Having Phish on Friday
We have gotten reports of a phish group which may reside in Indonesia compromising large numbers of web servers. There isn't a lot of detail so far. One interesting facet is that the phish usually goes "live" on a Friday, probably in an attempt to maximize response time.
Each compromised site typically hosts phishing pages for multiple banks.
Many of the sites appear to have outdated versions of OS Commerce installed which is a likely source of the compromise.
If you have any logs willing to share: Please send them in via our contact form. We are trying to determine the exact entry vector (is it OS Commerce or something else?), maybe any tools used to achieve the compromise and anything else left behind besides the phishing pages.
https://isc.sans.edu/contact.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
KBR
Feb 2nd 2011
1 decade ago