Attackers Target Web Hosting Customers
A new attack targeted at Web hosting customers has been in action in which users have been receiving emails requesting login information from a source claiming to be from their Web hosting provider and alerting them that they have received a compliant from VeriSign. BlueHost, which claims to host over 1 million domains (not all active sites) and MediaTemple, which serves over 85,000 customers and 600,000 domains, have been known targets.
Those being targeted in the attack were most likely scraped from WHOIS data, the public database containing details of domain registrations. Utilizing this data, the attacker can easily determine the hosting provider either through the domain nameservers or doing DNS lookups or a traceroute. Once a hosting provider is identified, the attacker inserts the details into an email “template,” attempting to make the email appear to be from the appropriate hosting providers. This is another example of the growing trend in automated – yet targeted – attacks being conducted by cybecriminals.
This attack takes a different approach to some of the other large attacks we’ve seen over the past week or so. In the past two weeks, we saw two massive campaigns targeting LinkedIn users, with fake “Contact Requests,” and iTunes users targeted with fake order confirmations, both used to spread the ever popular ZeuS malware.
What do attackers gain by obtaining access to a Web hosting account? It depends, but for small to mid sized businesses that often host their sites as well as email on the same server, often protected by the same passwords, it could be a lot. If customers are using databases on the web server, the attacker can secretly gain access to databases such as the popular mySQL and PostgreSQL and not only copy what’s on there now, and if not detected, continually siphon data from the database.
With access to a Web hosting account, attackers can also add and modify pages on a Web site to host or link to malware, something not only dangerous to those visiting the site, but harmful to the brand and reputation of the company hosting it. Google, which often scans pages for dangerous code, can essentially “black list” a site that hosts malware, pulling it from search results and causing it to show up as a dangerous site when users try to visit. Additionally, attackers could quietly install malware that enlists your server in a botnet army or setup a gateway to relay spam. The list goes on and on.
If it’s not obvious, anyone that has responded to an email of this nature, from any company, immediately change your hosting password. If this same password is shared with other accounts, be sure to change those as well.
An example of the email is below.
Hello,
We receive a complaint about phishing page in your web hosting account. The complaint came from Verisign inc. There is a page in your hosting account that collects personal account details and disguise as legitimate Lloyds TSB Bank PLC. That webpages have been broadly distributed to individuals by a person or entity pretending to be Lloyds TSB Bank PLC. Please provide me with your hosting username and password so we can delete that phishing page from our server. Just reply this email with the information we needed so we can fix it immediately.
Thank you
[Hosting Provider Contact Details Here]