
What to Do If Your Website Has Been Hacked by Phishers

An APWG Industry Advisory

Committed to Wiping Out Internet Scams and Fraud

January 2009
What to Do if Your Web Site
Has Been Hacked by Phishers

January 2009

OVERVIEW 3

WEB SITE PHISHING ATTACK SCENARIOS 4


IDENTIFICATION 6
REPORTING (NOTIFICATION) 8
CONTAINMENT 10
RECOVERY 13
FOLLOW-UP 15
CONCLUSIONS 17
REFERENCES 17

Correspondent Authors Contact Data:
Suzy Clarke, Suzy.Clarke@asb.co.nz
Dave Piscitello, dave.piscitello@icann.org

Disclaimer: PLEASE NOTE: The APWG and its cooperating investigators, researchers, and service
providers have provided this message as a public service, based upon aggregated professional
experience and personal opinion. These recommendations are not a complete list of steps that may
be taken to avoid harm from phishing. We offer no warranty as to the completeness, accuracy, or
pertinence of these recommendations with respect to any particular registrar's operation, or with
respect to any particular form of criminal attack. Please see the APWG website
http://www.apwg.org for more information. Institutional affiliations are provided for
identification purposes and do not necessarily represent institutional endorsement of or
responsibility for the opinions expressed herein.

An APWG Industry Advisory 2


http://www.apwg.org info@apwg.org
PMB 246, 405 Waltham Street, Lexington MA USA 02421
Contributing Researchers
Principal Investigators: Joe St Sauver, PhD, University of Oregon; Ryan Macfarlane, FBI;
Suzy Clarke, ASB Bank; Paul Laudanski, Microsoft; Paul Nankervis, National Australia Bank;
Dave Piscitello, ICANN; David Zamler, Federation of Security Professionals; Darren Bilby, Google

Overview

Some phishers use compromised computers to host malicious or illegal activities,
including identity theft and fraudulent financial activities, as well as collecting
personal information and business identities from their victims for future use.
Others attack or hack into and gain administrative control over the legitimate
web sites [1] of businesses and organizations of all sizes. Such hacked web sites
disguise the bad acts the phishers perform. More importantly, web site hackers are
fully aware that the web sites they hack and own are reputably legitimate. Law
enforcement and anti-phishing responders respect and operate under established
business, technical, and legal constraints when they seek to remedy or take down
hacked web sites. These measures protect legitimate web site operators but
unfortunately serve the attacker as well by extending the duration of the attack.

The Anti-Phishing Working Group (APWG) offers this document as a reference
guide for any web site owner or operator who suspects, discovers, or receives
notification that its web site is being used to host a phishing site. The document
explains important incident response measures to take in the areas of
identification, notification, containment, recovery, restoration, and follow-up when
an attack is suspected or confirmed.

This document serves as a guideline for web site owners. The list of responses
described here is not exhaustive. We provide a list of complementary resources to
help web site owners learn more about each recommended action. In several cases,
the document mentions software that a web site owner may find useful when
attempting to perform recommended actions. The software lists, too, are not
exhaustive. The examples provided in these lists are representative of a very broad
set of commercial and open source programming solutions. Web site owners are
encouraged to research and experiment with other software as well.

Many actions will require business, technical, and legal expertise that are beyond
the scope of this document. Web site owners are encouraged to discuss such
matters with experts in each of these disciplines.

[1] http://www.theregister.co.uk/2007/07/10/plug_and_play_phishing/


Web Site Phishing Attack Scenarios

A web site phishing attack often begins when a phisher breaks into or hacks a
reputably legitimate web site. By hacking a web site, we mean that the attacker
gains control of the computer (server) that hosts your web site and finds a way to
either add phishing pages to the web site, change the content of the web site, or
add software for execution or download to the web site.

An example of adding pages to the site is when the phisher gains control over a
legitimate web site like www.example.com and then adds an unauthorized page in
an obscure directory such as www.example.com/~sneaky/. The phishing email, the
lure that draws a victim to the phishing site, may use an image or hyperlink
to disguise the fact that when the victim attempts to visit a bank, an e-merchant, or
an organization's customer or Intranet portal, the victim is really visiting
www.example.com/~sneaky/stealyourID.html. Attackers may take great pains to
make the unauthorized page (stealyourID.html) appear identical to the
impersonated web page. This deception is intentional and is designed to trick
users into entering sensitive information such as user accounts, passwords, credit
card numbers, or other personal information.

The following sequence illustrates a representative hacked web site response
scenario.

1. A third party notifies either the web site operator or domain owner that its
web site is compromised. Together, the parties attempt to verify the third party's
authenticity while they investigate the claim.

Alternatively, the web site owner or operator may suspect or discover the
web site phishing attack through self-examination or web site intrusion
monitoring. In this case, the owner or operator initiates whatever containment
actions they determine to be appropriate and proceeds to step (3). (See the
section entitled Containment for additional information.)

2. The web site owner reports the incident. The APWG strongly encourages
web site owners to report the phishing URL to the APWG via email at
reportphishing@antiphishing.org. (See the section entitled Reporting for
additional information.)

3. If both the third party and the claim are legitimate, the web site owner
authorizes containment and the web site operator initiates whatever
containment actions the parties have determined to be appropriate. (See the
section entitled Containment for additional information.)

4. The web site owner and operator initiate recovery actions. Here, both parties
assess the damage to identify what data and services must be recovered. The
timeline assists parties in determining whether data recovery is required and
whether there is any accurate data available for recovery. (See the section
entitled Recovery for additional information.)

5. The web site owner and operator initiate restoration actions. Here, efforts
focus on returning the web site to full, uncompromised, normal activity.
(See the section entitled Restoration for additional information.)

6. The web site owner and operator revisit the incident to study how and why
the incident occurred to determine what additional measures might be taken
to reduce the possibility of future, similar incidents. (See the section entitled
Follow-Up for additional information.)

Note: (2) and (3) may occur in reverse order, depending on the organization's
preparedness and how it is structured. Some organizations empower web site
operators to contain without prior approval while others do not.

Many organizations outsource web site hosting to service providers. Third-party
web hosting providers should have their own procedures for dealing with
phishing sites hosted on their servers. Ask your hosting provider to discuss these
procedures with you before an event occurs. All web site owners should also make
certain that the web site hosting provider is contractually obligated to notify them
in the event of a hacked web site incident, and both parties should agree on a
common set and order of response actions in advance. If your web site hosting
provider indicates it does not have procedures in place to deal with web site
phishing attacks, please refer them to this document.


Identification

Stealth, evasion, and covert operation aptly describe how phishers and other
attackers compromise and remotely operate systems that host web sites.

1. How can I know if our web site has been attacked?

The most common form of identification (notice) includes Third Party
Notifications. You may receive a notice by phone or email from an individual or
organization that claims knowledge of an attack. Obtain as much information from
the third party as possible, including:

a) The person's name
b) Name of their organization
c) Return contact information (phone, email, postal address, organization's web
site)
d) Web page(s), including the URL (link) the party alleges to be a phish web site
e) Nature of attack (attempt to steal personal information, to complete a bogus
credit card transaction, to obtain user account credentials, etc.)
f) A description of any malicious content that appears to be downloadable from
your web site (e.g., spyware)

Use this information to report the incident in accordance with a predetermined
incident reporting and response plan. (See the section entitled Reporting for
additional information).

2. Can I trust third party notifications?

No, the claim may not be accurate. While a notice from a third party who suggests
that your web site has been hacked is unsettling, remain calm. Be suspicious if the
party refuses to provide the above-mentioned information to you. Do not be
frightened, coerced, or otherwise socially engineered into taking any action the
party recommends before you investigate the claim. Attempt to corroborate all
contact information quickly and before you escalate the claim through an incident
response process. Forward any court order, criminal complaint or subpoena to
your own legal counsel for review.


3. How can I identify web site phishing attacks?

Organizations that proactively monitor their web sites can (and do) discover web
site phishing attacks. Here are some examples of how various proactive
monitoring can help you identify attacks:

a) Traffic monitoring. Your web site developers or your information technology
(IT) staff may notice unusual access to your web site, unusual traffic volume
directed at your web site, or unusual traffic emanating from your web server,
or an unusual number of requests for nonexistent URLs. For example, a web
server devoted solely to hosting web pages that begins to transmit thousands of
email messages per second merits investigation.
b) File system inspection. Through routine inspection, your authorized staff
may identify suspicious files, directories, or executable programs; again,
imagine if your staff discovers a database of credit card information on your
web server and none of the customers are yours.
c) Web server configuration inspection. Through routine inspection, your
authorized staff can detect unauthorized or unintended changes in web
server or operating system configurations; for example, imagine if your staff
discovers that your dedicated web server is hosting Internet Relay Chat (IRC)
sessions.

Event logging and reporting systems are extremely important sources for
identifying web site attacks. Take advantage of firewall, web server, server
operating system, and server application logs. These often contain information that
allows daily operations staff or incident response (IR) teams to determine how a
phisher gained unauthorized access to your systems.

Attackers are fully aware of the forensic value of event logs, so it is important that
you take measures to protect your log collection and reporting system from attack.
Establish a secure archival and retrieval process for event logs. In addition, make
copies of logs from before, during, and after an incident. These may prove
invaluable at a later time, for example during subsequent investigations into the
incident. Larger organizations may wish to consider a centralized (networked)
logging system too. Centrally maintained logging may be less vulnerable to
destruction or manipulation by attackers than on-system logs. (See the section
entitled Follow-Up for additional discussion.)


Record the web page(s) or suspicious activity or configuration and report the
incident in accordance with a predetermined incident reporting and response plan.
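Two of the traffic-monitoring symptoms above, an unusual number of requests for nonexistent URLs and content being served from a directory you never published (such as /~sneaky/), can be checked mechanically against the web server's access log. The following is an added example, not code from the APWG advisory: it parses Apache/nginx combined-format log lines and reports both; SAMPLE_LOG and PUBLISHED_DIRS are constructed for illustration.

```python
"""Triage a web server access log for two symptoms named in the Identification
section: hosts generating an unusual number of requests for nonexistent URLs
(HTTP 404) and content being served from a top-level directory that was never
published (for example /~sneaky/). Added example; SAMPLE_LOG and PUBLISHED_DIRS
are constructed for illustration and do not come from a real site."""
import re
from collections import defaultdict

# Apache/nginx "combined" format:
# host ident user [time] "METHOD path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Top-level directories the site owner knows they publish (constructed).
PUBLISHED_DIRS = {"/", "/images/", "/products/"}

# Constructed log excerpt: normal visitors, two victims lured to an
# unauthorized directory, and one host probing for pages that do not exist.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2009:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2009:10:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2009:10:02:00 +0000] "GET /~sneaky/stealyourID.html HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Jan/2009:10:02:10 +0000] "POST /~sneaky/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Jan/2009:10:03:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "probe/1.0"
192.0.2.44 - - [12/Jan/2009:10:03:01 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "probe/1.0"
192.0.2.44 - - [12/Jan/2009:10:03:02 +0000] "GET /test.php HTTP/1.1" 404 210 "-" "probe/1.0"
192.0.2.44 - - [12/Jan/2009:10:03:03 +0000] "GET /cgi-bin/env HTTP/1.1" 404 210 "-" "probe/1.0"
192.0.2.44 - - [12/Jan/2009:10:03:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "probe/1.0"
"""


def parse_line(line):
    """Return a dict with host, time, method, path, status, size; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def top_directory(path):
    """'/~sneaky/stealyourID.html' -> '/~sneaky/'; '/index.html' -> '/'."""
    parts = path.split("/")
    return "/" if len(parts) < 3 else "/" + parts[1] + "/"


def triage(lines, published_dirs, min_requests=5, max_404_ratio=0.5):
    """Return (noisy_hosts, unknown_dir_hits).

    noisy_hosts: hosts with at least min_requests requests, more than
        max_404_ratio of which were 404s (someone probing for content).
    unknown_dir_hits: (host, path, status) for requests answered 2xx/3xx
        from a top-level directory not in published_dirs, i.e. the server
        is serving content the owner did not put there.
    """
    total = defaultdict(int)
    notfound = defaultdict(int)
    unknown_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total[rec["host"]] += 1
        if rec["status"] == 404:
            notfound[rec["host"]] += 1
        if rec["status"] < 400 and top_directory(rec["path"]) not in published_dirs:
            unknown_hits.append((rec["host"], rec["path"], rec["status"]))
    noisy = sorted(
        h for h, n in total.items()
        if n >= min_requests and notfound[h] / n > max_404_ratio
    )
    return noisy, unknown_hits


def triage_sample():
    """Run the triage over the constructed excerpt."""
    return triage(SAMPLE_LOG.splitlines(), PUBLISHED_DIRS)


if __name__ == "__main__":
    noisy, hits = triage_sample()
    print("hosts probing for nonexistent URLs:", noisy)
    for host, path, status in hits:
        print("served from unpublished directory:", host, path, status)
```

On a real server the same functions can be pointed at the rotated access logs, with published_dirs generated from the content you archived outside the web root.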

4. Can security assessments help identify web site phishing attacks?

Yes. Your organization or your web site hosting provider should consider routine
examinations or scans of web servers for suspicious or known malicious
programs, improperly patched components, and configurations that do not comply
with applicable security (or regulatory) policies. Your staff can perform a security
assessment using a web application vulnerability scanner. Free and open source
examples of such tools include Backtrack, HackerGuardian, Nessus, Nikto, and
Sandcat (Note: a search engine query for web application scanners will yield
multiple trusted download sites for these and similar applications). Security
consultants and auditors can perform more exhaustive assessments and can be
contracted to do so on a recurring basis. Your staff can improve anti-hacking and
secure web application design and programming by regularly performing scans.

A careful security assessment should compare the content on your web server
against known-to-be-correct versions, the content you intended to host. Eyeballing
files or comparing file sizes is not sufficient: use checksums generated by applications
such as Open Source Tripwire to assure that files are identical. When you perform
such assessments, generate a detailed report that can be used in accordance with a
predetermined incident reporting and response plan.

Once you suspect, have discovered, or been notified that your web site is hosting a
phishing site, report the incident in accordance with a predetermined incident
reporting and response plan.

Reporting (Notification)

1. Should I report the incident?

The exact reporting procedure and the parties to whom a phishing web site
incident are disclosed may be influenced by business, regulatory, and legal
responsibilities. As part of an overall security strategy, organizations that operate
public-facing web sites (in particular, those that collect personal, financial, and
other sensitive information) should consult with executives, communications
personnel (e.g., public relations departments), and legal counsel to ask that they
provide input to the incident reporting procedures that specifically address web
site attacks.

2. To whom should I report it?

As you prepare your reporting procedures, consider when and how to report your
incident to:

a) Anti-phishing networks
b) Anti-virus and anti-malware organizations
(in cases where you discover malicious executables or scripts)
c) CERT organizations
d) Common Vulnerability and Exploit (CVE) disclosure list administrators (in
cases where you discover a vulnerability or bug in commercial software)
e) Customers
f) Law enforcement, e.g., through the Internet Crime Complaint Center [2]
g) Regulatory compliance agencies
h) Software developers
(in cases where you discover bugs in custom application software or
webware developed exclusively for your organization)
i) Any individual or organization directly affected by the phishing attack, even
if they do not fit into one of the other categories listed above.
j) The general public

Some of these notifications will not always be applicable or appropriate for a
particular incident. If your web site belongs to a corporation, a not-for-profit
organization, a government agency, or any organization that must satisfy
regulatory compliance criteria, you should report a web site phishing attack that
results in a material breach to executive management or in-house legal counsel.
Evidence of a web server breach that has data breach implications in the context of
health care, privacy, or financial reporting regulations may instigate a full review
of the compromised system to determine the extent of compromise and also to
determine what, if any, compliance violations may have contributed to or resulted
from the incident.

Management and legal counsel are best suited to prepare and coordinate external
reporting and notification to response teams, CERTs, regulatory agencies, and law
enforcement. Communications departments should be consulted prior to contacting
customers, the press, and general public. They have the training, skills, and
relationships needed to effectively communicate information pertaining to an
incident, and experience managing reactions to what may be alarming news.

[2] The Internet Crime Complaint Center (IC3, http://www.ic3.gov) provides a central
referring mechanism for cyber criminal complaints. IC3 accepts complaints from
Internet users and refers them to appropriate (local, state, federal and international)
law enforcement and regulatory agencies.

Having well-documented incident reporting procedures in place typically assures
that everyone in the organization understands her role in the reporting process. It
minimizes confusion, delays, and errors in responding to an incident; limits worry
over embarrassment and tarnish to brand; and it expedites containment, recovery,
and restoration.

Incident reporting procedures may require that you contact your IT support, web
hosting provider, and ISP so that all parties who participate in providing or
supporting your public web presence are engaged in the response. Each party may
have specific actions they need and expect you to take in addition to those outlined
in this guide. Be prepared to provide all relevant information, such as logs from
your web server, firewall, and operating system, as well as copies of the
unauthorized content, dates, and times that you were made aware of the issue
(also known as an incident timeline). Keep a record of what information you
provided, and to whom.

These administrative actions help inform the appropriate people about the
incident so that you can ensure a more unified response.

APWG encourages you to report the phishing site URL to the APWG via the email
address reportphishing@antiphishing.org. Reporting to this address will cause
most anti-phishing organizations to receive a notification of the phishing web site.
Security products, e.g., anti-phishing toolbars, will be updated with the offending
URL, thus offering protection to thousands, if not millions of potential victims.

If you're unsure about whom you should report the incident to, seek advice from
in-house or external legal counsel or professional incident response organizations.

Containment

Consider the following issues if you have the necessary level of (administrative)
access to your web site. If you outsource web hosting, discuss containment
measures in advance with your web site hosting provider to assure that you and
your provider have the same response strategy, or you may waste time responding
on the fly that might otherwise be spent minimizing damage and loss.


1. Should I make a copy of the unauthorized content?

Generally, yes. Save a copy of the phishing site pages and any unauthorized
content, scripts, or executable programs you discover during your analysis. These
will help web site operators, system administrators, and/or an IR team to verify
that the content change was unauthorized, intentional, and malicious. They may
also help to determine which vulnerability let the phishers alter your web site. You
may wish to copy the unauthorized content as soon as you isolate and discover
each page, executable program, etc.

If you or your hosting provider cannot obtain a disk copy of the system involved
in the phishing, consider creating a logical copy, i.e., copy the files and preserve the
folder structure. When creating a logical copy of files from the compromised
computers, use tools such as Robocopy or the Unix cp command.

Please note that certain content, in particular content such as child
pornography, poses serious legal implications if placed in the possession of
persons who are not law enforcement agents or are not acting on behalf (and with
full knowledge) of law enforcement. If you find any indication that illegal content
is present on your system, do not make copies! Stop all investigative activities,
contact the appropriate law enforcement in your jurisdiction, and follow their
instructions regarding how to proceed.

2. Should I take my site offline (temporarily)?

You must decide in advance whether it's appropriate to suspend service to your
web site for a short period of time while you attempt to investigate the attack.
Make this decision as part of defining your overall incident response handling
strategy. This strategy prevents additional visitors from falling victim to the
phishing scam and also prevents the phisher/attacker from remotely controlling
your web site. Consult with IT and IR teams to determine ways to shut down your
site without the risk of losing traces of the phisher's activities, and consult with
law enforcement and applicable regulatory compliance experts to understand the
implications of temporary site suspension.

You may be advised or choose to leave the site online long enough to provide
incident response teams and law enforcement with an opportunity to monitor the
phisher's activities. If you choose to stay online, ask your IR team or law
enforcement whether you should change administrator and user passwords
immediately. Some investigators may want to continue to monitor an attacker's
use of a compromised account. Discuss with your IR team whether the phisher
appears sophisticated enough to have installed a program that will attempt to
delete all evidence of his activities upon detection of loss of access.

3. Should I disable the unauthorized content?

If you do choose to keep your web site running, remove or disable access to the
unauthorized web pages of the phishing site. Make copies of, remove and submit
any malicious content to an anti-virus or anti-spyware vendor. Redirect any visitors
attempting to visit a phished page to a web page you have prepared that explains
they have been tricked by a phishing email and that you have removed the page
they were lured into visiting. The APWG provides a standard "you've been
phished!" redirection page and instructions for its use at
http://education.apwg.org/r/about.html. This strategy will prevent further use of
the phishing site, keep your customers informed, keep your web site online for real-
time analysis, and afford you additional time to perform containment actions.

4. Are there right and wrong ways to make copies of content?

How you make copies matters. File system based copies (e.g., copying files from
the compromised system to removable media or to a network file share) do not
have the forensic and evidentiary value of a full (sector-by-sector) disk or partition
copy. The Unix dd and WinDD utilities, NFGDump, and SelfImage are examples
of utilities you can use to create clone images of the entire hard disk and
partition where you discovered the phisher's unauthorized content. It is often
useful (or necessary) to copy content from the compromised system using a
bootable rescue CD (also called a LiveCD). Programs such as the Trinity Rescue Kit,
Knoppix, Helix from www.efense.com or SLAX are examples of such utilities.
These and other useful forensic software tools are freely available under the GNU
GPL or similar open source licenses (a search engine query will yield multiple
download sites for these applications; please exercise care and verify both the tool
and its origin).

Save copies of your web site and all event logs that may be useful for incident
analysis offline, e.g., on a DVD, CD, or on increasingly affordable portable hard
drive devices. Include (digitally signed) checksums or hashes of your web pages
on this DVD/CD so that it is easy to distinguish your intended and authentic
content from unauthorized substitutions and additional content. Many hash
generator programs and file system anti-tampering software are available for this
purpose. Consider creating images of compromised web server operating system
and application partitions for forensic analysis and follow-up.
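The checksum comparison recommended under security assessments in the Identification section and the signed checksums called for above are, as an added example that is not the advisory's or Tripwire's code, worked through below: it builds a SHA-256 manifest of the web root, seals the manifest with HMAC-SHA256 (a keyed stand-in for the digital signature the advisory recommends; the key and the sample site are constructed), and diffs the live tree against the baseline so added, modified and removed files are reported separately.

```python
"""Content integrity manifest for a web root. Added example; HMAC-SHA256 stands
in for a digital signature, and the demo key and site are constructed. The key
must be stored somewhere the web server (and therefore a phisher who owns it)
cannot read, e.g. with the offline DVD/CD copy."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def seal_manifest(manifest, key):
    """Serialise the manifest and append an HMAC tag. A phisher who edits the
    pages and then edits the manifest to match cannot forge the tag."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def open_manifest(sealed, key):
    """Verify the tag and return the manifest; raise ValueError if it fails."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("manifest authentication failed: do not trust it")
    return json.loads(body)


def compare(baseline, current):
    """Diff two manifests: unauthorized additions, altered pages, deletions."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: publish a small site, seal its manifest, then
    simulate the phisher's changes and diff. Returns the compare() result."""
    key = b"constructed-demo-key-real-keys-live-off-the-server"
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)

        write("index.html", "<h1>Example Corp</h1>")
        write("images/logo.png", "png-bytes-placeholder")
        write("contact.html", "<p>Call us</p>")
        sealed = seal_manifest(build_manifest(root), key)  # kept offline

        # Later: an unauthorized page appears, the front page is altered,
        # and a legitimate page is deleted.
        write("~sneaky/stealyourID.html", "<form>...</form>")
        write("index.html", "<h1>Example Corp</h1><script src='x.js'></script>")
        os.remove(os.path.join(root, "contact.html"))

        baseline = open_manifest(sealed, key)  # raises if the manifest was tampered
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```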

Recovery

Recovery can be a slow and costly process if you have not prepared properly in
advance. Don't wait for an incident to archive your authentic content. Routinely
save and archive copies of your web site and logs to a location outside of the web
root. Save all configuration files and maintain a careful record of configuration
updates. If possible, burn all this data along with a copy of your web site to a DVD,
CD, or copy to a portable hard drive device or backup system.

Consider routinely creating an exact copy of your web site for backup purposes. In
addition to archiving your content, create images of web server operating systems
and application partitions as well. These can be especially helpful in restoring
systems to a previous, known security profile; for restoring security configuration
files; and for restoring operating systems to a known patch level and known set of
tested and approved patches and hotfixes.

Periodically or routinely restore files from archived media to make certain that
your backup procedures, media, and devices are in working order and that the
backups you make do indeed restore your web site to the state you intended when
designing the procedure. The restore operations described below are best
performed offline, using local administration on a secured network (e.g., from
behind a firewall).

1. Should I restore from backup or rebuild from scratch?

The only way to ensure that your servers are clean is to rebuild from original
install media or to do an OS restore from known good backups in offline mode, as
recommended above. (If you cannot rebuild or restore offline, do so online but
behind a firewall). Prior to restoring from a backup or rebuilding, you must
determine when and how the web site was compromised. Knowing when the
compromise occurred is critical because this identifies the last known good backup
of your content and other recovery images. When also establishes a point in time
after which all archives of your web site must be treated as suspect. These may be
relevant to any forensic investigation you conduct for this incident.

Determining how your systems were compromised before you rebuild or restore is
critically important. The phisher discovered a vulnerability (a configuration error
or software bug) and exploited this to obtain administrative access to the
system(s) that host your web site. If you do not correct this vulnerability, the
phisher or another attacker will invariably exploit it again.

2. When should I update my software and check my configuration?

When you restore, you return your web site to a known good state, but you are
also going back in time. It is possible that patches, security updates, and
configuration changes were introduced during the interim between the current
date and the date of your restore images. If you are rebuilding from original
media (e.g., Windows 2003 Server, OpenBSD, or Linux installation CDs) it is
even more likely that your installation media are missing critical updates that were
released after you obtained the media. Before you return your web site to a
production environment, update all of your software to the latest versions and
install all relevant patches and hotfixes. This includes patching operating systems,
third-party, and custom applications that you may have installed on your systems.

It is extremely important that you verify that your web server OS and applications
are configured properly. During the restore process, you may install a default
configuration (common when you rebuild from scratch) or a configuration that
you had modified subsequent to the date of your restore images. Perform a
security assessment to verify that the restored system is configured correctly (and
securely) before you return the web site to a production environment.

3. Should I change all my passwords?

When you are confident that you have restored your web site to an authentic and
normal operating state, that you have installed all necessary software patches and
hotfixes, and after you have taken measures to mitigate the vulnerabilities the
phisher exploited, change all the passwords used to access accounts on the hitherto
compromised system(s). The phishers may know the current passwords. It is
important to acknowledge that even competent users and administrators use the
same password on multiple systems (some business, some personal, and some
public!), so consider whether it is appropriate to perform an extensive password
reset procedure. Some organizations may also want to consider the merit of
implementing multi-factor authentication, e.g., a hardware cryptographic token, to
make login processes more secure.

Changing passwords on a regular basis (e.g., every 30 days) is considered a good
operational practice in general and an essential practice for web and system
administrators. Incidents raise awareness of lax practices and create incentives to
improve both security baselines and routine maintenance schedules, so take this
opportunity to define a rigorous password security policy that not only enforces regular
password changes, but minimum length (e.g., 8 characters) and complexity criteria (e.g.,
password must contain upper and lower case letters, numbers, and special characters).
While you are focused on password management, make sure that all forms of remote
authentication and logins are performed over encrypted connections.

Unless otherwise directed by a forensics team or law enforcement, change
passwords immediately and then again once you believe you have completed
remediation and have restored your site. This significantly reduces the risk
an attacker will continue to use your account while you are attempting to
remediate.

Follow-up

Organizations benefit from a post-mortem analysis of an incident. During this
analysis, study the entire chronology of events leading to, during, and following
the web site phishing attack.

1. What lessons have I learned?

During the follow-up process, ask, "What would I do differently next time?" and
"What processes would I change now to avoid a similar situation in future?" as
well as any similarly tough questions you need to answer.

Gather web site owners, operators, service providers, IT and IR teams to share
information about the incident. Take time to familiarize all parties with the
anatomy of the attack. Identify characteristics of the attack that might be useful in
early detection of future, similar attacks. Identify software, configuration, and
operational changes that are considered appropriate and necessary to prevent
similar attacks in the future.

2. How can I do better?

Web sites are prime targets for phishers. Consider the following list of
recommended practices for minimizing a web site's vulnerability to attack by
phishers.

a) Server OS hardening. Hardening is a process of securing an operating
system so that it is difficult to attack. Use commercial and open source
vulnerability scanners and security baseline analysis tools to identify
unnecessary services, accounts, and improper (exploitable) configuration
settings. The Center for Internet Security offers analysis tools and security
templates for commercial and open source operating systems commonly used
for web server hosting.
b) Web application hardening. Web application hardening is a process of
securing web server application software (Microsoft IIS, Apache, etc.), web
applications and scripts, and dynamic content against attacks. Again, use
commercial and open source web vulnerability scanners to identify improper
configuration settings and exploitable content. Consider using a commercial or
open source web application firewall such as ModSecurity to provide inline, real-
time examination of incoming web traffic for attack patterns and anomalies.
c) Patch management. Maintain current patch levels on all operating systems
and applications used for your web site.
d) Secure programming, safe scripting. Do not use executable programs
without verifying the authenticity and trustworthiness of the developer and
the integrity of the code itself. The Open Web Application Security Project
(OWASP) is a useful source for learning about secure programming and safe
scripting (for more information on OWASP, see the References section on page
17). Only use executable programs from trusted commercial vendors and
trusted open source developers whose work products are typically MD5
hashed and digitally signed. Do not use even the most trivial scripts without
reviewing the source: be certain you know exactly what the script does, and
everything it does, before you employ it.
e) Compartmentalize. Running multiple application servers (DNS, mail, web,
Active Directory) on a common server is a recipe for an incident. Operating
database servers containing sensitive information and public servers on a
common LAN segment is a companion recipe for an incident. Create security
domains within your network and separate these with security systems (e.g.,
firewalls) so that successful attacks against one server or service can be
contained.
f) Routine self-examination. Perform regular network, host, and web
vulnerability and penetration tests. If possible, have an independent,
experienced, and certified party perform a security or vulnerability
assessment on systems that support your web site.
g) Implement best practices for ingress and egress firewall filtering. Restrict
traffic flow at firewalls as tightly as practical. Only allow access to TCP or
UDP ports where your authorized services are listening, and further restrict
flows to the IP addresses of the systems on which you are hosting listening
services. Restrict outbound traffic flows from servers as well. Where possible,
only allow servers to establish outbound connections to authorized services
on designated external hosts.
h) Logging, event reporting, log analysis, intrusion detection. Log traffic, OS,
and web application events at the right level of detail, taking into
consideration performance, cost and the utility of information collected.
Collect log and event records at a secure log server. Regularly (and securely)
archive log files and routinely analyze traffic and event logs for unusual or
anomalous access and activities.
i) Proactive security measures. Complement aggressive logging and analysis
with real-time network, host, and web intrusion detection systems.
j) Stay informed. Operating system and web application vulnerabilities are
discovered and exploited on an almost daily basis. Subscribe to a
vulnerability notification service offered by regional CERTs, SANS,
SecurityFocus, and other security services organizations. (For more
information, see the References section).

Conclusions

Any security incident is disturbing. Web site phishing attacks can be frustrating,
costly, and embarrassing experiences. The threat of these attacks can be greatly
reduced by implementing appropriate security measures alone or with the
assistance and cooperation of web hosting and Internet service providers. Equally
important, the cost and embarrassment of an actual security incident can be
greatly reduced by carefully planning for and implementing appropriate incident
response procedures such as those described in this document.

References:
Anti-Phishing Working Group (APWG), http://www.apwg.org
Backtrack, http://www.remote-exploit.org/backtrack.html
CERT Cyber Security Alerts, http://www.uscert.gov/cas/signup.html
Center for Internet Security, http://www.cis.org
Internet Crime Complaint Centre, http://www.ic3.gov
Microsoft Baseline Security Analyzer,
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
ModSecurity, http://www.modsecurity.org/
MyNetwatchman SecCheck tool, http://mynetwatchman.com/tools/sc/
Open Source Tripwire, http://www.tripwire.org
PhishTank, http://www.phishtank.com/
Phishing Reporting Networks, http://www.phishreport.net
Robocopy, http://technet.microsoft.com/en-us/library/cc733145.aspx
SANS Consensus Security Alert, http://www.sans.org/newsletters/risk/
Secunia Personal Software Inspector (PSI),
http://www.secunia.com/vulnerability_scanning/personal/
SecurityFocus Newsletter, http://www.securityfocus.com/newsletters
SourceForge (Open Source Repository), http://www.sourceforge.net
Open Web Application Security Project (OWASP),
http://www.owasp.org/index.php/Main_Page
