Phishing sites hacked into via Google

Richard Clayton, a researcher at the University's Computer Science Lab, and Tyler Moore, of Harvard University's Center for Research on Computation and Society, found that three quarters of all phishing web sites are legitimate sites that have been compromised and have had the attackers' own HTML pages added to host the phishing content. These sites were often found by searching for vulnerabilities using search tools like Google, according to their report, "Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing".

The team analyzed sites by looking at publicly accessible logs created by the Webalizer, a popular web site statistics tool. This enabled the researchers to understand what search terms had been used to find the site. It found samples from 2 486 phishing web sites. Half of these sites had been found via search results, and of those, 204 had been found via 'evil' searches.

In 90% of cases, the logs showed that an 'evil' search was conducted either at or shortly before the web site was compromised, creating strong evidence that the web site had been compromised as a result of an attacker searching for vulnerabilities.

In many cases, the level of 'evil' searches may have been much higher, said the report. "Evil searches are only recorded in the website logs if the attacker clicks on a search result to visit the site. Using automated tools such as Goolag, or simple cut & paste operations, hides the search terms," it said. "This leads us to underestimate the frequency of evil searches." Goolag was a tool developed by the hacking group Cult of the Dead Cow, which automates the process of searching for vulnerable web sites in Google.
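As an added illustration (not code from the report or from this article), the sketch below pulls search terms out of the referrer field of a site's own raw access log and flags those that look like a search for a class of software rather than for content. The combined log format, the pattern list and the sample lines are assumptions constructed for this example; the third sample line shows the blind spot the report describes, where a request with no referrer leaves no search terms to record.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "request" status bytes "referrer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Assumed heuristic, not the researchers' classifier: advanced search
# operators or a software banner phrase in the query.
SUSPICIOUS = re.compile(
    r'\b(?:inurl|intitle|allinurl|filetype):|\bpowered by\b', re.I)

# Query parameter that carries the search phrase, keyed by a host fragment.
# Substring matching is loose; tighten it for production log analysis.
ENGINE_PARAMS = {"google.": "q", "bing.com": "q", "search.yahoo.com": "p"}

def search_terms(referrer):
    """Return the search phrase from a search-engine referrer URL, or None."""
    parts = urlsplit(referrer)
    host = parts.hostname or ""
    for marker, param in ENGINE_PARAMS.items():
        if marker in host:
            values = parse_qs(parts.query).get(param)
            return values[0].strip() if values else None
    return None

def flag_searches(lines):
    """Yield (client_ip, timestamp, terms, suspicious) for search-referred hits."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, ref = m.groups()
        terms = search_terms(ref)
        if terms:  # None when the referrer is absent or not a search engine
            yield ip, ts, terms, bool(SUSPICIOUS.search(terms))

# Constructed sample log lines (documentation IP ranges, fictional software).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2009:04:11:52 +0000] "GET /gallery/index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=%22powered+by+ExampleGallery+1.2%22" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2009:09:30:01 +0000] "GET /contact.html HTTP/1.1" 200 2048 "http://www.google.co.uk/search?q=village+bakery+opening+hours" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2009:04:12:40 +0000] "POST /gallery/upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_searches(SAMPLE_LOG):
        print(hit)
```

Correlating the timestamps of flagged hits with the time a site was first seen hosting phishing pages is the comparison the researchers describe.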

The team also found that a high percentage of phishing sites were being recompromised once they had been cleaned up. Around 19% of all sites were recompromised within six months. Evil searches featured heavily in recompromised sites, it said. Around 20% of sites recompromised within four weeks had been compromised using evil searches, compared with just under 15% that were compromised without using them.

"Vulnerable web sites that can be found through web search are likely to be repeatedly rediscovered and recompromised until they are finally cleaned up," the researchers explained.

Not all phishing sites were hacked, however. 17.5% of them were created using 'free' web hosts to which anyone can register and upload pages. Rockphish and fast flux attacks, in which malware-infected systems are used to host content and are accessed via fast-changing DNS servers, comprise 6.8% of phishing sites.
