A number of small businesses utilise Content Management Systems (CMS) to build their websites. There are many free online programs that create the web pages and content, with the author needing very little knowledge of HTML. This can be a quick and cost-effective solution for small businesses that need to gain a web presence quickly and cheaply. A multitude of plug-ins is available for the software, as well as templates that provide common pages for websites, such as Blog, Contact Us, Shipping Info or RSS Feeds. Some of the most popular free CMS programs are Joomla and WordPress.
There are, however, risks that come with using these free CMS programs. If the people managing them don’t keep them up to date with current plug-ins, they could be leaving customers’ websites vulnerable to hacking. Customers install the relevant plug-in (like the Blog plug-in), but if they don’t keep on top of their website maintenance, they will potentially be running old plug-ins and opening themselves up to security flaws.
These security flaws can then be abused by cyber-criminals to carry out phishing attacks. The attackers simply run a Google search for domains that are using files with known security flaws, which tells them which websites are vulnerable. They break into those domains and launch their phishing attacks.
The Anti-Phishing Working Group (APWG) is the worldwide coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors. It runs its operations through a US-based, not-for-profit organisation. The APWG provides the following information regarding how vulnerable websites can be hacked and used for phishing:
“A web site phishing attack often begins when a phisher breaks into or “hacks” a reputably legitimate web site. By “hacking a web site,” we mean that the attacker gains control of the server that hosts your web site and finds a way to either add phishing pages to the web site, change the content of the web site, or add software for execution or download to the web site. An example of adding pages to the site is when the phisher gains control over a legitimate website like www.example.com and then adds an unauthorized page in an obscure directory such as www.example.com/~sneaky/. The phishing email— the lure that draws a victim to the phishing site—may use an image or hyperlink to disguise the fact that when the victim attempts to visit a bank, an e-merchant, or an organization's customer or Intranet portal, the victim is really visiting www.example.com/~sneaky/stealyourID.html. Attackers may take great pains to make the unauthorized page (stealyourID.html) appear identical to the impersonated web page. This deception is intentional and is designed to trick users into entering sensitive information such as user accounts, passwords, credit card numbers, or other personal information.”
The most common way that organisations discover their website has been compromised is when a third party (probably a customer) notifies them of it. Here is a list of appropriate steps to take if such a situation occurs:
- Identify the type of attack
- Initiate appropriate containment actions
- Report the phishing URL to the APWG via email at firstname.lastname@example.org
- Initiate recovery and restoration actions
- Revisit the incident to study how and why the incident occurred
Note: Many organizations outsource web site hosting to service providers, so the above actions may need to be co-ordinated between the website owners and the hosts.
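Because a compromise is usually discovered only when a third party reports it, the first step above ("Identify the type of attack") is easier if you already watch your own server logs for the symptom the APWG describes: pages being served from a directory you never published, such as /~sneaky/. The following is an added example, not code from FraudWatch International or the APWG; it parses combined-format access log lines and groups successfully served requests for unknown paths by directory. The site inventory and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache and nginx; capture only the fields needed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed inventory of the legitimate site (exact pages plus directory prefixes);
# on a real CMS install this would be generated from the installed pages and assets.
KNOWN_PAGES = {"/", "/index.php"}
KNOWN_DIRS = ("/blog/", "/contact/", "/shipping/", "/feed/", "/wp-content/", "/images/")

# Constructed sample access log: normal traffic plus hits on an unknown directory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /~sneaky/stealyourID.html HTTP/1.1" 200 8812 "http://mail.example.net/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:40 +0000] "POST /~sneaky/login.php HTTP/1.1" 200 312 "http://www.example.com/~sneaky/stealyourID.html" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "GET /~sneaky/stealyourID.html HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:58:00 +0000] "GET /oldpromo/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

def is_known(path):
    path = path.split("?", 1)[0]
    return path in KNOWN_PAGES or path.startswith(KNOWN_DIRS)

def top_dir(path):
    """Reduce /~sneaky/stealyourID.html to /~sneaky/ so hits group by directory."""
    parts = path.split("?", 1)[0].split("/")
    return "/" + parts[1] + "/" if len(parts) > 2 else path

def scan(lines):
    """Group successfully served requests for unknown paths by top-level directory."""
    found = defaultdict(lambda: {"hits": 0, "posts": 0, "ips": set(), "referers": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2") or is_known(m["path"]):
            continue  # malformed line, nothing served (e.g. a 404), or the site's own content
        rec = found[top_dir(m["path"])]
        rec["hits"] += 1
        rec["ips"].add(m["ip"])
        if m["method"] == "POST":
            rec["posts"] += 1  # form submissions to a page you never published: strongest signal
        if m["referer"] not in ("-", ""):
            rec["referers"].add(m["referer"])  # webmail referers show victims arriving from the lure
    return dict(found)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```

A hit on an unknown directory is a lead to investigate, not proof of compromise; a POST to such a page, with victims arriving from webmail referers, is the pattern that most warrants the containment steps listed above.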
The APWG has published a document about what to do if your website has been hacked by phishers. It is available at www.antiphishing.org/reports/APWG_WTD_HackedWebsite.pdf.
It is a good idea to redirect any visitors who attempt to reach the removed phishing page to a web page you have prepared, explaining that they were tricked by a phishing email and that the malicious page they were being sent to has been removed. The APWG provides a standard “You’ve been phished!” redirection page and instructions for its use at http://education.apwg.org/r/about.html.
FraudWatch International recommends that clients look at the files on the APWG site to see how to protect against phishing. There is also information there that can teach users how to patch or fix their websites so they are no longer vulnerable.
Please contact us for more information on how FraudWatch International can help protect your organisation by monitoring your website traffic and server logs, often before attacks occur.