Sad but an example of how phishers can back-door into a site and use it to setup a phishing operation: An educational institution site that has been compromised.
The school district is closed so the phisher is having a field day. We have been in touch with the school administration and the phishing site has been taken down.
Here’s the main page: http://www.pottsboroisd.org
And here’s where the phishers put their sign-in page for their phishing site:
Looks like the website is using Apache, so if the admin doesn’t really know about security, it’s understandable how it could be hacked. On the other hand, IIS, in default configuration, is fairly secure.
(Thanks to Sunbelt researcher Adam Thomas for finding this.)