Saturday, December 05, 2009

Webmasters Targeted by CPANEL phish

Webmasters from at least 90 online hosting providers are specifically targeted in the newest round of Avalanche phish.

The spam emails that are going out look like these:







Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details.
Please confirm your FTP details by using the link below:


Subject lines use the name of the targeted hosting company in the email subject, such as:

(targeted hosting company) webhosting update
(targeted hosting company) web hosting update
(targeted hosting company) webhosting user
(targeted hosting company) web hosting update
for (targeted hosting company) webhosting user
for (targeted hosting company) web hosting user

Given all the variations, we've seen more than 900 unique subject lines.

When the link is followed, the websites are of course the criminal's phishing page instead of the web hosting company's CPanel page. (CPanel is a popular website
administration tool.)

The goal seems to really be capturing the FTP userids and passwords of webmasters. You can imagine what sorts of badness this campaign may lead to!

The website looks like this:



Here are some websites currently live . . .

cpanel.netbenefit.co.uk.tygkhggi.co.uk
cpanel.123-reg.co.uk.tygkrggi.co.uk
cpanel.1and1.co.uk.tygsrggi.co.uk
cpanel.locaweb.com.br.tygkhggi.me.uk
cpanel.1and1.co.uk.tygkrggi.org.uk
cpanel.locaweb.com.br.tygrhggi.org.uk
cpanel.1and1.co.uk.tygrtggi.org.uk
cpanel.fasthosts.co.uk.tygsrggi.org.uk
cpanel.4shared.com.tygrhggi.co.uk
cpanel.4shared.com.tygkrggi.me.uk
cpanel.4shared.com.tygsrggi.me.uk

The pattern of the URL is:

cpanel.(targeted hosting company).topleveldomain

where (targeted hosting company) can be:
locaweb.com.br
now.cn
4shared.com
50webs.com
bluehost.com
earthlink.com
github.com
godaddy.com
homestead.com
hostalia.com
hostgator.com
hostmonster.com
ixwebhosting.com
jeeran.com
lunarpages.com
mediafire.com
mozy.com
namecheap.com
netfirms.com
networksolutions.com
pair.com
powweb.com
qwest.com
register.com
resellerclub.com
siteground.com
sitesell.com
softlayer.com
squarespace.com
startlogic.com
t35.com
theplanet.com
ucoz.com
vendio.com
volusion.com
web.com
webhost4life.com
webhostingpad.com
west263.com
x10hosting.com
yahoo.com
35.com
bravehost.com
dreamhost.com
enom.com
fatcow.com
krypt.com
midphase.com
one.com
xlhost.com
000webhost.com
all-inkl.com
angelfire.com
bravenet.com
freeservers.com
freewebs.com
ipower.com
justhost.com
leaseweb.com
pingdom.com
rackspace.com
zerolag.com
arabstart.com
awardspace.com
fortunecity.com
freehostia.com
dynadot.com
pueblo.cz
arcor.de
funpic.de
hosteurope.de
ohost.de
1und1.de
server4you.de
strato.de
usenext.de
aruba.it
isimtescil.net
masterweb.net
ovh.net
speakeasy.net
aplus.net
mediatemple.net
home.pl
nazwa.pl
masterhost.ru
123-reg.co.uk
1and1.co.uk
oneandone.co.uk
fasthosts.co.uk
netbenefit.co.uk
website.ws

The URL contains your email address and the provider link. When you visit the page, this information is stored as part of the URL for "command_003.php". You can see what I mean in the layout below:

(html)(head)
(title)WebHost Manager(/title)
(meta http-equiv="Content-Type" content="text/html; charset=UTF-8")
(link rel="shortcut icon" href="http://whm.demo.cpanel.net/favicon.ico" type="image/x-icon">)
(/head)
(frameset cols="217,566*" frameborder="NO" border="0" framespacing="0" rows="*")
(frame src="command.htm" name="commander" frameborder="no" id="commander" scrolling="yes")
(frameset rows="70,*" cols="*" framespacing="0" frameborder="no" border="0")
(frame src="command_002.htm" name="topFrame" frameborder="no" noresize="noresize" id="topFrame" scrolling="no")
(frame src="command_003.php?email=phishthis@phishme.com&service=mediafire.com" name="mainFrame" id="mainFrame" frameborder="no")(/frameset)
(/frameset)
(/html)


After providing the userid and password, your information is saved, and then you are forwarded to whatever hosting provider was specified in the "service=" tag. If you clicked on a web.com version of the email, you go to web.com. If you clicked on a yahoo.com version of the email, you go to yahoo.

If you are a webmaster and have received one of these emails, please be sure to contact your hosting provider to reset your passwords immediately, and review your pages to see what changes may have been made. If you learn what the bad guys are doing with your site, please drop me a note about it as well. (gar at uab dot edu)

Thanks!

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!