To view the full article on Troy Hunt's website, please click here
Here’s something I hear quite a bit when talking about security things:
Our site isn’t a target, it doesn’t have anything valuable on it
This is usually the retort that comes back in defence of some pretty shady practices, and in the mind of the defendant it's a perfectly reasonable position. They don't collect any credentials, they don't have any payment info and in many cases, the site is simply a static representation of content that rarely changes. So what upside is there for an attacker?
Reputation. More specifically, a non-negative reputation, because that's a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely this when it was discovered that spammers were hosting files on Equifax's website (every time we thought it couldn't get any worse…). This subheading within the piece describes precisely what the attraction is:
Spammers Crave Legitimate Domains
I’ll come back to illustrating the value proposition of this a little later on but for now, I want to share a collection of examples I’ve been saving over the last few months. What follows are all phishing emails which made their way through Microsoft’s Outlook.com filters and landed in my inbox. For example, this one suggesting that I needed to upgrade my account:
Looks legit, nice work on the “Microsof” spelling too guys! Ok, it actually looks terrible but the phishing page it then links to is pretty convincing:
Here's the real point of this post though: note the domain in the image above, then look at the actual legitimate website it sits within:
It's a normal, garden-variety website. Pretty rudimentary, running on WordPress and very possibly using any number of plugins which have had serious security risks in the past. It's the sort of site people think doesn't pose any upside to an attacker, yet here we are.
Another phish for Microsoft credentials which again, made it directly into my inbox was this one:
It displays many of the hallmarks of a phishing attack including establishing a sense of urgency, providing a call to action and attempting to create an air of authenticity. The text “This message is from a trusted sender” you see in the header is the name of the recipient and that same text in the body of the email is nothing more than stylised HTML.
It links through to a similarly convincing phishing page:
This page happily loaded through my ISP and through Chrome’s anti-phishing protection because the site was yet to be flagged as malicious. Once I stripped off the path, here’s what was on the site:
Nobody ever suspects daffodils! Chrome certainly didn't, but if you try going to that site now, you'll have a very different experience. Now I doubt the Daffodil Excursion website ever had much going on for it traffic-wise, but its value proposition was that it didn't have a negative reputation!
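The hallmarks described above (a display name written to look like a mail-client trust banner, urgency wording, a brand named in the body while the link points at an unrelated compromised domain) and the trick of stripping the path back to the site root are all mechanical enough to check for in triage. The following is an added example, not code from the original post: a small Python triage routine run over a constructed sample message. The sample email, the brand-to-domain table, the keyword lists and the hostnames in it are assumptions made for illustration only.

```python
"""Triage helper for the phishing hallmarks described in the post.

Added example, not from the original post. The sample message, the brand
table and every hostname in this file are constructed assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) modelled on the hallmarks the
# post describes: a "trust banner" as the display name, urgency wording, a
# brand named in the body, and a link into an unrelated WordPress site.
SAMPLE_EMAIL = """\
From: "This message is from a trusted sender" <billing@example.net>
To: recipient@example.org
Subject: Urgent: your Microsof account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your Microsoft account needs an upgrade. Action required: verify now.</p>
<p><a href="https://garden-variety-blog.example/wp-content/uploads/office365/index.php">Upgrade account</a></p>
</body></html>
"""

# Assumed brand -> legitimate domain table (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "outlook.com", "office.com"},
    "netflix": {"netflix.com"},
}
TRUST_BANNER_WORDS = ("trusted sender", "verified", "secure message")
URGENCY_TERMS = ("urgent", "suspended", "within 24 hours", "action required", "verify now")


def registrable_domain(host):
    """Naive last-two-label approximation; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def site_root(url):
    """Strip the path, as the post does, so the host can be reputation-checked on its own."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}/"


def triage(raw_message):
    """Return sender details, the hallmarks found, and the site roots worth checking."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(str(msg["From"]))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject']}\n{body}".lower()

    findings = []
    # 1. Display name crafted to read like a mail-client trust banner.
    if any(w in display_name.lower() for w in TRUST_BANNER_WORDS):
        findings.append("display_name_trust_banner")
    # 2. Urgency / call-to-action wording in subject or body.
    if any(t in text for t in URGENCY_TERMS):
        findings.append("urgency_language")
    # 3. A brand is named, but no link goes to a domain that brand owns.
    links = re.findall(r'href="([^"]+)"', body)
    hosts = {urlparse(u).hostname or "" for u in links}
    for brand, owned in BRAND_DOMAINS.items():
        if brand in text and hosts and not any(registrable_domain(h) in owned for h in hosts):
            findings.append(f"brand_link_mismatch:{brand}")
    return {
        "sender": sender,
        "display_name": display_name,
        "findings": findings,
        # Path stripped: these are the hosts to look up for reputation / takedown.
        "site_roots": sorted({site_root(u) for u in links}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The third check is the one that matters for this post: a legitimate-looking host with no negative reputation will sail past blocklist lookups, but it will still fail the question "does the brand named in this message actually own the domain being linked to?". The `site_roots` output is the path-stripped form the post uses to see what the compromised site really is.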
Another Microsoft phish came through which looked particularly convincing:
And once again, served up a pretty slick looking phishing page:
Which, per the theme of this post, is actually a perfectly legitimate website for a club in Northern Ireland:
For a change of pace from Microsoft phishes, a Netflix one came through:
This eventually bounced me over to this page:
You'll see this is on the domain awpaugp250.siterubix.com, which is now disabled and would originally have been provisioned as a site built on the SiteRubix service. That's not the interesting bit here; it's that the original email click went through to customers.easy.net.gr/xad/:
So, you see the pattern: domains with non-negative reputations are valuable. That's the attraction here, and it's just as attractive whether a site is collecting valuable user credentials or posting photos of daffodils! Every site has something valuable it needs to protect, and that's its reputation. Let that go, and the only thing you're left with is those last 4 screenshots above.
Credit: Troy Hunt