rkirklan
Cadet
Joined: May 21, 2008 Posts: 2 Location: USA
Posted: Wed May 21, 2008 11:09 pm Post subject: McCoy Federal Credit Union
I have a client whose server was used in a way I'm not used to seeing in phishing scams.
My client's server is the host for the client web site. Other people got messages, supposedly from McCoy Federal Credit Union. The message gave a link. The link directed them to an HTML file, mccoy.htm, that had been placed on my client's computer. That file directed them to another site. My client removed and deleted the file. He also deleted a zip file that he had not placed on his server.
His Watchguard Firebox 8000 shows no intrusions into his system. He has a client with ftp access. He does not think anyone internally would have used the server and opened any files to download these files.
When I typed in the site they were directed to, I got a message about loading Chinese language to view the files. I skipped that and the site seemed to load very slowly. I gave up. Other reports to my client said it was asking for login information.
Any ideas on this? Should we now assume there is a problem with this server, such as a rootkit that may be undetectable? We are watching the server now for any more actions.
Any suggestions on what else to look for?
Thanks,
Ralph
My first question is simply, what does the phishing scam gain by placing an intermediate file on another server? Is this common and I have just overlooked it?
moike
PIRT Handler, Premium Member
Joined: May 26, 2006 Posts: 1871
Posted: Thu May 22, 2008 2:04 am Post subject:
There are several possibilities on his server.
One is that they only had FTP access, either by guessing an account or because malware on a computer with FTP access stole the account login.
The second is that they uploaded something via a vulnerability on the web site.
Theoretically, either case could have resulted in root access and a rootkit; there's no way to know for sure. It would be good to inspect the FTP and web server logs to get an idea of how the data was uploaded.
The redirect is just an attempt to evade email phishing filters. They may set up a site; as soon as it is discovered and ends up on the spam filtering lists, they can set up additional redirect sites like this and more phishing spam will be delivered to victims.
At times they try to set up a full phishing site, and are not able to obtain full execute privileges on the server. So they just load a static redirect. In extreme cases, there may be a chain of 3 or 4 redirects - all end up on the phishing blacklist as soon as a researcher sees them.
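A defender-side triage script in the spirit of moike's advice above: inspect the FTP transfer log for what was uploaded and by which account, and expect a static redirect page rather than a full phishing kit. This is an added example, not code from the thread or from any product named in it; the page bodies, the xferlog lines, the account name `webclient` and the hosts (documentation address ranges) are constructed samples, and the xferlog field layout is assumed to be the standard wu-ftpd/vsftpd/proftpd one.

```python
import os
import re
# Constructed sample pages standing in for files found in the web root; mccoy.htm
# mimics the static redirect described in the thread (assumed body, not the real file).
PAGES = {
    "index.htm": "<html><body><h1>Welcome</h1></body></html>",
    "mccoy.htm": '<meta http-equiv="refresh" content="0;url=http://example.invalid/login">',
    "promo.htm": '<script>window.location="http://example.invalid/x";</script>',
}

# Constructed sample in xferlog layout (wu-ftpd/vsftpd/proftpd): date (5 fields), secs,
# remote host, bytes, path, type, flag, direction (i = upload), mode, username, ...
XFERLOG = """\
Tue May 20 23:41:07 2008 1 203.0.113.7 1342 /var/www/html/mccoy.htm a _ i r webclient ftp 0 * c
Tue May 20 23:41:12 2008 2 203.0.113.7 28410 /var/www/html/site.zip b _ i r webclient ftp 0 * c
Wed May 21 09:10:00 2008 1 198.51.100.4 812 /var/www/html/index.htm a _ i r webclient ftp 0 * c
"""

# Markers of a page whose only job is to bounce the visitor somewhere else.
REDIRECT_PATTERNS = [
    re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I),               # <meta refresh>
    re.compile(r'(window\.|document\.)?location(\.href)?\s*=', re.I),  # JS redirect
    re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0\b', re.I),   # hidden iframe
]

def is_static_redirect(html):
    """True when the page carries a meta-refresh, JS location or hidden-iframe redirect."""
    return any(p.search(html) for p in REDIRECT_PATTERNS)

def parse_uploads(xferlog):
    """Map uploaded basename -> (ftp account, remote host) from xferlog lines."""
    uploads = {}
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) >= 14 and f[11] == "i":          # field 11 = direction, 'i' = incoming
            uploads[os.path.basename(f[8])] = (f[13], f[6])
    return uploads

def triage(pages, xferlog):
    """Return sorted (file, reason, account, host) tuples that deserve a human look."""
    uploads = parse_uploads(xferlog)
    findings = []
    for name, html in pages.items():
        if is_static_redirect(html):
            account, host = uploads.get(name, ("<not in ftp log>", "?"))
            findings.append((name, "static redirect", account, host))
    for name, (account, host) in uploads.items():
        if name.lower().endswith((".zip", ".tar", ".tgz", ".gz", ".rar")):
            findings.append((name, "archive upload", account, host))
    return sorted(findings)
```

A redirect page that does not appear in the FTP log at all is the interesting case: it points at a different upload path (such as a web application vulnerability) and is worth checking against the web server logs next.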
prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008 Posts: 15 Location: USA
Posted: Thu May 22, 2008 10:03 pm Post subject: relevant post
Check this post. phishing piers...
rkirklan
Cadet
Joined: May 21, 2008 Posts: 2 Location: USA
Posted: Fri May 23, 2008 2:46 pm Post subject: prehistoric comment
Yes. I think you hit it on the head. That is exactly what happened here. I am trying to get back to check out their ftp logs and their ftp setup. I think that is the most likely source of the problem.
Thanks,
Ralph