In a newly released paper entitled “Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing”, Tyler Moore and Richard Clayton provide empirical evidence that 75.8% of the phishing sites they analyzed (2486 sites) were hosted on compromised web servers to which the phishers obtained access through Google hacking techniques (search engine reconnaissance).
The research also indicates that not only are legitimate sites (unknowingly) providing hosting services to scammers, but also that 19% of the vulnerable sites that they’ve analyzed were recompromised within six months.
This exploitation approach using “evil searches” is so efficient that the majority of large-scale SQL injection attacks that took place in 2008 performed automatic search engine reconnaissance first and then exploited the sites it turned up.
The trend has proven itself in cases where, for instance, the web sites of the U.K.’s Crime Reduction Portal, a police academy in India, government servers across the world and even a Chinese bank were all hosting phishing pages after their web servers had been exploited.
[...] Search engine reconnaissance, or “Google hacking”, is a legitimate penetration testing practice that cybercriminals naturally take advantage of as well.
The bottom line: if you don’t take care of your web application vulnerabilities, someone else will. And yes, they will come back six months later to find out whether the web servers are still vulnerable.
During my time as a CastleCops PIRT handler, I was personally involved in reporting and assisting in the takedown of hundreds of phishing sites, most of them on hacked servers.
Sadly, many of the administrators of the hacked servers didn't even know they had been hacked, and they lacked the general security experience to properly secure their servers. Many (if not most) were running outdated versions of software, like PHP.
The work was tedious and often very repetitive but I was honored to work on the project while it lasted.