Attackers confidently exploit legitimate websites with the same methods, and they succeed because victims are not implementing recommended best practices, countermeasures and responses, according to the APWG. “Phishers continue to target legitimate websites because they are much harder for interveners to take down. They remain confident that they’ll be able to identify and exploit sites, and for good reason. Victims are not taking measures to secure their sites from attack, and they remain lax in monitoring against and mitigating attacks,” said APWG Research Fellow Dave Piscitello of ICANN.
From August 2009 through July 2012, the APWG’s Internet Policy Committee (IPC) surveyed managers of websites that had been compromised and subsequently used to host phishing pages. The report compares two sampling periods to study change in attacker methodology, victim hosting environments, and incident response by victims or their hosting providers.
The survey results indicate that LAMP - Linux, Apache, MySQL, PHP - remains the most frequently targeted hosting environment. However, closer examination of the responses reveals that attackers most frequently leave PHP shell code (i.e., a backdoor written in the PHP scripting language), phishing kits (web pages or scripts that are used to execute the phishing attack itself), or a mechanism to send email to animate a phishing attack.
“The high frequency of PHP exploits underscores our previous recommendations: you must keep all components of your website - OS, web server, applications, and especially active content - patch current and configured securely,” concluded Mr. Piscitello.
The majority of victims continue to report that they were unaware that their website had been compromised until an external party notified them. “More than 80 percent of incidents are being detected by third parties, and that percentage increased over the past year,” reports APWG IPC Co-Chair Rod Rasmussen of Internet Identity. “We are concerned that hosting providers and site owners are becoming more complacent and vulnerable, and we urge administrators to be more proactive.”
Take down time for phishing pages remains unchanged. Victims report that forty percent of phishing pages are taken down within a day and nearly sixty percent within 2-3 days, but nearly one in four victims could not say with accuracy when pages were removed. The report examines this and other disturbingly high incidences where victims reported they had insufficient data to answer survey questions.
“Take the frequency of ‘I don’t know’ responses in the survey and factor in that the majority of attacks are reported by external parties,” said IPC Co-Chair Greg Aaron of Illumintel, Inc. “Too little time or talent is invested to monitor and analyze web traffic and visitor behavior.”

