More phishers using Malaysian servers
2nd November 2005 (The Star)

PETALING JAYA: The number of forgery cases reported last quarter did not increase but the number phishing websites being hosted by Malaysian servers has, according to the Malaysian Computer Emergency Response Team (MyCERT).

Its latest security quarterly report, which covers the July to September period, recorded a total of 35 forgery incidents, one fewer than in the previous quarter.

However, MyCERT said it has received "a series of reports" of phishing sites hosted on Malaysian servers during the first nine months of this year from foreign financial organisations and international CERTs based in the United States, Britain, Germany and Australia.

National ICT Security and Emergency Response Team (Niser) director Kol Husin Jazri said more IP (Internet Protocol) addresses from Malaysia are being used to host phishing sites.

"We have observed an increase in phishing activity using local IP addresses lately," he told In.Tech in an e-mail interview last week.

"In the first two quarters of the year, we recorded only four cases. But in the third quarter, the number jumped to 15. In the month of October alone, there were two cases."

MyCERT (, a unit of Niser, is responsible for tracking and logging security incidents, and analysing major security incidents and trends.

Phishing scams use fraudulent e-mail messages and websites that seemingly originate from well-known companies to dupe consumers into divulging personal information, such as bank account details and credit card numbers.

Husin said most of the servers that were used to host phishing sites involved Internet service providers' (ISPs) and various data centres' clients. Some, he said, even involved end-users.

The MyCERT report also noted that some of the cases reported were quite serious; in one case, there were two phishing sites found on one server that was being used to mimic a foreign bank's website.

MyCERT said it was able to inform the owners of the compromised servers within six hours after discovery. It was then able to shut down the affected servers hosting the phishing sites.

Husin said most of the organisations involved were not aware that their IP addresses and networks were being used to host the fraudulent sites.

"They only became aware of the situation after being notified by Niser," he said.

Husin also said the sites were exploited using the following vulnerabilities: Microsoft WEBDAV; Microsoft IIS Extended Unicode Directory Traversal; PHP File upload; and SSL/TLS Implementation.

MyCERT strongly urges users who receive e-mail purportedly from a bank requesting to change their logon and password to ignore and/or delete such e-mail immediately.

Users are also advised to verify such e-mail with their respective ISPs, CERTs or with the particular financial institutions mentioned.

In its report, MyCERT also noted there was a slight decrease in virus or worm incidents with a total of 16 incidents in the third quarter; 15.8% lower than in the previous quarter.

The report said this is relatively low considering that there were new worms and Trojans released on the Web. Most of the worm incidents reported involved new variants of mass mailing worms such as the W32.Zotob.

Incidents involving intrusion have also dropped from 103 in the previous quarter to 86 cases in this quarter.

The report also said web defacements is still the top intrusion incident reported compared to other intrusions, such as "root compromise."

There were 83 cases of ".my" websites defaced in the last quarter. However, no mass defacements were observed in this quarter.

Husin said the slight decrease in overall security incidents could be "due to a higher awareness among system owners of the importance of making sure their computers are secure."

"It could also be because of the proactive steps and measures taken by various CERTs' in alerting system owners through the media, SMS (short message service) and e-mail," he said.