Archive for April, 2010

Phishing exploitation of major sites

Tuesday, April 13th, 2010

SiteTruth distributes a list of major domains being exploited by active phishing scams. [sitetruth.com] This is generated by processing PhishTank data, which we do automatically every 3 hours. The SiteTruth system is looking for the identity of the business behind the web site, and forged business identification is a problem. So we use phishing reports to find forgeries, and take a hard line – one phishing report down-rates the entire domain. At any given time, there are about 30 to 80 domains on the list. Rather than being secretive about this, we publish the list, and try to help legitimate site operators to get off it. We do this because we want to reduce the collateral damage from our tough blacklist system.

Some sites get themselves off the list quickly. By now, most of the better free hosting services and short-URL services are automatically checking PhishTank and the APWG blacklist to see when they’ve been hit. Today, if you run a service where anybody can put up a page that could be used for phishing (i.e. it’s not full of your own headers and banners), you need automation to deal with attacks. As an example, “t35.com” has been hit by a flood of phishing attacks, with several hundred new reports in PhishTank per day. The attacks were coming in faster than the abuse staff could clean them out. They’re now gaining on the problem, but haven’t squashed it yet. Take-away lesson: automate your response to such attacks.

The domains near the top of the list have been there for a while. Note the dates, which are the date that the oldest phishing report still online and active appeared in PhishTank. Some just need help. Typically, these are small businesses, churches, and nonprofits that have had a break-in and were partially taken over by a phishing site. Often, they lack an information technology staff, let alone abuse and security departments. We send them the Anti-Phishing Working Group’s “What To Do if your Site Has Been Hacked”. [antiphishing.org] Sometimes we give them a phone call. They deserve sympathy and help.
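The list generation described above (one online PhishTank report is enough to list a domain, and each domain is dated by its oldest report still active) can be reproduced over a feed in this shape. This is an added example, not SiteTruth's own code: the records are constructed samples whose field names follow the public PhishTank JSON feed, and the reduction of a URL to its domain is a simplified heuristic (an assumption, not SiteTruth's rule).

```python
"""Aggregate a PhishTank-style feed into a list of exploited domains, each
dated by its oldest report that is still online. Added example, not the
SiteTruth code; SAMPLE_FEED records are constructed, not real PhishTank data."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample records (field names follow the PhishTank JSON feed).
SAMPLE_FEED = [
    {"phish_id": 1, "url": "http://www.example-host.test/~user/bank/login.html",
     "submission_time": "2010-03-01T10:00:00+00:00", "online": "yes", "verified": "yes"},
    {"phish_id": 2, "url": "http://example-host.test/other/paypal/",
     "submission_time": "2010-04-02T12:30:00+00:00", "online": "yes", "verified": "yes"},
    {"phish_id": 3, "url": "http://cleaned.test/phish/",
     "submission_time": "2010-02-15T08:00:00+00:00", "online": "no", "verified": "yes"},
    {"phish_id": 4, "url": "http://sites.example-free.test/abc/file.html",
     "submission_time": "2010-04-10T09:00:00+00:00", "online": "yes", "verified": "yes"},
    {"phish_id": 5, "url": "not a url",
     "submission_time": "2010-04-11T00:00:00+00:00", "online": "yes", "verified": "yes"},
]

def registrable_domain(url):
    """Reduce a URL to the last two labels of its host. Simplification
    (assumption): ignores multi-label public suffixes such as co.uk.
    Returns None when the URL has no usable host."""
    host = urlsplit(url).hostname
    if not host or "." not in host:
        return None
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def exploited_domains(feed):
    """Return [(domain, oldest_active_report_time)], oldest first.
    One report that is still online is enough to list the whole domain;
    reports marked offline no longer count against it."""
    oldest = {}
    for rec in feed:
        if rec.get("online") != "yes":
            continue  # cleaned up: this report no longer keeps the domain listed
        domain = registrable_domain(rec["url"])
        if domain is None:
            continue  # malformed record: skip rather than crash the 3-hourly run
        when = datetime.fromisoformat(rec["submission_time"])
        if domain not in oldest or when < oldest[domain]:
            oldest[domain] = when
    return sorted(oldest.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    for domain, since in exploited_domains(SAMPLE_FEED):
        print(f"{since:%Y-%m-%d}  {domain}")
```

The date printed beside each domain is the "oldest report still online" date the list uses; a domain drops off the list once all of its reports are marked offline.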

Then there are the hard cases. These are sites with no visible contact address, or a clueless abuse department. At the moment, Google Sites and Google Spreadsheets are being used for phishing. Google is new to the free hosting business, and the phishers have discovered some tricks that Google can’t yet handle. While Google puts a “report abuse” link on their site pages, it’s possible to set up a file for downloading on Google Sites, and an HTML page can be served that way [phishtank.com], without Google’s abuse checking. There’s also an exploit of Google Spreadsheets [phishtank.com]. That one is an example of Habbo Hotel phishing. [bbc.co.uk] We’ve reported these to Google several times, but they haven’t been fixed yet.

We’ve been seeing a new type of attack recently – a phishing operation breaks into a shared hosting server and plants phishing pages on multiple domains on a single server. One of these hit one of the mysterious “*.websitewelcome.com” servers, which has “cloaked domain registration” and no useful default web page. These seem to be associated with “ThePlanet.com”, but whether ThePlanet operates them, is providing wholesale hosting, is providing colocation, or is just the upstream connectivity provider is not clear.

Hiding the contact information of a hosting provider is legally unwise. The hosting provider may lose the “safe harbor” protection of the DMCA. [cornell.edu] The “safe harbor” provision for “Information Residing on Systems or Networks At Direction of Users” only applies if “the service provider has designated an agent to receive notifications of claimed infringement… by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information: the name, address, phone number, and electronic mail address of the agent.” So when the RIAA or the MPAA come calling, a likely event for a hosting service, they get to go after the hosting provider.

So that’s vulnerability reporting in phishing land. Our experience is that occasional nagging will keep that list down in the 25 to 50 domain range. If we stop nagging, it creeps up to around 100. When we first started, there were about 175 domains on the list. Reporting vulnerabilities does measurably help.

SiteTruth technology now patented

Tuesday, April 6th, 2010

The technology behind SiteTruth is covered by U.S. Patent #7,693,833, issued today, and another pending patent.