Efficiency Prevails in Phishing Attacks
Monday, June 27, 2016 @ 10:06 AM gHale
In the manufacturing automation world, it is all about productivity and efficiency, and the same is true for cyber bad guys.
Along those lines, there is now a new type of phishing attack that avoids suspicion and makes the attackers' operations more efficient.
In addition, the bad guys know two targets that make for a successful attack: straight to the top, the executive, and the mass market. The catch with the mass market is that the attacks only pay off if they are run efficiently.
Bad guys need to regularly change the domains that host their phishing pages to avoid getting blocked by security products and now they appear to have found a new way to obtain the domains they need, said researchers at Sucuri.
Attackers have been leveraging the fact that hosting providers, including some of the major ones, have failed to properly configure temporary URLs, the researchers said. These URLs, which look something like http://server-name/~username/, are offered to users in order to allow them to test their websites before linking them to their own domains.
When these temporary URLs are not configured properly, an attacker can gain access to one user's files through any domain name on the same server. An attacker can register an account on a shared server, upload their phishing pages, and compile a list of other sites on that server.
If the temporary URLs are not set up properly, the phishing pages will be accessible from any of the neighboring domain names. If the attacker uploads the phishing page to /~attacker/phishing on their own site, the page will also be accessible from neighbor-site1.xyz/~attacker/phishing, neighbor-site2.xyz/~attacker/phishing, etc.
“As a result, one server account gives them hundreds of different domains for their malicious pages for free. They can frequently change the domains without disclosing the real location of the malicious files and without having to move their files to different places when the domains get blacklisted,” said Sucuri researcher Denis Sinegubko in a blog post.
Researchers found instances where a legitimate website ended up blacklisted because it was on the same server as a malicious site.
Website owners can check if they are affected by trying to access their sites using their own domain name (e.g. http://your-domain.com/~yourusername). If it works, the hosting provider has not configured temporary URLs properly.
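The check in the paragraph above, scripted as an added example that is not from the article or from Sucuri: it requests a small marker file that you place in your own web root, through your own domain's /~username/ path, so a catch-all "200 OK" page is not mistaken for a hit. The domain, username, marker text and file name are constructed placeholders.

```python
"""
Check whether a shared host serves your account's files through a
"temporary URL" (http://<domain>/~<username>/) on your OWN domain.
Before running, put a file named userdir-check.txt containing MARKER
in your site's document root (assumed layout; adjust to your host).
"""
import urllib.error
import urllib.request

MARKER = b"userdir-check-token-8f3a2c"  # constructed; any unique string


def build_check_url(domain: str, username: str, path: str = "") -> str:
    """Build http://<domain>/~<username>/<path>, tolerating stray slashes."""
    return f"http://{domain.rstrip('/')}/~{username.strip('/')}/{path.lstrip('/')}"


def classify(status: int, body: bytes, marker: bytes) -> str:
    """Interpret a response to the marker-file request.

    200 containing our marker -> the ~username path serves our files (exposed)
    403/404                   -> the path is not served (not-exposed)
    anything else (e.g. a 200 from a catch-all page, a 500) -> unknown
    """
    if status == 200 and marker in body:
        return "exposed"
    if status in (403, 404):
        return "not-exposed"
    return "unknown"


def check_domain(domain: str, username: str, marker: bytes = MARKER,
                 timeout: float = 10.0) -> str:
    """Fetch the marker file via the ~username path on your own domain."""
    url = build_check_url(domain, username, "userdir-check.txt")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(), marker)
    except urllib.error.HTTPError as err:      # 4xx/5xx raise; keep the code
        return classify(err.code, b"", marker)
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return "unreachable"


if __name__ == "__main__":
    # Placeholder values; replace with your own domain and hosting username.
    print(check_domain("your-domain.example", "yourusername"))
```

A result of "exposed" means the same path is very likely reachable through every other domain on that server as well, and the fix belongs with the hosting provider, who should disable or restrict the temporary-URL feature.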