notify victims as the organization’s staff.

“You can’t publish active content in Internet time and verify that your protective measures against attacks remain effective. Vulnerability testing, if done at all, is done too infrequently,” lamented Piscitello.

“That nearly 80% of incidents are being detected by third parties tells us that too few organizations take real time monitoring or examination of logs for suspicious activities seriously,” concluded Piscitello.

The full report is available here.

Don't miss