Identifying vulnerable websites by analysis of common strings in phishing URLs

It has been shown that most phishing sites are created by means of a vulnerable Web server being re-purposed by a phisher to host a counterfeit Website without the knowledge of the server´s owner. In this paper, we examine common vulnerabilities which allow these phishing sites to be created and suggest a method for identifying common attack methods, as well as, help inform Webmasters and their hosting companies in ways that help them to defend their servers. Our method involves applying a longest common substring algorithm to known phishing URLs, and investigating the results of that string to identify common vulnerabilities, exploits, and attack tools which may be prevalent among those who hack servers for phishing. Following a case study approach, we then select four prevalent attacks that are suggested by our methodology, and use our findings to identify the underlying vulnerability, and document statistics showing that these vulnerabilities are responsible for the creation of phishing Websites. Digging further, we identify attack tools created to exploit these vulnerabilities and how they are detected by current intrusion detection signatures. We suggest a means by which this work could be integrated with intrusion detection systems to allow Webmasters or hosting providers to reduce their vulnerability to hosting phishing Websites.