Table 5 in the Appendix lists the top 10 overlaps between a defacer-related domain and a phishing domain hosted within one year of each other.
The first scenario is that the phisher is the defacer. We believe this is the case for the vast majority of the websites where the offset between the defacement record and the phishing report is -1 or 0 days.
The second scenario is that the phisher and defacer are part of the same organized group or crime unit.
In this research we present a set of methods that demonstrate a relationship between phishers and defacers. Highlighting this relationship helps build stronger defenses and law enforcement cases against this threat, and it shows that the proposed strategy can be used to predict when and where new phishing websites and related attacks will surface next.
When investigating the drop email addresses used by phishers, it is common to find that those addresses match information that defacers themselves post on defacement archive webpages. Defacers are a set of cybercriminals who gain unauthorized access to webservers and related systems by attacking design, implementation, logic and configuration vulnerabilities in order to post illegitimate web content on that server.
Defacers post to these defacement archive databases to take credit for their defacements and to maintain a public history of them.
The research presented in this paper was assembled to demonstrate the relationship between phishers and defacers, using the domains and timestamps at which phishing and defacement websites were reported.
The goal in this experiment was not only to use more data to show a larger impact by these defacers but also to demonstrate that some phishers target multiple organizations, giving law enforcement more motivation to open an investigation on the phisher.
From 2010 to 2012, there were 1,029 defacers that had a defacement string within one week of a phishing website.
The results of Experiments 1 and 2, illustrated in the associated histograms, show a pattern suggesting that defacers want to record their defacement in an archive before using the server for phishing or other purposes.
The final scenario is that some defacers sell credentials on underground markets.
The data supports using the information defacers post as an early warning system for malicious activity on those domains, such as identifying new phishing attacks before they are reported.
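The following is an added worked example, not code or data from the paper, of the domain-and-timestamp join that underlies the overlap counts and histograms above (defacers with a record within one week of a phishing site, offsets of -1 or 0 days) and of the early-warning use of defacement archives. The defacement and phishing records are constructed for illustration; the function names, the one-year window and the sign convention (offset = phishing report date minus defacement date) are assumptions of this example, not definitions from the paper.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample defacement-archive records (not data from the paper):
# (domain, defacer handle, date the defacement was reported to the archive).
DEFACEMENTS = [
    ("example-shop.test", "h4ck3r_x", "2011-03-01"),
    ("example-shop.test", "h4ck3r_x", "2011-09-20"),
    ("city-council.test", "team_abc", "2011-05-10"),
    ("oldblog.test", "team_abc", "2010-11-02"),
    ("clinic.test", "zeta", "2012-01-15"),
    ("unrelated.test", "zeta", "2012-06-01"),
]

# Constructed sample phishing-feed records: (domain, date the phishing site was reported).
PHISHING = [
    ("example-shop.test", "2011-03-03"),  # 2 days after the defacement
    ("city-council.test", "2011-05-09"),  # 1 day before the defacement record
    ("oldblog.test", "2011-08-01"),       # ~9 months after the defacement
    ("oldblog.test", "2012-03-01"),       # more than a year after: outside the window
    ("clinic.test", "2012-01-15"),        # same day
    ("other.test", "2012-02-01"),         # no defacement record for this domain
]


def _day(s):
    return date.fromisoformat(s)


def domain_overlaps(defacements, phishing, max_days=365):
    """Join both feeds on domain. For each phishing report pick the nearest
    defacement of that domain and return (domain, defacer, offset_days),
    where offset_days = phishing report date - defacement date (assumed sign
    convention; negative means the phish was reported before the defacement).
    Pairs further apart than max_days are dropped."""
    by_domain = {}
    for domain, defacer, ts in defacements:
        by_domain.setdefault(domain, []).append((defacer, _day(ts)))
    overlaps = []
    for domain, ts in phishing:
        if domain not in by_domain:
            continue
        phish_day = _day(ts)
        defacer, deface_day = min(
            by_domain[domain], key=lambda rec: abs((phish_day - rec[1]).days)
        )
        offset = (phish_day - deface_day).days
        if abs(offset) <= max_days:
            overlaps.append((domain, defacer, offset))
    return overlaps


def defacers_within(overlaps, days):
    """Distinct defacers with at least one phishing report within +/- days."""
    return sorted({defacer for _, defacer, off in overlaps if abs(off) <= days})


def offset_histogram(overlaps):
    """Day-offset histogram of the kind used to plot Experiments 1 and 2."""
    return Counter(off for _, _, off in overlaps)


def count_offsets(overlaps, lo, hi):
    """Number of overlaps whose offset lies in [lo, hi], e.g. the -1/0-day cases."""
    return sum(1 for _, _, off in overlaps if lo <= off <= hi)


def early_warning(defacements, phishing, as_of, lookback_days=7):
    """Early-warning list: domains defaced in the last lookback_days before
    as_of that have not yet appeared in the phishing feed, i.e. candidates to
    monitor for phishing content before a report arrives."""
    already_reported = {domain for domain, _ in phishing}
    end = _day(as_of)
    start = end - timedelta(days=lookback_days)
    return sorted(
        {domain for domain, _, ts in defacements
         if start <= _day(ts) <= end and domain not in already_reported}
    )


if __name__ == "__main__":
    overlaps = domain_overlaps(DEFACEMENTS, PHISHING)
    print("overlaps within one year:", overlaps)
    print("defacers within one week of a phish:", defacers_within(overlaps, 7))
    print("-1/0 day cases:", count_offsets(overlaps, -1, 0))
    print("histogram:", dict(offset_histogram(overlaps)))
    print("watchlist as of 2012-06-03:", early_warning(DEFACEMENTS, PHISHING, "2012-06-03"))
```

On real feeds the join key should be the registrable domain (eTLD+1) rather than the full hostname, since phishing pages are often hosted on subdirectories or subdomains of the defaced server; that normalisation step is left out here to keep the example self-contained.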