[Web4lib] Phishing exploits in emails

Ben Reiter reiterbe at mail.lib.msu.edu
Wed Feb 7 18:08:49 EST 2007


Having been a webhosting support tech and sysadmin in a previous life, I
can say that it is _very_ common. Usually, a vulnerable installation of
e.g. a PHP forum, combined with world-writable (mode 777) directories,
is exploited to get the malicious content in an out-of-the-way place on
the victim's site (in this case, a hidden 'support' directory under
'pack46').

A common sibling to the compromised website is the spam script, which is
often run on a victim's server to send out the actual phishing spams.
They are usually done in the same fashion, with a vulnerable script
being tricked into downloading a malicious file from a remote location
to the local /tmp directory, and then running it. The smarter ones
delete the script after starting it, so you have no file to look for,
and spawn and kill many child processes (so there's no one
'monolithic' spam process to kill).

All you can really do is make sure that your code and server are
well-designed and hardened. There's no shortage of wide-open sites and
insecure scripts for these spammers to exploit. A small organization
(like a local church) rarely has the person-hours or expertise to
harden, much less audit, its site, and often they don't realize that
they have been compromised until they get a phone call like yours.

> I have been getting a lot of phishing emails supposedly from Amazon.
> It is quite irritating since I do a lot of business on Amazon.  I looked
> at the source code for one of the messages and found this web address:
> //www.holyspirit-indy.org/pack46/.support/www.amazon.com/flex/sign-out.html/2Fhomepage=protocol=httpsaction=sign-out/exec.php?cmd=sign-in
>  
> I went to the website www.holyspirit-indy.org and found the website for
> the Holy Spirit Catholic Church of Indianapolis.  I called them to tell
> them that their webserver was being used for phishing exploits.  The
> priest I talked to was quite happy to have my phone call.  He was going
> to talk to their website administrator.  Is this type of hack common and
> how do idiots get this type of access?  I am curious since most of the
> phish e-mails I get come from places like China, South Korea, or Russia.
>  

Ben Reiter
Library Web Services
Michigan State University
reiterbe at mail.lib.msu.edu

"On two occasions I have been asked [by members of Parliament], 'Pray,
Mr. Babbage, if you put into the machine wrong figures, will the right
answers come out?' I am not able rightly to apprehend the kind of
confusion of ideas that could provoke such a question."
- Charles Babbage
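The two symptoms Ben describes (wide-open directories under the web root used as a drop point, and a spam script that unlinks itself after starting so there is "no file to look for") can both be checked for from the shell. The script below is an added example for readers of this thread, not code from the original message or from any of the sites mentioned; it assumes a Linux host with /proc and GNU findutils, the default WEBROOT path is a placeholder, and the demo web root it builds is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: defender-side checks for the
# two symptoms described in the thread -- world-writable (mode 777) drop
# directories under a web root, and a spam process whose script was deleted
# after launch. Assumes Linux (/proc) and GNU findutils. WEBROOT is a
# placeholder, not a path taken from the thread.
WEBROOT="${WEBROOT:-/var/www/html}"

# Directories under $1 that any local user can write to and that are not
# sticky-bit protected (the classic "chmod 777 uploads/" drop point).
find_world_writable_dirs() {
    find "$1" -type d -perm -o+w ! -perm -1000 2>/dev/null
}

# Same check, reduced to a count so it can be alerted or asserted on.
count_world_writable_dirs() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Files in a temp directory that look like something a tricked script
# fetched and ran: executable, or a script by extension.
find_suspicious_tmp_files() {
    find "${1:-/tmp}" -maxdepth 2 -type f \
        \( -perm -u+x -o -name '*.pl' -o -name '*.php' -o -name '*.sh' \) 2>/dev/null
}

# Processes whose binary was deleted after launch: the kernel keeps the
# inode alive and /proc/PID/exe resolves to "<path> (deleted)".
find_deleted_exe_procs() {
    local proc exe
    for proc in /proc/[0-9]*; do
        exe=$(readlink "$proc/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") printf '%s %s\n' "${proc#/proc/}" "$exe" ;;
        esac
    done
    return 0
}

# An interpreted spam script (e.g. perl /tmp/x.pl) shows the interpreter,
# not the script, in /proc/PID/exe. Look instead for a command-line argument
# under a temp directory whose file no longer exists on disk.
find_deleted_script_procs() {
    local proc arg
    for proc in /proc/[0-9]*; do
        [ -r "$proc/cmdline" ] || continue
        tr '\0' '\n' < "$proc/cmdline" 2>/dev/null | while IFS= read -r arg; do
            case "$arg" in
                /tmp/*|/var/tmp/*|/dev/shm/*)
                    [ -e "$arg" ] || printf '%s %s\n' "${proc#/proc/}" "$arg" ;;
            esac
        done
    done
    return 0
}

# Constructed throwaway web root with one wide-open directory, so the
# permission check can be demonstrated offline. Prints the root path.
make_demo_webroot() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/forum/uploads" "$root/pack46"
    chmod 755 "$root/forum" "$root/forum/uploads"
    chmod 777 "$root/pack46"     # the drop point a spammer would look for
    printf '%s' "$root"
}

# Full audit of the live host; run with AUDIT=1 to execute it.
audit_host() {
    echo "== world-writable directories under $WEBROOT"; find_world_writable_dirs "$WEBROOT"
    echo "== suspicious files in /tmp";                  find_suspicious_tmp_files /tmp
    echo "== processes running from deleted binaries";   find_deleted_exe_procs
    echo "== processes running deleted temp scripts";    find_deleted_script_procs
}

if [ -n "${AUDIT:-}" ]; then
    audit_host
fi
```

Running it as `AUDIT=1 WEBROOT=/path/to/site ./audit.sh` prints the four listings; a non-empty "deleted" listing is worth a look even when /tmp is clean, because that is exactly the state a self-erasing spam script leaves behind. The /proc checks only see processes the running user may inspect, so run them as root to cover the web server's account.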
