It’s a great convenience for Web designers to be able to test pages through a temporary URL before they go live. However, researchers at Sucuri Inc. warn that if the organization’s hosting provider doesn’t configure those temporary URLs properly, they become a vulnerability phishers can exploit.
As a blog post published earlier this month by Sucuri Inc.’s Denis Sinegubko points out, security vendors blacklist problem URLs as soon as they find them, so the people behind phishing attacks have to purchase many domains (or compromise many websites) in order to keep pointing their phishing URLs at new domains.
What some are now doing is taking advantage of loose security practices at hosting providers.
Hosting providers often give subscribers a special URL for testing a site before pointing their domain at the new server. The temporary URL looks like this: http://server-name/~username/, where server-name is the web host’s own domain name or the server’s IP address, and username is the name of the user’s account. “But some hosting providers (including some really big ones) don’t configure these temporary URLs properly,” writes Sinegubko. “Instead of making them work only if you use a special server’s domain name or a naked IP address, some hosting providers allow the use of ANY domain name that resolves to the server’s IP address.”
Attackers can register (or hack) a cheap account on a shared server, place malicious files in various subdirectories of the account, and compile a list of third-party sites hosted on the same server, which could run to hundreds of domains, every one of which will serve their files for free. They can change domains frequently without disclosing the real location of the malicious files, and without having to move the files anywhere when a domain gets blacklisted.
Sinegubko urges administrators to check whether their site is on a shared server. If so, learn the provider’s format for temporary URLs and check whether you can open your site using your own domain name, e.g. http://your-site-domain.com/~yourusername/. On some servers you might also need to specify the site folder if you have several sites under the same account, such as http://your-site-domain.com/~yourusername/your-site-directory/.
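The check described above can be scripted so it is repeated whenever a site moves hosts. The following is an added example written for this article, not code from Sucuri or from the article itself. It assumes the provider’s temporary-URL format is http://host/~username/ (optionally followed by a site directory), fetches that path on your own domain, and also fetches the same path with a randomly generated account name: if your real account answers but a bogus one returns 404, the server is applying user-directory mapping to your domain; if both answer, the host is serving a catch-all page and the result is inconclusive. The domain, account name and status codes in the usage example are constructed.

```python
"""Check whether a site on a shared host also answers on /~username/.

Added example, not from the original article. Assumes the provider's
temporary-URL format is http://host/~username/ as described above.
"""
import secrets
import sys
import urllib.error
import urllib.request
from typing import Callable

# A fetcher maps a URL to an HTTP status code (0 = could not connect).
Fetcher = Callable[[str], int]

# Status codes that mean the path is being served rather than refused.
SERVED = {200, 301, 302, 303, 307, 308}


def http_status(url: str, timeout: float = 10.0) -> int:
    """Fetch a URL and return its final HTTP status code (redirects are followed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "userdir-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # 403, 404, 500, ...
    except urllib.error.URLError:
        return 0                 # DNS failure, refused connection, timeout


def userdir_url(domain: str, username: str, site_dir: str = "") -> str:
    """Build http://domain/~username/[site_dir/] in the provider's temporary-URL format."""
    path = f"/~{username}/"
    if site_dir:
        path += site_dir.strip("/") + "/"
    return f"http://{domain}{path}"


def check_userdir(domain: str, username: str, site_dir: str = "",
                  fetch: Fetcher = http_status) -> str:
    """Return 'exposed', 'not-exposed' or 'inconclusive' for the given domain.

    'exposed' means the server maps /~username/ on *your* domain to your account
    while rejecting a made-up account name, i.e. the misconfiguration the article
    describes. A catch-all server that answers any /~name/ path is 'inconclusive'
    and needs a manual look at the returned content.
    """
    real = fetch(userdir_url(domain, username, site_dir))
    # Constructed, random account name that should not exist on the server.
    bogus = fetch(userdir_url(domain, "u" + secrets.token_hex(6), site_dir))
    if real == 404:
        return "not-exposed"
    if real in SERVED and bogus == 404:
        return "exposed"
    return "inconclusive"


if __name__ == "__main__":
    # usage: python userdir_check.py your-site-domain.com yourusername [site-directory]
    if len(sys.argv) < 3:
        sys.exit("usage: userdir_check.py DOMAIN USERNAME [SITE_DIR]")
    print(check_userdir(sys.argv[1], sys.argv[2], *sys.argv[3:4]))
```

The `fetch` parameter exists so the verdict logic can be exercised against canned status codes without network access; in normal use the default `http_status` fetcher is used. A result of `exposed` is the cue to raise the issue with the hosting provider, since the fix (restricting user-directory mapping to the server’s own hostname or IP) lives in the provider’s web-server configuration, not in your site.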