Sophos

27 April 2007 16:10 GMT

Hop, Hop, Phish

An increasing volume of web-based malware campaigns use compromised legitimate sites in their infection mechanisms. The technique is, of course, very common in phishing as well. As an example, one seen today uses two compromised sites.

Firstly, the fake login page is hosted on a compromised construction site based in the US. The hackers have simply dropped a single HTML file (postinfo.html) to that machine containing a simple redirect:


<meta http-equiv="refresh" content="0;url=http://(ip_address)/.www.keypointcu.com/">

The server redirected to is another legitimate box, this time in Chile! This has been compromised and is now serving up the fake login page used in the phishing attack.
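A defender-side check for this pattern, as an added example that is not part of the original post: it parses a page for meta refresh redirects and flags the traits seen here (zero delay, off-site target, bare IP host, a watched brand domain used as a path segment). The watch list, the address 192.0.2.10 and the host builder.example are assumptions made for the sample.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

REFRESH = re.compile(r"\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", re.I)
WATCHED = ("keypointcu.com",)  # assumed watch list of brand domains to protect
# Constructed sample: 192.0.2.10 (documentation range) replaces the redacted (ip_address).
SAMPLE = ('<html><head><meta http-equiv="refresh" '
          'content="0;url=http://192.0.2.10/.www.keypointcu.com/"></head></html>')

class MetaRefreshParser(HTMLParser):
    """Collect (delay_seconds, url) from each <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.refreshes = []
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        m = REFRESH.match(a.get("content", ""))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh" and m:
            self.refreshes.append((int(m.group(1)), m.group(2).strip()))

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def brands_in_path(path, watched=WATCHED):
    """Watched domains used as a path segment, e.g. '/.www.keypointcu.com/'."""
    segs = [s.lstrip(".").lower() for s in path.split("/") if s]
    return [d for d in watched if any(s == d or s.endswith("." + d) for s in segs)]

def assess_page(html, page_host):
    """List each meta refresh in a page served by page_host with why it is suspect."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for delay, url in parser.refreshes:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        checks = [(delay == 0, "zero-delay refresh"),
                  (bool(host) and host != page_host.lower(), "off-site target"),
                  (is_ip_literal(host), "IP-literal host")]
        reasons = [label for hit, label in checks if hit]
        # A brand name in the path only matters when the host is not that brand.
        reasons += ["brand in path: " + d for d in brands_in_path(parts.path)
                    if not (host == d or host.endswith("." + d))]
        findings.append({"url": url, "reasons": reasons})
    return findings
```

A same-site refresh with a non-zero delay yields an empty reasons list, so a scan of web roots can sort files by how many reasons each one collects.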

KeyPoint CU Phish

Fraser Howard, SophosLabs UK