A new advisory from the Anti-Phishing Working Group (APWG) offers advice to website owners on what actions to take when notified that their site or server has been compromised for use by phishers.

At 18 pages, it's a substantial high-level document, including:

  • Some website phishing attack and response scenarios
  • Identifying an attack
  • Reporting a compromise (how and to whom)
  • Containment and damage limitation
  • Recovery (This actually includes some proactive approaches to facilitating recovery before the problem arises, which seems a very sound approach to me.)
  • Follow-up (lessons learned, tightening up...)
  • The references section is actually more of a collection of relevant resources (short, but useful and relevant: the OWASP site alone could keep a site administrator wanting to improve site security busy for weeks).

So, a useful document dealing with an aspect of the phishing problem that receives far less attention from the media than the phishing emails that are all too visible to the everyday user. My only suggestion is that rather than pitching this as reading material for a site that's just been compromised, APWG might consider pushing it as something to read before a compromise takes place: it would actually be a sound basis for establishing strategies and policies to mitigate future attacks.

If you're in a position where you might need to know this stuff to deal with a compromise on your site, I'd suggest that you read it (and check out the resources it contains) now and start planning. Sometimes it pays to have your shields up before the enemy opens fire.

David Harley
Director of Malware Intelligence