Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing

  • Tyler Moore
  • Richard Clayton
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5628)


Attackers compromise web servers in order to host fraudulent content, such as malware and phishing websites. While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal. In this paper, we study the use of search engines to locate potentially vulnerable hosts. We present empirical evidence from the logs of websites used for phishing to demonstrate attackers’ widespread use of search terms which seek out susceptible web servers. We establish that at least 18% of website compromises are triggered by these searches. Many websites are repeatedly compromised whenever the root cause of the vulnerability is not addressed. We find that 19% of phishing websites are recompromised within six months, and the rate of recompromise is much higher if they have been identified through web search. By contrast, other public sources of information about phishing websites are not currently raising recompromise rates; we find that phishing websites placed onto a public blacklist are recompromised no more frequently than websites only known within closed communities.


Search Engine, Vulnerable Host, Internet Host, 17th USENIX Security Symposium, SIGCSE Technical Symposium
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Tyler Moore (1)
  • Richard Clayton (2)
  1. Center for Research on Computation and Society, Harvard University, USA
  2. Computer Laboratory, University of Cambridge, UK
