Study finds hosting providers offer phishing paradise

Share this article:

Hosting providers are the new target for phishing attacks, according to a study released Thursday.

The Anti-Phishing Working Group (APWG), an international consortium that serves as a clearinghouse for phishing attacks, reported its findings from the second half of 2012. It found that 47 percent of all phishing attacks involve shared web hosting, like WordPress or Joomla.

Rod Rasmussen, co-chairman of the APWG's internet policy committee and the CTO of security firm Internet Identity, said phishers typically compromise one person's website, and they use "various tricks" to gain access to the main web server, which yields a universal directory of sites hosted as part of that shared server space. Then, using some commands, the attackers are able to install a phishing page on every one of those trusted sites.

"All you need to do is to get into one account on the server, and you can compromise the rest," Rasmussen said.

Saboteurs prefer this tactic because it helps them avoid detection.

"It often passes the muster through the anti-spam vendors because the domain [the phishing page is] appearing on has been around for a while and has a decent reputation, " he said.

Rasmussen said companies like WordPress can help users avoid this fate by enforcing strong passwords and providing regular updates.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.