
Phishing Attacks via Websites | NOC.org

How Phishing Pages End Up on Legitimate Websites

Phishing is the practice of creating fraudulent web pages that impersonate trusted brands to trick users into revealing sensitive information such as login credentials, credit card numbers, or personal data. While phishing is often associated with suspicious-looking domains, a significant portion of phishing content is hosted on compromised legitimate websites. Attackers target real websites because the existing domain reputation helps their phishing pages bypass email filters, browser warnings, and URL blocklists.

When an attacker compromises a website, they upload phishing kits, which are pre-built packages containing all the files needed to replicate a targeted brand's login page. These kits are placed in subdirectories that the site owner is unlikely to inspect, such as deep within uploads folders, cache directories, or randomly named paths. The legitimate site continues to function normally while the phishing pages operate silently alongside it.

Anatomy of a Website-Based Phishing Attack

Step 1: Compromise the Host Site

Attackers gain access to the target website through the same vectors used for other forms of website malware: vulnerable plugins and CMS components, FTP or admin credentials that were stolen or brute-forced, SQL injection, or insecure file upload forms. Automated tools scan millions of websites looking for known vulnerabilities, and compromised sites are added to lists that are sold or shared in underground forums.

Step 2: Deploy the Phishing Kit

A phishing kit is a ZIP archive containing HTML, CSS, JavaScript, and sometimes PHP files that replicate the appearance of a legitimate login page. Popular targets include Microsoft 365, Google Workspace, banking portals, PayPal, Apple ID, and social media platforms. The kits are often sophisticated, including responsive design, proper branding assets, and even form validation that mimics the real service.

Modern phishing kits frequently include advanced features:

  • Real-time credential forwarding: Stolen credentials are sent to the attacker via email, Telegram bot, or posted to an external server immediately upon submission.
  • Two-factor bypass: Some kits act as reverse proxies, relaying the victim's credentials to the real service in real time, capturing the 2FA token as the victim enters it, and using it before it expires.
  • Geofencing: The phishing page only displays for victims in targeted countries or regions, showing a 404 page to everyone else to avoid detection.
  • Bot detection: Anti-analysis features detect security scanners, headless browsers, and known IP ranges belonging to security companies, serving benign content instead.

Step 3: Distribute the Phishing URL

Once the phishing page is live on the compromised site, the attacker distributes the URL through mass email campaigns, SMS messages (smishing), social media posts, or messaging apps. The emails are crafted to create urgency, such as claiming the victim's account has been locked, a payment has failed, or suspicious activity has been detected. Because the URL points to a real domain with a valid SSL certificate, many victims and even some security tools fail to recognize it as malicious.

URL Masking Techniques

Attackers use various techniques to make phishing URLs appear legitimate:

  • Subdirectory hiding: Placing phishing files deep in nested directories, such as /wp-content/uploads/2024/01/images/secure/login/, makes the URL look like it belongs to the site's normal file structure.
  • URL shorteners: Services like Bitly or TinyURL hide the actual destination, and the short URL itself reveals nothing about the phishing page.
  • Open redirects: Exploiting redirect vulnerabilities on trusted domains (such as trustedsite.com/redirect?url=phishing-page) makes it appear the link goes to the trusted domain.
  • Homograph attacks: Using internationalized domain names (IDN) with characters that visually resemble Latin letters, such as using Cyrillic "a" in place of Latin "a", to register domains that look identical to legitimate ones.
  • Subdomain abuse: Creating subdomains like microsoft-login.compromisedsite.com to add apparent legitimacy.
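A defender-side check for the homograph and IDN abuse described above, added here as an example that is not part of the original article: it decodes punycode labels and flags labels that mix Unicode scripts or that fold to a watch-listed brand name. The confusable map and the brand list are constructed, partial assumptions, not the full Unicode confusables table.

```python
import unicodedata

# Cyrillic letters commonly substituted for visually identical Latin ones
# (a constructed subset of the Unicode confusables table, not the full list).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
               "х": "x", "у": "y", "і": "i", "ј": "j", "ӏ": "l"}
# Constructed watch-list of brand labels to compare against.
BRANDS = {"apple", "paypal", "microsoft", "google"}

def label_scripts(label):
    """Set of Unicode scripts used by the letters of one hostname label."""
    # Character names start with the script, e.g. "CYRILLIC SMALL LETTER A".
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold confusable Cyrillic letters to their Latin lookalikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def check_hostname(hostname):
    """Decode punycode labels and report homograph indicators per label."""
    try:
        decoded = hostname.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = hostname  # already Unicode (or not valid IDNA): inspect as-is
    findings = []
    for label in decoded.lower().split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        folded = skeleton(label)
        if folded != label and folded in BRANDS:
            findings.append((label, "lookalike of brand label '%s'" % folded))
    return decoded, findings

SAMPLE_HOSTS = [  # constructed
    "apple.com",         # genuine
    "xn--pple-43d.com",  # Cyrillic "а" followed by Latin "pple"
    "аррӏе.com",         # all Cyrillic, renders like apple.com
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        decoded, findings = check_hostname(host)
        print(host, "->", decoded, findings or "OK")
```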

Credential Harvesting

The core purpose of most phishing pages is credential harvesting. When a victim enters their username and password into the fake login form, the data is captured and sent to the attacker. The most common harvesting methods include:

  • PHP form handlers: A server-side script receives the POST data, logs it to a file or sends it via email, then redirects the victim to the real login page. The victim assumes they mistyped their password and logs in normally, never realizing their credentials were stolen.
  • JavaScript exfiltration: Client-side scripts capture form input on every keystroke and send it to an external server via AJAX requests or image pixel tracking, sometimes even before the form is submitted.
  • Man-in-the-middle proxying: Advanced kits like Evilginx and Modlishka operate as transparent proxies between the victim and the real service, capturing credentials and session tokens in real time. This defeats most forms of two-factor authentication.

Brand Abuse and Impact

The brands most frequently targeted by phishing attacks are those with large user bases and valuable accounts. Microsoft, Google, Facebook, Apple, and major banks consistently top the lists. For the compromised host site, the consequences are severe:

  • Blacklisting: Google Safe Browsing and other blacklist services will flag your domain, displaying warnings to all visitors, not just those accessing the phishing page.
  • Email deliverability: Your domain may be flagged as a phishing source, causing all emails from your domain to be blocked or sent to spam.
  • Legal liability: Hosting phishing content, even unknowingly, can expose you to legal action from the impersonated brands and affected users.
  • SEO damage: Search engines may penalize or deindex your site while it hosts malicious content.
  • Hosting suspension: Many hosting providers will suspend accounts found hosting phishing content, taking your entire site offline.

Detection Methods

Detecting phishing pages on your website requires proactive monitoring:

  • File integrity monitoring: Track all file changes on your server. New files appearing in unexpected locations, particularly HTML and PHP files in upload directories, are strong indicators of phishing kit deployment.
  • Google Search Console: The Security Issues report will flag detected phishing pages. Enable email alerts so you are notified immediately.
  • Web application firewall logs: A WAF can detect and block many of the exploitation techniques used to upload phishing kits. Reviewing WAF logs reveals attack attempts even when they are blocked.
  • External URL monitoring: Services that monitor phishing databases (PhishTank, OpenPhish, APWG) can alert you if your domain appears in reported phishing URLs.
  • Server log analysis: Look for unusual POST requests to paths you do not recognize, high volumes of traffic to deep subdirectories, and access patterns indicating automated phishing kit management.
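An added example (not from the original article or NOC's own tooling) of the server-log analysis described above: it parses combined-format access log lines, flags scripts or pages served from upload directories and POST requests to deep, unrecognised paths, and counts traffic per deep subdirectory. The directory list, the depth and volume thresholds, and the sample log lines are constructed assumptions to adjust for your own site.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed: these directories should only ever serve static media on this install.
UPLOAD_DIRS = ("/wp-content/uploads/", "/wp-content/cache/", "/uploads/")
EXEC_EXT = (".php", ".phtml", ".html", ".htm")
DEPTH_THRESHOLD = 5  # slashes in the path; deeper paths count as "unexpected locations"

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_request(entry):
    """Return a reason string if the request looks like phishing-kit activity."""
    path = entry["path"].split("?", 1)[0].lower()
    if path.startswith(UPLOAD_DIRS) and path.endswith(EXEC_EXT):
        return "script/page served from upload directory"
    if entry["method"] == "POST" and path.count("/") >= DEPTH_THRESHOLD:
        return "POST to deep, unrecognised path"
    return None

def analyse(lines, volume_threshold=3):
    """Flag individual requests and deep directories that receive many hits."""
    findings, dir_hits = [], Counter()
    for line in lines:
        e = parse(line)
        if not e:
            continue  # skip lines that do not match the expected format
        reason = suspicious_request(e)
        if reason:
            findings.append((e["ip"], e["method"], e["path"], reason))
        path = e["path"].split("?", 1)[0]
        if path.count("/") >= DEPTH_THRESHOLD:
            dir_hits[path.rsplit("/", 1)[0] + "/"] += 1
    hot_dirs = {d: n for d, n in dir_hits.items() if n >= volume_threshold}
    return findings, hot_dirs

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2024:10:02:11 +0000] "GET /wp-content/uploads/2024/01/images/secure/login/index.html HTTP/1.1" 200 3300',
    '198.51.100.7 - - [10/Jan/2024:10:02:40 +0000] "POST /wp-content/uploads/2024/01/images/secure/login/next.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Jan/2024:10:03:05 +0000] "GET /wp-content/uploads/2024/01/images/secure/login/index.html HTTP/1.1" 200 3300',
    '203.0.113.8 - - [10/Jan/2024:10:04:00 +0000] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 88000',
]
```

Feed `analyse()` the lines of your real access log: `findings` is the per-request signal and `hot_dirs` the high-volume deep-subdirectory signal the list above describes.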

Prevention

Preventing your site from being used as a phishing host follows the same principles as preventing any website compromise:

  • Keep all CMS software, plugins, and themes updated to patch known vulnerabilities.
  • Use strong, unique passwords and enforce two-factor authentication on all admin accounts.
  • Restrict file upload capabilities and disable PHP execution in upload directories.
  • Deploy a cloud-based WAF to block exploitation attempts before they reach your server.
  • Implement Content Security Policy (CSP) headers to limit what external resources your pages can load.
  • Monitor file changes and set up alerts for new files created in web-accessible directories.
  • Regularly scan your site with external security tools to catch infections early.

Summary

Phishing attacks hosted on compromised websites are a growing problem because they leverage the trust and reputation of legitimate domains. Attackers deploy sophisticated phishing kits that can bypass two-factor authentication, evade security scanners, and harvest credentials in real time. For site owners, the consequences of hosting phishing content include blacklisting, legal liability, and reputational damage. Proactive security measures, including regular software updates, strong authentication, file integrity monitoring, and a web application firewall, are essential to prevent your site from becoming a phishing platform.
