Phish Hosted for Free

Since March 2010, and especially this month, the MarkMonitor Security Operations Center (SOC) has noticed a significant increase in the use of free web hosting services for phishing and malware attacks. Cybercriminals are using free hosting services to either host the phishing and malware sites themselves or redirect to fast-flux malicious sites.

Here is how this new attack method works: Emails with links, obfuscated by the use of HTML or a URL shortening service, direct victims to a free-hosted web page. In some cases, this page is itself a phishing or malware site. In other cases, the landing page contains JavaScript that seamlessly redirects users to a malicious site hosted on a fast-flux botnet.

The free hosting-fast-flux combination is particularly interesting because it indicates cybercriminals have added another, front-end layer to their fraud infrastructure for greater stealth and resilience:

  • Layer 1: Free-hosted webpages with JavaScript redirectors
  • Layer 2: Constantly changing compromised PCs that serve as proxy redirectors
  • Layer 3: Phish or malware domains
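
For defenders triaging reported URLs, the layer 1 to layer 2 hand-off can be checked mechanically. The following is an added example, not MarkMonitor's tooling: it flags a free-hosted page whose script redirects off-site to a hostname that resolves like a fast-flux name. The host suffixes, thresholds and sample data are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: placeholder suffixes; substitute the free hosts seen in your own feeds.
FREE_HOST_SUFFIXES = (".freehost.example", ".freepages.example")

# Automatic-navigation patterns with a literal URL (obfuscated script needs a sandbox).
REDIRECT_PATTERNS = [
    re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
    re.compile(r"""location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I),
    re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.I),
]

def redirect_targets(html):
    """Absolute URLs the page sends the browser to without a click."""
    urls = [u for pat in REDIRECT_PATTERNS for u in pat.findall(html)]
    return [u for u in urls if urlparse(u).hostname]

def is_free_hosted(url):
    return (urlparse(url).hostname or "").lower().endswith(FREE_HOST_SUFFIXES)

def looks_fast_flux(answers, min_ips=5, max_ttl=300):
    """answers: (ip, ttl) pairs from repeated A lookups; thresholds are illustrative."""
    ips = {ip for ip, _ in answers}
    return len(ips) >= min_ips and all(ttl <= max_ttl for _, ttl in answers)

def triage(page_url, html, dns_by_host):
    """Layer 1 -> layer 2 check: free-hosted page redirecting off-site to a fluxing name."""
    if not is_free_hosted(page_url):
        return []
    src = urlparse(page_url).hostname.lower()
    hits = []
    for target in redirect_targets(html):
        dst = urlparse(target).hostname.lower()
        if dst != src and looks_fast_flux(dns_by_host.get(dst, [])):
            hits.append((page_url, target))
    return hits

# Constructed sample data (documentation domains and IP ranges, not real indicators).
SAMPLE_URL = "http://promo123.freehost.example/index.html"
SAMPLE_HTML = '<html><script>window.location.href = "http://login.flux.example/a";</script></html>'
SAMPLE_DNS = {"login.flux.example": [("192.0.2.%d" % i, 120) for i in range(1, 8)]}

if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_HTML, SAMPLE_DNS))
```

The DNS observations are expected to come from repeated lookups over time (for example a passive DNS feed); a single answer set rarely shows enough churn to separate fast-flux from ordinary round-robin.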

The SOC believes free hosting services are becoming popular with cybercriminals because these services give cybercriminals unlimited free resources to launch their attacks and to protect their expensive fast-flux infrastructures.

In addition, cybercriminals are able to set up malicious sites on free hosting services much more easily than registering malicious sites with ISPs or registrars. Typically, cybercriminals would register their malicious sites using stolen credentials. With free hosting services, cybercriminals may now open accounts and set up their malicious sites by simply using email addresses created on free email services.

MarkMonitor's SOC believes that this new development of free hosting combined with fast-flux, especially as seen this month, is a tell-tale sign that something on a larger scale may occur this summer. The emergence of free hosting front-ends to fast-flux botnets may indicate that cybercriminals have been beta-testing their new attack infrastructure in recent months before a general release in August, the historical high point of phishing each year. Stay tuned ...