
What to Do If Your Website Has Been Hacked by Phishers

An APWG Industry Advisory

Committed to Wiping Out Internet Scams and Fraud

January 2009

Contents

Overview 3
Web Site Phishing Attack Scenarios 4
Identification 6
Reporting (Notification) 8
Containment 10
Recovery 13
Follow-up 15
Conclusions 17
References 17

Correspondent Authors Contact Data:
Suzy Clarke, Suzy.Clarke@asb.co.nz
Dave Piscitello, dave.piscitello@icann.org

Disclaimer: PLEASE NOTE: The APWG and its cooperating investigators, researchers, and service providers have provided this message as a public service, based upon aggregated professional experience and personal opinion. These recommendations are not a complete list of steps that may be taken to avoid harm from phishing. We offer no warranty as to the completeness, accuracy, or pertinence of these recommendations with respect to any particular registrar's operation, or with respect to any particular form of criminal attack. Please see the APWG web site http://www.apwg.org for more information. Institutional affiliations are provided for identification purposes and do not necessarily represent institutional endorsement of or responsibility for the opinions expressed herein.

An APWG Industry Advisory


http://www.apwg.org info@apwg.org

PMB 246, 405 Waltham Street, Lexington MA USA 02421


Principal Investigators: Suzy Clarke, ASB Bank; Dave Piscitello, ICANN

Contributing Researchers: Joe St Sauver, PhD, University of Oregon; Ryan Macfarlane, FBI; Paul Laudanski, Microsoft; Paul Nankervis, National Australia Bank; David Zamler, Federation of Security Professionals; Darren Bilby, Google

Overview
Some phishers use compromised computers to host malicious or illegal activities, including identity theft, fraudulent financial activities, as well as collecting personal information and business identities from their victims for future use. Others attack or hack into and gain administrative control over the legitimate web sites [1] of businesses and organizations of all sizes. Such hacked web sites disguise the bad acts the phishers perform. More importantly, web site hackers are fully aware that the web sites they hack and "own" are reputably legitimate. Law enforcement and antiphishing responders respect and operate under established business, technical, and legal constraints when they seek to remedy or take down hacked web sites. These measures protect legitimate web site operators but unfortunately serve the attacker as well by extending the duration of the attack.

The Anti-Phishing Working Group (APWG) offers this document as a reference guide for any web site owner or operator who suspects, discovers, or receives notification that its web site is being used to host a phishing site. The document explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration, and follow-up when an attack is suspected or confirmed.

This document serves as a guideline for web site owners. The list of responses described here is not exhaustive. We provide a list of complementary resources to help web site owners learn more about each recommended action. In several cases, the document mentions software that a web site owner may find useful when attempting to perform recommended actions. The software lists, too, are not exhaustive. The examples provided in these lists are representative of a very broad set of commercial and open source programming solutions. Web site owners are encouraged to research and experiment with other software as well.

Many actions will require business, technical, and legal expertise that are beyond the scope of this document. Web site owners are encouraged to discuss such matters with experts in each of these disciplines.
[1] http://www.theregister.co.uk/2007/07/10/plug_and_play_phishing/


Web Site Phishing Attack Scenarios


A web site phishing attack often begins when a phisher breaks into or "hacks" a reputably legitimate web site. By hacking a web site, we mean that the attacker gains control of the computer (server) that hosts your web site and finds a way to either add phishing pages to the web site, change the content of the web site, or add software for execution or download to the web site.

An example of adding pages to the site is when the phisher gains control over a legitimate web site like www.example.com and then adds an unauthorized page in an obscure directory such as www.example.com/~sneaky/. The phishing email, the lure that draws a victim to the phishing site, may use an image or hyperlink to disguise the fact that when the victim attempts to visit a bank, an e-merchant, or an organization's customer or Intranet portal, the victim is really visiting www.example.com/~sneaky/stealyourID.html. Attackers may take great pains to make the unauthorized page (stealyourID.html) appear identical to the impersonated web page. This deception is intentional and is designed to trick users into entering sensitive information such as user accounts, passwords, credit card numbers, or other personal information.

The following sequence illustrates a representative hacked web site response scenario.

1. A third party notifies either the web site operator or domain owner that its web site is compromised. Together, the parties attempt to verify the third party's authenticity while they investigate the claim.

   Alternatively, the web site owner or operator may suspect or discover the web site phishing attack through self-examination or web site intrusion monitoring. In this case, the owner or operator initiates whatever containment actions they determine to be appropriate and proceeds to step (3). (See the section entitled Containment for additional information.)

2. The web site owner reports the incident. The APWG strongly encourages web site owners to report the phishing URL to the APWG via email at reportphishing@antiphishing.org. (See the section entitled Reporting for additional information.)

3. If both the third party and the claim are legitimate, the web site owner authorizes containment and the web site operator initiates whatever containment actions the parties have determined to be appropriate. (See the section entitled Containment for additional information.)

4. The web site owner and operator initiate recovery actions. Here, both parties assess the damage to identify what data and services must be recovered. The timeline assists parties in determining whether data recovery is required and whether there is any accurate data available for recovery. (See the section entitled Recovery for additional information.)

5. The web site owner and operator initiate restoration actions. Here, efforts focus on returning the web site to full, uncompromised, normal activity. (See the section entitled Restoration for additional information.)

6. The web site owner and operator revisit the incident to study how and why the incident occurred to determine what additional measures might be taken to reduce the possibility of future, similar incidents. (See the section entitled Follow-Up for additional information.)

Note: (2) and (3) may occur in reverse order, depending on the organization's preparedness and how it is structured. Some organizations empower web site operators to contain without prior approval while others do not.

Many organizations outsource web site hosting to service providers. Third-party web hosting providers should have their own procedures for dealing with phishing sites hosted on their servers. Ask your hosting provider to discuss these procedures with you before an event occurs. All web site owners should also make certain that the web site hosting provider is contractually obligated to notify them in the event of a hacked web site incident, and both parties should agree on a common set and order of response actions in advance. If your web site hosting provider indicates it does not have procedures in place to deal with web site phishing attacks, please refer them to this document.


Identification
Stealth, evasion, and covert operation aptly describe how phishers and other attackers compromise and remotely operate systems that host web sites.

1. How can I know if our web site has been attacked?

The most common form of identification (notice) includes Third Party Notifications. You may receive a notice by phone or email from an individual or organization that claims knowledge of an attack. Obtain as much information from the third party as possible, including:

a) The person's name
b) Name of their organization
c) Return contact information (phone, email, postal address, organization's web site)
d) Web page(s), including the URL (link) the party alleges to be a phish web site
e) Nature of attack (attempt to steal personal information, to complete a bogus credit card transaction, to obtain user account credentials, etc.)
f) A description of any malicious content that appears to be downloadable from your web site (e.g., spyware)

Use this information to report the incident in accordance with a predetermined incident reporting and response plan. (See the section entitled Reporting for additional information.)

2. Can I trust third party notifications?

No, the claim may not be accurate. While a notice from a third party who suggests that your web site has been hacked is unsettling, remain calm. Be suspicious if the party refuses to provide the above-mentioned information to you. Do not be frightened, coerced, or otherwise socially engineered into taking any action the party recommends before you investigate the claim. Attempt to corroborate all contact information quickly and before you escalate the claim through an incident response process. Forward any court order, criminal complaint or subpoena to your own legal counsel for review.

3. How can I identify web site phishing attacks?

Organizations that proactively monitor their web sites can (and do) discover web site phishing attacks. Here are some examples of how various proactive monitoring can help you identify attacks:

a) Traffic monitoring. Your web site developers or your information technology (IT) staff may notice unusual access to your web site, unusual traffic volume directed at your web site, or unusual traffic emanating from your web server, or an unusual number of requests for nonexistent URLs. For example, a web server devoted solely to hosting web pages that begins to transmit thousands of email messages per second merits investigation.
b) File system inspection. Through routine inspection, your authorized staff may identify suspicious files, directories, or executable programs; again, imagine if your staff discovers a database of credit card information on your web server and none of the customers are yours.
c) Web server configuration inspection. Through routine inspection, your authorized staff can detect unauthorized or unintended changes in web server or operating system configurations; for example, imagine if your staff discovers that your dedicated web server is hosting Internet Relay Chat (IRC) sessions.

Event logging and reporting systems are extremely important sources for identifying web site attacks. Take advantage of firewall, web server, server operating system, and server application logs. These often contain information that allows daily operations staff or incident response (IR) teams to determine how a phisher gained unauthorized access to your systems.

Attackers are fully aware of the forensic value of event logs, so it is important that you take measures to protect your log collection and reporting system from attack. Establish a secure archival and retrieval process for event logs. In addition, make copies of logs from before, during, and after an incident. These may prove invaluable at a later time, for example during subsequent investigations into the incident. Larger organizations may wish to consider a centralized (networked) logging system too. Centrally maintained logging may be less vulnerable to destruction or manipulation by attackers than on-system logs. (See the section entitled Follow-Up for additional discussion.)
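Two of the traffic-monitoring indicators above (content served from a directory you never published, and an unusual number of requests for nonexistent URLs) can be checked mechanically against web server access logs. The following script is an added example, not part of the APWG advisory; the inventory of known paths and the log lines are constructed, and the 404 threshold is an assumed value that each site would tune to its own baseline.

```python
import re
from collections import Counter, defaultdict

# Apache/NCSA "combined" access log format; referer and user agent are
# optional trailing fields, so the pattern is anchored on the start only.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed inventory of the URLs this hypothetical site actually publishes.
# In practice, generate it from the web root or the deployment manifest.
KNOWN_PATHS = {
    "/", "/index.html", "/about.html", "/products.html",
    "/css/site.css", "/img/logo.png",
}

# Constructed sample log: normal visitors, a phishing page planted in an
# obscure directory (as in the advisory's www.example.com/~sneaky/ example),
# and one client probing for non-existent URLs.
SAMPLE_LINES = [
    '203.0.113.5 - - [12/Jan/2009:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2009:10:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 812 "http://www.example.com/index.html" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2009:10:01:10 +0000] "GET /~sneaky/stealyourID.html HTTP/1.1" 200 9133 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Jan/2009:10:01:12 +0000] "POST /~sneaky/stealyourID.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2009:10:02:40 +0000] "GET /products.html HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.44 - - [12/Jan/2009:10:03:{i:02d} +0000] "GET /admin{i}.php HTTP/1.1" 404 210 "-" "curl/7.19"'
    for i in range(25)
]


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    # Strip any query string so /page.html?x=1 compares against the inventory.
    fields["path"] = fields["path"].split("?", 1)[0]
    return fields


def analyze(lines, known_paths, notfound_threshold=20):
    """Flag two of the indicators the advisory describes.

    unknown_served:  paths the server answered successfully (status < 400) that
                     are not in the published inventory, i.e. content you never
                     deployed.
    notfound_spikes: clients whose count of 404 responses meets the threshold,
                     i.e. an unusual number of requests for non-existent URLs.
    """
    unknown_served = Counter()
    notfound_by_ip = defaultdict(int)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep count; malformed lines merit a look too
            continue
        if rec["status"] < 400 and rec["path"] not in known_paths:
            unknown_served[rec["path"]] += 1
        elif rec["status"] == 404:
            notfound_by_ip[rec["ip"]] += 1
    spikes = {ip: n for ip, n in notfound_by_ip.items() if n >= notfound_threshold}
    return {"unknown_served": unknown_served, "notfound_spikes": spikes, "unparsed": unparsed}


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES, KNOWN_PATHS)
    for path, hits in report["unknown_served"].most_common():
        print(f"served but not in inventory: {path} ({hits} hits)")
    for ip, n in report["notfound_spikes"].items():
        print(f"404 spike from {ip}: {n} requests")
```

A successfully served path that is absent from your own inventory is the stronger of the two signals, because it means the server is delivering content you did not deploy; the 404 count is noisier and mainly indicates probing.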

Record the web page(s) or suspicious activity or configuration and report the incident in accordance with a predetermined incident reporting and response plan.

4. Can security assessments help identify web site phishing attacks?

Yes. Your organization or your web site hosting provider should consider routine examinations or scans of web servers for suspicious or known malicious programs, improperly patched components, and configurations that do not comply with applicable security (or regulatory) policies. Your staff can perform a security assessment using a web application vulnerability scanner. Free and open source examples of such tools include Backtrack, HackerGuardian, Nessus, Nikto, and Sandcat (Note: a search engine query for "web application scanners" will yield multiple trusted download sites for these and similar applications). Security consultants and auditors can perform more exhaustive assessments and can be contracted to do so on a recurring basis. Your staff can improve anti-hacking and secure web application design and programming by regularly performing scans.

A careful security assessment should compare the content on your web server against known-to-be-correct versions, the content you intended to host. Eyeballing files or comparing file sizes is not sufficient: use checksums generated by applications such as Open Source Tripwire to assure that files are identical. When you perform such assessments, generate a detailed report that can be used in accordance with a predetermined incident reporting and response plan.

Once you suspect, have discovered, or been notified that your web site is hosting a phishing site, report the incident, in accordance with a predetermined incident reporting and response plan.
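The checksum comparison recommended here, and the hashed archive of authentic pages the Containment section later asks you to keep, amount to a baseline manifest of the web root that is stored off the server and diffed against the live content. The script below is an added example of that approach and is not the advisory's or Tripwire's code; the web root it builds is constructed in a temporary directory, SHA-256 is an assumed hash choice, and the same-length edit shows why comparing file sizes alone is not sufficient.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large web assets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def compare_manifests(baseline, current):
    """Report files added, removed, or changed relative to the known-good baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in baseline.keys() & current.keys()
        if baseline[f]["sha256"] != current[f]["sha256"]
    )
    # Changes that a size comparison alone would have missed.
    same_size_modified = [f for f in modified if baseline[f]["size"] == current[f]["size"]]
    return {"added": added, "removed": removed, "modified": modified,
            "same_size_modified": same_size_modified}


def demo():
    """Constructed scenario: baseline a small web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>Welcome to example.com</body></html>")
        (root / "css" / "site.css").write_text("body { color: black; }")

        # The baseline is serialized so it can be stored (and signed) off the
        # server, outside the web root, as the advisory recommends.
        baseline_json = json.dumps(build_manifest(root), indent=1, sort_keys=True)

        # Tampering: a same-length edit that changes no file size, plus a planted
        # page in an obscure directory like the advisory's ~sneaky example.
        (root / "index.html").write_text("<html><body>Welcome to examp1e.com</body></html>")
        (root / "~sneaky").mkdir()
        (root / "~sneaky" / "stealyourID.html").write_text("<form method=post>...</form>")

        return compare_manifests(json.loads(baseline_json), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the comparison from a clean host against a read-only copy of the web root where possible; a manifest kept on the compromised server is exactly what an attacker would edit.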

Reporting (Notification)
1. Should I report the incident?

The exact reporting procedure and the parties to whom a phishing web site incident is disclosed may be influenced by business, regulatory, and legal responsibilities. As part of an overall security strategy, organizations that operate public-facing web sites (in particular, those that collect personal, financial, and other sensitive information) should consult with executives, communications personnel (e.g., public relations departments), and legal counsel to ask that they provide input to the incident reporting procedures that specifically address web site attacks.

2. To whom should I report it?

As you prepare your reporting procedures, consider when and how to report your incident to:

a) Antiphishing networks
b) Antivirus and antimalware organizations (in cases where you discover malicious executables or scripts)
c) CERT organizations
d) Common Vulnerability and Exploit (CVE) disclosure list administrators (in cases where you discover a vulnerability or bug in commercial software)
e) Customers
f) Law enforcement, e.g., through the Internet Crime Complaint Center [2]
g) Regulatory compliance agencies
h) Software developers (in cases where you discover bugs in custom application software or webware developed exclusively for your organization)
i) Any individual or organization directly affected by the phishing attack, even if they do not fit into one of the other categories listed above.
j) The general public

Some of these notifications will not always be applicable or appropriate for a particular incident. If your web site belongs to a corporation, a not-for-profit organization, a government agency, or any organization that must satisfy regulatory compliance criteria, you should report a web site phishing attack that results in a material breach to executive management or in-house legal counsel. Evidence of a web server breach that has data breach implications in the context of health care, privacy, or financial reporting regulations may instigate a full review of the compromised system to determine the extent of compromise and also to determine what, if any, compliance violations may have contributed to or resulted from the incident.

Management and legal counsel are best suited to prepare and coordinate external reporting and notification to response teams, CERTs, regulatory agencies, and law enforcement. Communications departments should be consulted prior to contacting customers, the press, and general public. They have the training, skills, and relationships needed to effectively communicate information pertaining to an incident, and experience managing reactions to what may be alarming news.

Having well-documented incident reporting procedures in place typically assures that everyone in the organization understands her role in the reporting process. It minimizes confusion, delays, and errors in responding to an incident; limits worry over embarrassment and tarnish to brand; and it expedites containment, recovery, and restoration.

Incident reporting procedures may require that you contact your IT support, web hosting provider, and ISP so that all parties who participate in providing or supporting your public web presence are engaged in the response. Each party may have specific actions they need and expect you to take in addition to those outlined in this guide. Be prepared to provide all relevant information, such as logs from your web server, firewall, and operating system, as well as copies of the unauthorized content, dates, and times that you were made aware of the issue (also known as an incident timeline). Keep a record of what information you provided, and to whom.

These administrative actions help inform the appropriate people about the incident so that you can ensure a more unified response.

APWG encourages you to report the phishing site URL to the APWG via the email address reportphishing@antiphishing.org. Reporting to this address will cause most antiphishing organizations to receive a notification of the phishing web site. Security products, e.g., antiphishing toolbars, will be updated with the offending URL, thus offering protection to thousands, if not millions of potential victims.

If you're unsure about whom you should report the incident to, seek advice from in-house or external legal counsel or professional incident response organizations.

[2] The Internet Crime Complaint Center (IC3, http://www.ic3.gov) provides a central referring mechanism for cyber criminal complaints. IC3 accepts complaints from Internet users and refers them to appropriate (local, state, federal and international) law enforcement and regulatory agencies.

Containment
Consider the following issues if you have the necessary level of (administrative) access to your web site. If you outsource web hosting, discuss containment measures in advance with your web site hosting provider to assure that you and your provider have the same response strategy, or you may waste time responding on the fly that might otherwise be spent minimizing damage and loss.

1. Should I make a copy of the unauthorized content?

Generally, yes. Save a copy of the phishing site pages and any unauthorized content, scripts, or executable programs you discover during your analysis. These will help web site operators, system administrators, and/or an IR team to verify that the content change was unauthorized, intentional, and malicious. They may also help to determine which vulnerability let the phishers alter your web site. You may wish to copy the unauthorized content as soon as you isolate and discover each page, executable program, etc. If you or your hosting provider cannot obtain a disk copy of the system involved in the phishing, consider creating a logical copy, i.e., copy the files and preserve the folder structure. When creating a logical copy of files from the compromised computers, use tools such as Robocopy or the Unix cp command.

Please note that certain content, in particular content such as child pornography, poses serious legal implications if placed in the possession of persons who are not law enforcement agents or are not acting on behalf (and with full knowledge) of law enforcement. If you find any indication that illegal content is present on your system, do not make copies! Stop all investigative activities, contact the appropriate law enforcement in your jurisdiction, and follow their instructions regarding how to proceed.

2. Should I take my site offline (temporarily)?

You must decide in advance whether it's appropriate to suspend service to your web site for a short period of time while you attempt to investigate the attack. Make this decision as part of defining your overall incident response handling strategy. This strategy prevents additional visitors from falling victim to the phishing scam and also prevents the phisher/attacker from remotely controlling your web site. Consult with IT and IR teams to determine ways to shut down your site without the risk of losing traces of the phisher's activities, and consult with law enforcement and applicable regulatory compliance experts to understand the implications of temporary site suspension.
You may be advised or choose to leave the site online long enough to provide incident response teams and law enforcement with an opportunity to monitor the phisher's activities. If you choose to stay online, ask your IR team or law enforcement whether you should change administrator and user passwords immediately. Some investigators may want to continue to monitor an attacker's use of a compromised account. Discuss with your IR team whether the phisher appears sophisticated enough to have installed a program that will attempt to delete all evidence of his activities upon detection of loss of access.

3. Should I disable the unauthorized content?

If you do choose to keep your web site running, remove or disable access to the unauthorized web pages of the phishing site. Make copies of, remove and submit any malicious content to an antivirus or antispyware vendor. Redirect any visitors attempting to visit a phished page to a web page you have prepared that explains they have been tricked by a phishing email and that you have removed the page they were lured into visiting. The APWG provides a standard "you've been phished!" redirection page and instructions for its use at http://education.apwg.org/r/about.html. This strategy will prevent further use of the phishing site, keep your customers informed, keep your web site online for real-time analysis, and afford you additional time to perform containment actions.

4. Are there right and wrong ways to make copies of content?

How you make copies matters. File system based copies (e.g., copying files from the compromised system to removable media or to a network file share) do not have the same forensic and evidentiary value as a full (sector-by-sector) disk or partition copy. The Unix dd and WinDD utilities, NFGDump, and SelfImage are examples of utilities you can use to create clone images of the entire hard disk and partition where you discovered the phisher's unauthorized content. It is often useful (or necessary) to copy content from the compromised system using a bootable rescue CD (also called a Live CD). Programs such as the Trinity Rescue Kit, Knoppix, Helix from www.efense.com, or SLAX are examples of such utilities. These and other useful forensic software tools are freely available under the GNU GPL or similar open source licenses (a search engine query will yield multiple download sites for these applications; please exercise care and verify both the tool and its origin).
Save copies of your web site and all event logs that may be useful for incident analysis offline, e.g., on a DVD, CD, or on increasingly affordable portable hard drive devices. Include (digitally signed) checksums or hashes of your web pages on this DVD/CD so that it is easy to distinguish your intended and authentic content from unauthorized substitutions and additional content. Many hash generator programs and file system anti-tampering software are available for this purpose. Consider creating images of compromised web server operating system and application partitions for forensic analysis and follow-up.

Recovery
Recovery can be a slow and costly process if you have not prepared properly in advance. Don't wait for an incident to archive your authentic content. Routinely save and archive copies of your web site and logs to a location outside of the web root. Save all configuration files and maintain a careful record of configuration updates. If possible, burn all this data along with a copy of your web site to a DVD, CD, or copy to a portable hard drive device or backup system.

Consider routinely creating an exact copy of your web site for backup purposes. In addition to archiving your content, create images of web server operating systems and application partitions as well. These can be especially helpful in restoring systems to a previous, known security profile; for restoring security configuration files; and for restoring operating systems to a known patch level and known set of tested and approved patches and hotfixes.

Periodically or routinely restore files from archived media to make certain that your backup procedures, media, and devices are in working order and that the backups you make do indeed restore your web site to the state you intended when designing the procedure. The restore operations described below are best performed offline, using local administration on a secured network (e.g., from behind a firewall).

1. Should I restore from backup or rebuild from scratch?

The only way to ensure that your servers are clean is to rebuild from original install media or to do an OS restore from known good backups in offline mode, as recommended above. (If you cannot rebuild or restore offline, do so online but behind a firewall.) Prior to restoring from a backup or rebuilding, you must determine when and how the web site was compromised. Knowing when the compromise occurred is critical because this identifies the last known good backup of your content and other recovery images. "When" also establishes a point in time after which all archives of your web site must be treated as suspect. These may be relevant to any forensic investigation you conduct for this incident.
Determining how your systems were compromised before you rebuild or restore is critically important. The phisher discovered a vulnerability (a configuration error or software bug) and exploited this to obtain administrative access to the system(s) that host your web site. If you do not correct this vulnerability, the phisher or another attacker will invariably exploit it again.

2. When should I update my software and check my configuration?

When you restore, you return your web site to a known good state, but you are also going back in time. It is possible that patches, security updates, and configuration changes were introduced during the interim between the current date and the date of your restore images. If you are rebuilding from original media (e.g., Windows 2003 Server, OpenBSD, or Linux installation CDs) it is even more likely that your installation media are missing critical updates that were released after you obtained the media. Before you return your web site to a production environment, update all of your software to the latest versions and install all relevant patches and hotfixes. This includes patching operating systems, third-party, and custom applications that you may have installed on your systems.

It is extremely important that you verify that your web server OS and applications are configured properly. During the restore process, you may install a default configuration (common when you rebuild from scratch) or a configuration that you had modified subsequent to the date of your restore images. Perform a security assessment to verify that the restored system is configured correctly (and securely) before you return the web site to a production environment.

3. Should I change all my passwords?

When you are confident that you have restored your web site to an authentic and normal operating state, that you have installed all necessary software patches and hotfixes, and after you have taken measures to mitigate the vulnerabilities the phisher exploited, change all the passwords used to access accounts on the hitherto compromised system(s). The phishers may know the current passwords. It is important to acknowledge that even competent users and administrators use the same password on multiple systems (some business, some personal, and some public!), so consider whether it is appropriate to perform an extensive password reset procedure. Some organizations may also want to consider the merit of implementing multifactor authentication, e.g., a hardware cryptographic token, to make login processes more secure.
Changing passwords on a regular basis (e.g., every 30 days) is considered a good operational practice in general and an essential practice for web and system administrators. Incidents raise awareness of lax practices and create incentives to improve both security baselines and routine maintenance schedules, so take this opportunity to define a rigorous password security policy that not only enforces regular password changes, but minimum length (e.g., 8 characters) and complexity criteria (e.g., password must contain upper and lower case letters, numbers, and special characters). While you are focused on password management, make sure that all forms of remote authentication and logins are performed over encrypted connections.

Unless otherwise directed by a forensics team or law enforcement, change passwords immediately and then again once you believe you have completed remediation and have restored your site. This significantly reduces the risk an attacker will continue to use your account while you are attempting to remediate.

Follow-up
Organizations benefit from a post-mortem analysis of an incident. During this analysis, study the entire chronology of events leading to, during, and following the web site phishing attack.

1. What lessons have I learned?

During the follow-up process, ask, "What would I do differently next time?" and "What processes would I change now to avoid a similar situation in future?" as well as any similarly tough questions you need to answer.

Gather web site owners, operators, service providers, IT and IR teams to share information about the incident. Take time to familiarize all parties with the anatomy of the attack. Identify characteristics of the attack that might be useful in early detection of future, similar attacks. Identify software, configuration, and operational changes that are considered appropriate and necessary to prevent similar attacks in the future.

2. How can I do better?

Web sites are prime targets for phishers. Consider the following list of recommended practices for minimizing a web site's vulnerability to attack by phishers.

a) Server OS hardening. Hardening is a process of securing an operating system so that it is difficult to attack. Use commercial and open source vulnerability scanners and security baseline analysis tools to identify unnecessary services, accounts, and improper (exploitable) configuration settings. The Center for Internet Security offers analysis tools and security templates for commercial and open source operating systems commonly used for web server hosting.
b) Web application hardening. Web application hardening is a process of securing web server application software (Microsoft IIS, Apache, etc.), web applications and scripts, and dynamic content against attacks. Again, use commercial and open source web vulnerability scanners to identify improper configuration settings and exploitable content. Consider using a commercial or open source web application firewall such as ModSecurity to provide inline, real-time examination of incoming web traffic for attack patterns and anomalies.
c) Patch management. Maintain current patch levels on all operating systems and applications used for your web site.
d) Secure programming, safe scripting. Do not use executable programs without verifying the authenticity and trustworthiness of the developer and the integrity of the code itself. The Open Web Application Security Project (OWASP) is a useful source for learning about secure programming and safe scripting (for more information on OWASP, see the References section on page 17). Only use executable programs from trusted commercial vendors and trusted open source developers whose work products are typically MD5 hashed and digitally signed. Do not use even the most trivial scripts without reviewing the source: be certain you know exactly what the script does, and everything it does, before you employ it.
e) Compartmentalize. Running multiple application servers (DNS, mail, web, Active Directory) on a common server is a recipe for an incident. Operating database servers containing sensitive information and public servers on a common LAN segment is a companion recipe for an incident. Create security domains within your network and separate these with security systems (e.g., firewalls) so that successful attacks against one server or service can be contained.
f) Routine self-examination. Perform regular network, host, and web vulnerability and penetration tests. If possible, have an independent, experienced, and certified party perform a security or vulnerability assessment on systems that support your web site.
g) Implement best practices for ingress and egress firewall filtering. Restrict traffic flow at firewalls as tightly as practical. Only allow access to TCP or UDP ports where your authorized services are listening, and further restrict flows to the IP addresses of the systems on which you are hosting listening services. Restrict outbound traffic flows from servers as well. Where possible, only allow servers to establish outbound connections to authorized services on designated external hosts.
h) Logging, event reporting, log analysis, intrusion detection. Log traffic, OS, and web application events at the right level of detail, taking into consideration performance, cost and the utility of information collected. Collect log and event records at a secure log server. Regularly (and securely) archive log files and routinely analyze traffic and event logs for unusual or anomalous access and activities.
i) Proactive security measures. Complement aggressive logging and analysis with real-time network, host, and web intrusion detection systems.
j) Stay informed. Operating system and web application vulnerabilities are discovered and exploited on an almost daily basis. Subscribe to a vulnerability notification service offered by regional CERTs, SANS, SecurityFocus, and other security services organizations. (For more information, see the References section.)

Conclusions
Any security incident is disturbing. Web site phishing attacks can be frustrating, costly, and embarrassing experiences. The threat of these attacks can be greatly reduced by implementing appropriate security measures alone or with the assistance and cooperation of web hosting and Internet service providers. Equally important, the cost and embarrassment of an actual security incident can be greatly reduced by carefully planning for and implementing appropriate incident response procedures such as those described in this document.

References:

Anti-Phishing Working Group (APWG), http://www.apwg.org
Backtrack, http://www.remote-exploit.org/backtrack.html
CERT Cyber Security Alerts, http://www.uscert.gov/cas/signup.html
Center for Internet Security, http:///www.cis.org
Internet Crime Complaint Centre, http://www.ic3.gov
Microsoft Baseline Security Analyzer, http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Modsecurity, http://www.modsecurity.org/
MyNetwatchman SecCheck tool, http://mynetwatchman.com/tools/sc/
Open Source Tripwire, http://www.tripwire.org
PhishTank, http://www.phishtank.com/
Phishing Reporting Networks, http://www.phishreport.net
Robocopy, http://technet.microsoft.com/en-us/library/cc733145.aspx
SANS Consensus Security Alert, http://www.sans.org/newsletters/risk/
Secunia Personal Software Inspector (PSI), http://www.secunia.com/vulnerability_scanning/personal/
SecurityFocus Newsletter, http://www.securityfocus.com/newsletters
SourceForge (Open Source Repository), http://www.sourceforge.net
Open Web Application Security Project (OWASP), http://www.owasp.org/index.php/Main_Page
