Here's a tell-all tale about how free Web hosting providers profit handsomely from phishing sites - even those they eventually shut down - and why this one hoster, in particular, has all but weaned himself off the juice.
Scott Smith and his wife Jamie run a mom-and-pop - as in four kids and a handful of remote contract workers - free Web hosting outfit called Ripway.com. It is part of a larger mom-and-pop conglomerate that includes services such as VillagePhotos.com and an overall customer roster approaching a half-million strong.
Scott Smith noticed our discussion here recently about whether - or to what extent - free Web hosting services profit from phishing sites, even those sites that they eventually chase away. Smith's assessment in a nutshell: They profit plenty.
How does he know? ... Ripway used to profit plenty.
But not anymore, and the why (provided you believe him, as I do) seems almost noble in a business not exactly known for such character.
Smith and I have chatted a bit by e-mail about his situation and what follows is drawn from that correspondence:
For some time, until the middle of last year, we manually terminated phishing and spamvertising accounts as they were reported. This lackluster approach ended up with us being null-routed a few times, after the IRS Web site was spoofed, and also ended with our service being blacklisted from MySpace. We were doing our best, but yes, we were still profiting.
Any time we'd shut down one of these accounts, which most of the time had been advertised all over - by spam, Web links, message board spam, etc. - all the traffic that was coming in to these sites would go to an error page, on which we run banner and/or text ads. Some of the phishing and spamvertising sites were pulling in millions of hits a week to our service. It was a burden on our resources, but the ad revenue more than made up for it. The extra links were also pushing our page rankings higher and higher.
Around June of last year, after being null-routed from the IRS scam, which we had responded to within hours, we created a scanner that would look through text-based user content for anything remotely resembling spam. Obvious finds were automatically terminated. Questionable accounts were flagged for manual review.
This has proven to be highly effective, but, as you might guess, the ad revenue from the 404/User Terminated pages has dropped significantly: to the tune of $10K a month, which is significant for a family-owned business.
I asked Smith for more details about the IRS incident that had served as such a wake-up call:
Somebody set up a very realistic-looking IRS Web site at h1.ripway.com/IRS/. It was phishing Social Security numbers. The IRS got wind, and scared the bejeezus out of our provider, which in turn null-routed us until we were able to get on and terminate the account.
So what's "significant" mean there, as in what kind of revenue hit did the company take for tightening up its scam controls?
We were doing around $14,000 to $16,000 a month in ad revenue. The month after we started scanning/monitoring, it dropped by over $10K a month. It hurt. But getting null-routed again would hurt much more.
But, we wouldn't go back. First, we try to run a clean, responsible hosting service. We're BBB members, I insist on ethical practices in our company, and I'd rather go broke than support these scammers. Secondarily, the risk associated with being blocked/null-routed/blacklisted was too high. The one time we did get null-routed hurt our business and upset our legitimate customers.
So yes, we profited from it. But we still did what we could to stop it, and we're still fighting new phishing techniques almost daily.
As for that homegrown solution, Smith offers a few details:
It's a shell script that checks all accounts set up in the last few weeks - it scans every text file (including PHP, HTML, txt, JS, etc.), and looks for a fairly large list of keywords, including hex-encoded and double hex-encoded scripts (spamvertisers will encode or double-encode their redirect-to-search-results-page scripts to hide them from manual reviews). Very common. We're the only ones automatically scanning for this kind of content at the file level. There are firewall and security hardware devices that can detect it at that stage, but those come with a significant cost which we couldn't afford. We're looking for other more dynamic solutions at this time, but we'll continue using this for now. I've considered licensing this scanner, and/or maintaining a public list of the common and uncommon keywords/phrases, which constantly change, and would only be made accessible to known reputable hosts.
We run this scanner every half hour, against from 1TB to 4TB of files, to try to head off anything new. Luckily most files are images or video content that we don't have to scan.
If a match is found, it's given a "score," depending on the kind of match. A mention of MySpace gets a point, a link to the MySpace login page gets 2, including the MySpace CSS file in a web page gets 10, which is an automatic termination. Drugs are the other hot one - Viagra, phentermine, etc. Each of those gets a couple points per occurrence.
A half hour is the longest anything should be able to be live. Every half hour we probably kill a handful of MySpace phishing sites, Citibank, and so on.
Sure, we get a few false positives, but we have the ability to manually review accounts and flag them as "safe" if we accidentally suspend a valid user's account. It's rare, but we have little choice.
Of course, we have to keep the scanner updated - phishers are aware we're scanning (although we don't specifically mention it on our site), so they're always trying to find ways around the scanner. Encoding URLs, using JavaScript to output pages, then obfuscating that code, etc.
But we do our best.
Not everyone in his line of work can make the same claim.
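To make the mechanics of Smith's scanner concrete, here is a small reconstruction of the approach he describes, written for this post in Python (his own tool is an unpublished shell script; nothing below is Ripway's code). It peels percent-encoding, JavaScript \xNN escapes and &#xNN; entities off a file until the text stops changing, then scores the decoded text against a keyword list. The point values (a MySpace mention scores 1, a link to the MySpace login page 2, a MySpace CSS include 10 and automatic termination, drug names a couple of points each) are the ones he quotes; the regular expressions, the pharma list, the 3-point "review" threshold, the hypothetical file names, and the choice to double-count matches that only appear after decoding are my assumptions for the example. The sample account contents are constructed.

```python
"""Content scorer modelled on the scanner described in the post (example code, not Ripway's)."""
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Only text-bearing files are scanned; images and video are skipped, as in the post.
TEXT_EXTS = {".html", ".htm", ".php", ".txt", ".js", ".css"}

# Point values follow the post. Regexes and the pharma list are assumptions;
# the real keyword list is not public and, per Smith, changes constantly.
RULES = [
    ("myspace_css_include",
     re.compile(r"""<link[^>]+href=["']?[^"'>\s]*myspace\.com[^"'>\s]*\.css""", re.I), 10),
    ("myspace_login_link", re.compile(r"""myspace\.com/[^\s"'<>]*login""", re.I), 2),
    ("myspace_mention", re.compile(r"\bmyspace\b", re.I), 1),
    ("pharma", re.compile(r"\b(?:viagra|phentermine|cialis)\b", re.I), 2),
]
TERMINATE_AT = 10  # from the post: a MySpace CSS include alone is an automatic kill
REVIEW_AT = 3      # assumption: 3..9 points goes to a human reviewer


def decode_layers(text, max_rounds=4):
    """Strip percent-encoding, JS \\xNN escapes and &#xNN; entities one layer at a
    time until nothing changes. Returns every layer; len(layers)-1 layers were removed."""
    layers = [text]
    for _ in range(max_rounds):
        cur = layers[-1]
        nxt = unquote(cur)
        nxt = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), nxt)
        nxt = re.sub(r"&#x([0-9a-fA-F]{2,4});", lambda m: chr(int(m.group(1), 16)), nxt)
        if nxt == cur:
            break
        layers.append(nxt)
    return layers


def raw_score(text):
    """Sum rule points over one layer of text; returns (total, {rule: match count})."""
    hits, total = {}, 0
    for name, rx, pts in RULES:
        n = len(rx.findall(text))
        if n:
            hits[name] = n
            total += n * pts
    return total, hits


def score_file(text):
    layers = decode_layers(text)
    plain, _ = raw_score(layers[0])
    decoded, hits = raw_score(layers[-1])
    # Matches visible only after decoding were deliberately hidden from review,
    # so they count double (assumption made for this example).
    hidden = max(decoded - plain, 0)
    return {"score": decoded + hidden, "hits": hits, "layers_removed": len(layers) - 1}


def verdict(score):
    if score >= TERMINATE_AT:
        return "terminate"
    return "review" if score >= REVIEW_AT else "clean"


def scan_account(files):
    """files: {path: contents}. The account takes the verdict of its worst file."""
    detail, worst = {}, 0
    for path, text in files.items():
        if Path(path).suffix.lower() not in TEXT_EXTS:
            continue
        detail[path] = score_file(text)
        worst = max(worst, detail[path]["score"])
    return verdict(worst), detail


def hex_all(s):
    """Percent-encode every byte, the way spamvertisers hide redirect scripts."""
    return "".join("%%%02X" % b for b in s.encode())


# Constructed sample account: a clean page, an image (skipped), a MySpace lookalike
# login form, and a double hex-encoded redirect/spam payload in a script.
SAMPLE_ACCOUNT = {
    "index.html": "<html><body><h1>Our trip to Maine</h1><img src=lighthouse.jpg></body></html>",
    "lighthouse.jpg": "\xff\xd8 binary, not scanned",
    "login.html": '<link rel="stylesheet" href="http://x.myspace.com/css/base.css">'
                  '<form action="grab.php"><input name="email"><input name="pass"></form>',
    "go.js": 'document.write(unescape("'
             + hex_all(hex_all("viagra phentermine http://www.myspace.com/login")) + '"));',
}


def scan_tree(root):
    """Scan one account directory on disk (Smith's script walks all recent accounts)."""
    files = {str(p): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in TEXT_EXTS}
    return scan_account(files)


if __name__ == "__main__":
    result, per_file = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_account(SAMPLE_ACCOUNT)
    for path, r in per_file.items():
        print(f"{path}: {r['score']:>3} pts, {r['layers_removed']} encoding layer(s) removed, {r['hits']}")
    print("account verdict:", result)
```

Run it with no arguments to score the constructed sample, or with a directory path to walk an account's files. The lookalike login page is killed outright by the CSS include; the script file scores nothing as written but, two decoding rounds later, exposes the drug names and the login link that the encoding was hiding. A fan page that merely mentions MySpace a few times lands in the "review" band rather than being terminated, which is the manual-review safety valve Smith describes for false positives.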
Nice to see
It's nice to see someone doing something about phishing sites. It's also funny that it's a man with a home-grown Web hosting company and far fewer funds than the big guys in the business.