Saturday, December 05, 2009

Webmasters Targeted by CPANEL phish

Webmasters from at least 90 online hosting providers are specifically targeted in the newest round of Avalanche phish.

The spam emails that are going out look like these:

Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details.
Please confirm your FTP details by using the link below:

Subject lines use the name of the targeted hosting company in the email subject, such as:

(targeted hosting company) webhosting update
(targeted hosting company) web hosting update
(targeted hosting company) webhosting user
(targeted hosting company) web hosting update
for (targeted hosting company) webhosting user
for (targeted hosting company) web hosting user

Given all the variations, we've seen more than 900 unique subject lines.

When the link is followed, the websites are of course the criminal's phishing page instead of the web hosting company's CPanel page. (CPanel is a popular website
administration tool.)

The goal seems to really be capturing the FTP userids and passwords of webmasters. You can imagine what sorts of badness this campaign may lead to!

The website looks like this:

Here are some websites currently live . . .

The pattern of the URL is:

cpanel.(targeted hosting company).topleveldomain

where (targeted hosting company) can be:

The URL contains your email address and the provider link. When you visit the page, this information is stored as part of the URL for "command_003.php". You can see what I mean in the layout below:

(title)WebHost Manager(/title)
(meta http-equiv="Content-Type" content="text/html; charset=UTF-8")
(link rel="shortcut icon" href="" type="image/x-icon">)
(frameset cols="217,566*" frameborder="NO" border="0" framespacing="0" rows="*")
(frame src="command.htm" name="commander" frameborder="no" id="commander" scrolling="yes")
(frameset rows="70,*" cols="*" framespacing="0" frameborder="no" border="0")
(frame src="command_002.htm" name="topFrame" frameborder="no" noresize="noresize" id="topFrame" scrolling="no")
(frame src="command_003.php?" name="mainFrame" id="mainFrame" frameborder="no")(/frameset)

After providing the userid and password, your information is saved, and then you are forwarded to whatever hosting provider was specified in the "service=" tag. If you clicked on a version of the email, you go to If you clicked on a version of the email, you go to yahoo.

If you are a webmaster and have received one of these emails, please be sure to contact your hosting provider to reset your passwords immediately, and review your pages to see what changes may have been made. If you learn what the bad guys are doing with your site, please drop me a note about it as well. (gar at uab dot edu)


No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.