Cybercriminals Target Web Hosting Customers with Fake VeriSign Warning

Attackers Target Web Hosting Customers

A new attack aimed at Web hosting customers is under way: users have been receiving emails that claim to come from their Web hosting provider, alert them to a complaint from VeriSign, and request their login information. BlueHost, which claims to host over 1 million domains (not all active sites), and MediaTemple, which serves over 85,000 customers and 600,000 domains, have been known targets.

Those being targeted in the attack were most likely scraped from WHOIS data, the public database containing details of domain registrations. Using this data, the attacker can easily determine the hosting provider through the domain's nameservers, DNS lookups or a traceroute. Once a hosting provider is identified, the attacker inserts the details into an email “template,” attempting to make the email appear to be from the appropriate hosting provider. This is another example of the growing trend in automated – yet targeted – attacks being conducted by cybercriminals.

This attack takes a different approach to some of the other large attacks we’ve seen over the past week or so. In the past two weeks, we saw two massive campaigns targeting LinkedIn users, with fake “Contact Requests,” and iTunes users targeted with fake order confirmations, both used to spread the ever popular ZeuS malware.

What do attackers gain by obtaining access to a Web hosting account? It depends, but for small to mid-sized businesses that often host their sites as well as email on the same server, often protected by the same passwords, it could be a lot. If customers are using databases on the web server, the attacker can secretly gain access to databases such as the popular MySQL and PostgreSQL and not only copy what’s on there now but, if not detected, continually siphon data from the database.

With access to a Web hosting account, attackers can also add and modify pages on a Web site to host or link to malware, something not only dangerous to those visiting the site, but harmful to the brand and reputation of the company hosting it. Google, which often scans pages for dangerous code, can essentially “black list” a site that hosts malware, pulling it from search results and causing it to show up as a dangerous site when users try to visit. Additionally, attackers could quietly install malware that enlists your server in a botnet army or set up a gateway to relay spam. The list goes on and on.

If it’s not obvious: anyone who has responded to an email of this nature, from any company, should immediately change their hosting password. If this same password is shared with other accounts, be sure to change those as well.

An example of the email is below.


We receive a complaint about phishing page in your web hosting account. The complaint came from Verisign inc. There is a page in your hosting account that collects personal account details and disguise as legitimate Lloyds TSB Bank PLC. That webpages have been broadly distributed to individuals by a person or entity pretending to be Lloyds TSB Bank PLC. Please provide me with your hosting username and password so we can delete that phishing page from our server. Just reply this email with the information we needed so we can fix it immediately.

Thank you

[Hosting Provider Contact Details Here]
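
A mail-filter heuristic for the lure shown above, as an added example that is not part of the original article: it scores a message on the traits of the sample (a credential request to be answered by reply, with a complaint as pretext). The `Reply-To` comparison, the provider allowlist, the addresses and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns modelled on the sample lure quoted in the article.
CRED = re.compile(r"\b(user\s?name|login|password)\b", re.I)
ASK = re.compile(r"\b(provide|send|reply|confirm)\b[^.]{0,80}"
                 r"\b(user\s?name|password|information)\b", re.I)
PRETEXT = re.compile(r"\b(complaint|abuse report|phishing page)\b", re.I)

def domain(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def score_message(raw, provider_domains):
    """Return (score, reasons) for one RFC 5322 message string."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts
                   if p.get_content_type() == "text/plain")
    reasons = []
    if CRED.search(body) and ASK.search(body):
        reasons.append("asks for credentials by reply")
    if PRETEXT.search(body):
        reasons.append("complaint pretext")
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    # Assumed heuristic: replies steered away from the visible sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From")
    # Assumed allowlist of domains the recipient's provider really uses.
    if from_dom not in provider_domains:
        reasons.append("sender not a known provider domain")
    return len(reasons), reasons

# Constructed samples (addresses are placeholders, not from the campaign).
LURE = (
    "From: Support <support@hosting-provider.example>\n"
    "Reply-To: abuse-desk@mailbox.example\n"
    "Subject: Complaint\n\n"
    "We receive a complaint about phishing page in your web hosting account. "
    "Please provide me with your hosting username and password so we can "
    "delete that phishing page from our server.\n")
BENIGN = (
    "From: Billing <billing@hosting-provider.example>\n"
    "Subject: Invoice\n\n"
    "Your invoice is available in the control panel. "
    "We will never ask for your password by email.\n")

if __name__ == "__main__":
    for sample in (LURE, BENIGN):
        print(score_message(sample, {"hosting-provider.example"}))
```
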

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
