Some security problems just never seem to go away. I’m not sure if it’s because there’s a steady stream of new web developers who have to learn things the hard way, because people forget, or because they think their open programs won’t be found by the bad guys. Unfortunately for those of us who fight phishing, open formmailers are pervasive and they continue to enable fraudsters.
In case you’re not familiar, a formmail script is a CGI web application which receives data from a form on a web page and sends it off via email. They’re commonly used for things like ‘Contact Us’ forms, support requests, feedback, etc. Matt Wright claims that his formmail script has been downloaded over 2 million times since 1997. Matt’s version and lots of others are everywhere.
And that’s the problem. Many people have written their own without understanding the security and abuse implications. Written correctly, they restrict the destination of any generated email to the address of the webmaster or the appropriate contact for that web site. Written incorrectly, they accept the destination from the submitted form itself and can be used to send any message content to any address – including that of a cyber-criminal on a phishing expedition.
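The difference between the two cases comes down to where the recipient address comes from. The following is an added example, not code from the original post and not Matt Wright’s or any other real formmail script: a minimal form-to-email handler in Python showing the open pattern (recipient taken from the form) beside the restricted pattern (the form only names a key, the address comes from a server-side table, and anything else is rejected before a message is built). The destination table, script names and sample submissions are constructed for illustration, and nothing is actually sent.

```python
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Server-side table of where a form may deliver. Constructed sample values;
# a real deployment lists only the site's own contacts.
DESTINATIONS = {
    "webmaster": "webmaster@example.com",
    "support": "support@example.com",
}


class RecipientRejected(ValueError):
    """Raised when a submission asks for a destination the site never defined."""


def _fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _one_line(value: str) -> str:
    """Collapse CR/LF so a form field can never smuggle in extra mail headers."""
    return re.sub(r"[\r\n]+", " ", value).strip()


def build_message_open(body: str) -> EmailMessage:
    """The open pattern the post describes: the 'recipient' field is taken
    straight from the form, so whoever can POST here chooses the To address."""
    f = _fields(body)
    msg = EmailMessage()
    msg["To"] = _one_line(f.get("recipient", ""))
    msg["Subject"] = _one_line(f.get("subject", "Form submission"))
    msg.set_content(f.get("message", ""))
    return msg


def build_message_restricted(body: str) -> EmailMessage:
    """The restricted pattern: the form supplies only a key, the address is
    looked up in DESTINATIONS, and an unknown key is rejected outright."""
    f = _fields(body)
    key = f.get("dest", "").strip().lower()
    if key not in DESTINATIONS:
        raise RecipientRejected(f"unknown destination {key!r}")
    msg = EmailMessage()
    msg["To"] = DESTINATIONS[key]
    msg["Subject"] = _one_line(f.get("subject", "Form submission"))
    msg.set_content(f.get("message", ""))
    return msg


# Constructed sample submissions: one from the site's own contact page,
# one that asks the script to relay mail to an address on another domain.
LEGIT = "dest=support&subject=Login+trouble&message=I+cannot+sign+in"
FOREIGN = ("dest=outsider%40example.net&recipient=outsider%40example.net"
           "&subject=x&message=y")

if __name__ == "__main__":
    print("restricted, legit  ->", build_message_restricted(LEGIT)["To"])
    print("open, foreign      ->", build_message_open(FOREIGN)["To"])
    try:
        build_message_restricted(FOREIGN)
    except RecipientRejected as exc:
        print("restricted, foreign->", "rejected:", exc)
```

The restricted handler never even parses an address out of the form, which is the property that makes it useless to a phisher: whatever a cross-site page posts, mail can only reach the contacts the webmaster configured. The CR/LF collapsing is a separate but related caveat for any script that copies form fields into mail headers.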
Recently, PhishLabs examined the prevalence of formmailer abuse by phishers. After reviewing two weeks of phishing sites, we estimate that 10% of all phishing abuses formmailer scripts. That’s significant. Many phishers use open formmailers in combination with free web hosting. For example, t35.com provides free web hosting, but they don’t support the ability to send emails from their web servers. So instead the attackers set up the phishing site so that the HTML pages send victim data to another site with the open formmailer. The formmail script then emails the compromised account information to the attacker. Without the open formmailer, the attacker would have to hack into a legitimate web site instead. Get rid of open formmailers and you get rid of (most) phishers who can’t hack.
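Because the phishing page lives on one host and the formmailer on another, the abuse leaves a recognisable trace in the formmailer site’s own access log: POST requests to the script whose Referer is a page on some other host, or no Referer at all. The following is an added example, not part of the original post and not a PhishLabs tool: a small checker over Combined Log Format lines that reports such cross-site posts. The script paths, the site’s hostnames and the log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical paths of the formmail script and the site's own hostnames.
FORMMAIL_PATHS = {"/cgi-bin/formmail.pl", "/cgi-bin/FormMail.pl"}
OWN_HOSTS = {"www.example.com", "example.com"}

# Apache/nginx Combined Log Format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the named fields of one log line, or None if it is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str):
    """Hostname of the Referer header, or None when the client sent none."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def is_cross_site_formmail_post(entry: dict) -> bool:
    """True for a POST to the formmail script that did not come from our own pages."""
    if entry["method"] != "POST":
        return False
    if entry["path"].split("?", 1)[0] not in FORMMAIL_PATHS:
        return False
    host = referer_host(entry["referer"])
    return host is None or host.lower() not in OWN_HOSTS


def find_suspicious(lines):
    """Scan log lines and return (client ip, timestamp, referer) for each hit."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_cross_site_formmail_post(entry):
            hits.append((entry["ip"], entry["ts"], entry["referer"]))
    return hits


# Constructed sample log: a normal contact-form use, then two posts that
# arrive from a page hosted elsewhere and from a client sending no Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2010:14:02:11 +0000] "GET /contact.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2010:14:02:40 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 302 0 "http://www.example.com/contact.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2010:14:05:03 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 302 0 "http://free-pages.example.net/bank-login.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2010:14:05:30 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 302 0 "-" "curl/7.19.7"',
]

if __name__ == "__main__":
    for ip, ts, ref in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} posted to formmail from {ref}")
```

Referer is set by the client, so a check like this is a triage signal for a webmaster wondering whether a script is being relayed through, not a control: the fix that actually closes the hole is restricting the recipient inside the script itself.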
Of the approximately 100 open formmailers we detected being used for phishing, the following are the top 10 worst offenders.
We hope that the responsible parties will restrict access to these scripts or remove them. It would also be great if web content filtering companies would block access to them. It would certainly prevent some phishing victims.