A recent study by cybersecurity firm Kaspersky has revealed the techniques utilized by phishers to evade detection and exploit compromised websites for phishing attacks.
According to a technical write-up published by security researchers Tatyana Machneva and Olga Svistunova on Monday, one common strategy is the hacking of abandoned or poorly maintained websites. These sites become vulnerable because their security patches are out of date, providing cyber-criminals with an easy entry point. Phishers can then embed malicious content within these sites, often going unnoticed for extended periods.
Even active but smaller websites are not immune to such attacks, Kaspersky explained. Financial constraints and lack of security expertise make them appealing targets. As links to scam pages are often shared via email or instant messaging, the popularity of a website becomes less relevant to phishers than its susceptibility to compromise.
“Compromising legitimate website and hosting services has a higher return on investment for hackers because most organizations’ security tools are not tuned to detect these types of phishing threats,” said Patrick Harr, CEO at SlashNext. “This is why it’s important to have security tools that do detect and stop phishing on legitimate services.”
Additionally, the research highlights the prevalence of WordPress-powered websites in these attacks, with 43.1% of all websites on the internet relying on this content management system. Hackers frequently exploit vulnerabilities in plugins and the platform itself.
“The reason hackers go after WordPress sites like this is that the legitimacy of the website will lower people’s defenses when they hand over sensitive information and because it’s a nice way for hackers to bypass the issue of domain take-downs,” explained Hoxhunt CEO, Mika Aalto.
“Otherwise, attackers may set up malicious domains long before launching phishing campaigns so as to trick systems that automatically flag messages from newly created domains. Breaching WordPress sites solves this issue because the domains are not newly registered, and hackers can avoid the risk and hassle of registering a domain they intend to use for their malicious purposes.”
Kaspersky’s study also provides insights into the methods employed by these malicious actors to infiltrate and manipulate control panels of hacked websites.
The report concludes by offering crucial takeaways for both website administrators and users. Recommendations include maintaining strong, unique passwords, adopting multi-factor authentication (MFA) and regularly updating server software.
Vigilance in detecting signs of phishing, such as unusual directory names in URLs and unrelated content, can help users further steer clear of potential scams.