Last Updated: 2011-02-02 16:57:35 UTC
by Johannes Ullrich (Version: 1)
We have gotten reports of a phish group which may reside in Indonesia compromising large numbers of web servers. There isn't a lot of detail so far. One interesting facet is that the phish usually goes "live" on a Friday, probably in an attempt to maximize response time.
Each compromised site typically hosts phishing pages for multiple banks.
Many of the sites appear to have outdated versions of OS Commerce installed which is a likely source of the compromise.
If you have any logs willing to share: Please send them in via our contact form. We are trying to determine the exact entry vector (is it OS Commerce or something else?), maybe any tools used to achieve the compromise and anything else left behind besides the phishing pages.