
SANS ISC: Having Phish on Friday SANS ISC InfoSec Forums

Having Phish on Friday

We have gotten reports of a phish group which may reside in Indonesia compromising large numbers of web servers. There isn't a lot of detail so far. One interesting facet is that the phish usually goes "live" on a Friday, probably in an attempt to maximize response time.

Each compromised site typically hosts phishing pages for multiple banks.

Many of the sites appear to have outdated versions of OS Commerce installed, which is a likely source of the compromise.

If you have any logs you are willing to share, please send them in via our contact form. We are trying to determine the exact entry vector (is it OS Commerce or something else?), any tools used to achieve the compromise, and anything else left behind besides the phishing pages.

https://isc.sans.edu/contact.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Friday in Uncle Sugar is Saturday in Indonesia. I wonder if they are also taking advantage of the weekends when fewer IT staff are on duty and awareness is lower? They may have weekday jobs too.
Anonymous
