
Cybercriminals Target Web Hosting Customers with Fake VeriSign Warning

Attackers Target Web Hosting Customers

A new attack aimed at Web hosting customers is under way: users have been receiving emails that claim to come from their Web hosting provider, alert them that the provider has received a complaint from VeriSign, and request their login information. BlueHost, which claims to host over 1 million domains (not all active sites), and MediaTemple, which serves over 85,000 customers and 600,000 domains, have been known targets.

The contact details of those being targeted were most likely scraped from WHOIS data, the public database containing details of domain registrations. Using this data, the attacker can easily determine the hosting provider through the domain's nameservers, DNS lookups or a traceroute. Once a hosting provider is identified, the attacker inserts the details into an email “template,” attempting to make the email appear to come from the appropriate hosting provider. This is another example of the growing trend in automated, yet targeted, attacks being conducted by cybercriminals.

This attack takes a different approach to some of the other large attacks we’ve seen over the past week or so. In the past two weeks, we saw two massive campaigns targeting LinkedIn users, with fake “Contact Requests,” and iTunes users targeted with fake order confirmations, both used to spread the ever popular ZeuS malware.

What do attackers gain by obtaining access to a Web hosting account? It depends, but for small to mid-sized businesses that often host their sites and email on the same server, often protected by the same passwords, it could be a lot. If customers are using databases on the web server, the attacker can secretly gain access to databases such as the popular MySQL and PostgreSQL and not only copy what’s there now but, if not detected, continually siphon data from the database.

With access to a Web hosting account, attackers can also add and modify pages on a Web site to host or link to malware, something not only dangerous to those visiting the site, but harmful to the brand and reputation of the company hosting it. Google, which often scans pages for dangerous code, can essentially “blacklist” a site that hosts malware, pulling it from search results and causing it to show up as a dangerous site when users try to visit. Additionally, attackers could quietly install malware that enlists your server in a botnet army or set up a gateway to relay spam. The list goes on and on.

If it’s not obvious, anyone who has responded to an email of this nature, from any company, should immediately change their hosting password. If this same password is shared with other accounts, be sure to change those as well.

An example of the email is below.

Hello,

We receive a complaint about phishing page in your web hosting account. The complaint came from Verisign inc. There is a page in your hosting account that collects personal account details and disguise as legitimate Lloyds TSB Bank PLC. That webpages have been broadly distributed to individuals by a person or entity pretending to be Lloyds TSB Bank PLC. Please provide me with your hosting username and password so we can delete that phishing page from our server. Just reply this email with the information we needed so we can fix it immediately.

Thank you

[Hosting Provider Contact Details Here]
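
A mail-triage heuristic for the lure quoted above, as an added example that is not part of the original article: it flags a message when a request for a username and password coincides with a reply-by-email instruction or an abuse-complaint pretext. The regular expressions, verdict names, addresses and both sample messages are constructed for illustration; the lure body is abridged from the email quoted in the article.

```python
import re
from email import message_from_string, policy

# Patterns are this example's own, derived from the wording of the quoted lure.
SIGNALS = {
    "credential_request": re.compile(
        r"\b(provide|send|give|confirm)\b[^.]{0,80}\b(user\s?name|login)\b"
        r"[^.]{0,40}\bpassword\b", re.I),
    "reply_channel": re.compile(r"\breply\b[^.]{0,40}\be-?mail\b", re.I),
    "abuse_pretext": re.compile(
        r"\bcomplaint\b[^.]{0,80}\bphishing\b|\bphishing\b[^.]{0,80}\bcomplaint\b",
        re.I),
}

def plain_body(raw):
    """Return the text/plain body of an RFC 5322 message, whitespace-collapsed."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return re.sub(r"\s+", " ", part.get_content()) if part else ""

def triage(raw):
    """Return (verdict, sorted names of the signals that matched)."""
    body = plain_body(raw)
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(body))
    if "credential_request" in hits and len(hits) > 1:
        return "quarantine", hits   # credentials asked for, plus a lure trait
    if "credential_request" in hits:
        return "review", hits       # credentials asked for, no other trait
    return "pass", hits

# Constructed headers; the .example domains are placeholders.
HEADERS = ("From: support@hosting-provider.example\n"
           "To: owner@customer.example\n"
           "Subject: Complaint regarding your hosting account\n\n")
LURE = HEADERS + (
    "We receive a complaint about phishing page in your web hosting account. "
    "The complaint came from Verisign inc. Please provide me with your hosting "
    "username and password so we can delete that phishing page from our server. "
    "Just reply this email with the information we needed so we can fix it "
    "immediately.\n")
# Constructed legitimate-looking abuse notice that asks for no credentials.
BENIGN = HEADERS + (
    "We received a complaint about a phishing page in your hosting account. "
    "Sign in to the control panel to review the report. "
    "We never ask for passwords by email.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```
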

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
