My next class:

Having Phish on Friday

Published: 2011-02-02. Last Updated: 2011-02-02 16:57:35 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

We have gotten reports of a phish group which may reside in Indonesia compromising large numbers of web servers. There isn't a lot of detail so far. One interesting facet is that the phish usually goes "live" on a Friday, probably in an attempt to maximize response time.

Each compromised site typically hosts phishing pages for multiple banks.

Many of the sites appear to have outdated versions of OS Commerce installed which is a likely source of the compromise.

If you have any logs willing to share: Please send them in via our contact form. We are trying to determine the exact entry vector (is it OS Commerce or something else?), maybe any tools used to achieve the compromise and anything else left behind besides the phishing pages.

https://isc.sans.edu/contact.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: oscommerce phishing
1 comment(s)
My next class:

Comments

Friday in Uncle Sugar is Saturday in Indonesia. I wonder if they are also taking advantage of the weekends when fewer IT staff are on duty and awareness is lower? They may have week day jobs too.

KBR

Feb 2nd 2011
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives