By examining a phishing campaign, researchers at the Imperva Defense Center have uncovered new ways cybercriminals are leveraging compromised servers to lower the cost of phishing. Phishing is the starting point for most network and data breaches. The campaigns run mostly from compromised web servers and distribute all kinds of malware, including ransomware. In this report, we present the different tools used to compromise web servers, phishing platforms offered as a service, financial motivations and the business models of phishing campaigns. We also highlight the importance of intelligence sharing, which helped attribute the phishing campaign with high confidence to a group of known cybercriminals.
Phishing campaigns are often orchestrated from compromised web servers while hosting providers and businesses remain totally unaware of the malicious activity. Compromised web servers used in Phishing as a Service (PhaaS) platforms significantly lower the costs of a phishing campaign and help the cybercriminals hide their tracks. The 2016 Verizon Data Breach Investigations Report (VZ DBIR) documents a significant increase in phishing success over 2015 primarily due to human factors. Endpoint protection mechanisms have failed to contain the spread of malware. If more web servers are hardened, there is a good chance the phishing threat can be mitigated.
The best way to protect web servers from being compromised is to deploy web application firewalls (WAFs) that can detect and block advanced injection techniques. The phishing-based malware distribution mechanism relying on compromised servers can be contained only by increasing the security on web servers. If WAFs were deployed as ubiquitously as network firewalls, the cybercriminal industry would be seriously crippled.