Out-of-Date Software Holds the Door Open for Phishers


Lazy, incompetent or unaware website administrators who do not keep software packages updated are providing phishing gangs with an open invitation. Envisional is now detecting hundreds of phishing attacks a month using compromised "zombie" machines, some linked with religious fundamentalists and many directly caused by companies using out-of-date software. Major US and UK banks, including Bank of America and LloydsTSB, have been among the many recent victims of these attacks.

Websites using software packages that have not been updated are providing easy targets for aggressive phishers, some of them potentially linked to religious fundamentalists, according to Envisional (http://www.envisional.com), a leading Internet intelligence company.

Envisional's analysts claim 70% of today's phishing attacks are hosted on "zombie" computers - ordinary business or home computers that have been hijacked by hackers and phishers for use in criminal activity. In many cases, the machines are compromised by Trojan horse programs that are downloaded in spam emails or simply by visiting infected websites.

Many websites use out-of-date software - for creating bulletin boards and photo galleries, for example - with gaping security holes. These flawed and obsolete programs offer a warm welcome to hackers who know the tricks needed to break into them. The software vendors may have fixed these vulnerabilities long ago. But if unaware or incompetent site administrators have failed to update the software, no-one benefits from this added security.

Machines compromised in this way were frequently "defaced" with a kind of online graffiti, either carrying political messages or simply boasting that the site had been hacked.

These days, the hacking tends to be less obvious. Often, site owners have no idea that a site has been hacked, but there is new code running in the background that allows hackers to use the machine for phishing attacks or spamming.

"It is clear that just updating software more regularly could slash the hundreds of phishing attacks each month that use these zombie machines," says Envisional's Chief Executive Officer, Michael Wheatley.

For example, one attack detected by Envisional on 25 February was based on a hack that was widely reported in October, four months earlier. By letting his software trail so far behind the game, the site administrator allowed the crooks to break in at their leisure and use the site as the base for an attack on one of the largest US banks.

Similar attacks exploiting similar vulnerabilities and targeting at least three British banks have also been seen in the last few days.

In another recent incident, pages comprising a phishing attack on Bank of America were found on the same compromised website as a sinister hacker page, decorated with aggressive imagery and proclaiming "Everything for Islam".

Together with a similar attack targeting LloydsTSB, this provides a surprising indication that at least some of the phishing gangs may have links with fundamentalists, in both these cases clearly from Turkey.

For more information on how out-of-date software opens the door to phishers and hackers, contact Ian Shircore or go to http://www.envisional.com.

About Envisional

Envisional creates new-generation Advanced Automated Artificial Intelligence (A3I) search technologies that allow businesses to discover items and information online that even unlimited human resources could never expose.

The company works with a client list studded with market leaders, including global banks, oil majors, Hollywood studios and food giants. It has used its patented technology to develop Internet intelligence systems that detect phishing and fraud, piracy, counterfeiting and trademark and intellectual property abuse. These systems work with images and with any language or alphabet, producing selective, priority-ranked results that allow fast, decisive action to be taken.

Envisional is based in Cambridge, UK.


Ian Shircore, VP Global Marketing


+44 (0)1223 372400

+44 (0)784 177 6296

