Phishing attack aimed at cPanel users
by Steve Ragan - Dec 8 2009, 16:00

Security vendor Trusteer says it has discovered a phishing scam that claims to come from Yahoo and asks recipients for their FTP credentials. The emails seen so far impersonate Yahoo, but it would take little effort for the criminals to re-skin the lure for other hosting providers.
If you host a website online, then you are likely familiar with cPanel and WHM. cPanel is a backend administration service that lets a site owner manage FTP access, email access, SQL administration, and several other aspects of the account. More often than not you will see cPanel coupled with WHM, a separate administration service that exposes server-level controls such as adding and removing sites, restarting services, and managing DNS.
Almost every hosting or dedicated server company online offers cPanel, and thanks to reseller branding you may be using cPanel without knowing it. The scam that Trusteer discovered and has been following cares little about any of this; what the criminals want is access. Since in most cases the FTP username and password are the same credentials used to log in to cPanel, the attackers get a two-for-one deal from some victims: a phished FTP password also opens the control panel.
The phishing email asks Yahoo users to “take a few minutes to confirm your FTP details” due to maintenance. If the user follows the link in the email, they are presented with a form that asks them to re-enter those credentials.

“The ability to upload arbitrary content into relatively small and less popular sites may seem un-interesting fraud-wise,” said Amit Klein, CTO of Trusteer and head of the company’s research organization.
“However, evidence we have collected over the past few months connects cPanel-driven sites to online banking fraud. By stealing cPanel login credentials, criminals do not need to use hacking tools to upload content to a website, and therefore can avoid detection until after they have siphoned funds from consumer and business banking accounts.”
Earlier this year, Trusteer investigated several phishing incidents involving criminals who specialize in cPanel-driven sites and use such sites exclusively as the basis for their phishing operations, the company said. It also observed that the criminals did not use typical hacking tools (such as a rogue control panel of their own) to upload content to the site, but rather used standard cPanel functionality to do so. This may indicate that in those cases they had access to the cPanel credentials.
The first step to avoiding this scam is to never trust a random link that shows up in your email. Another step, especially for cPanel users, is to separate FTP access from the master cPanel account: create dedicated FTP accounts with their own passwords rather than using the main cPanel login for FTP, so that a phished FTP password does not also hand over the control panel. When you create those accounts, cPanel offers a password strength indicator and a password generator; use them to boost the protection offered. At the same time, the best bet remains to delete suspicious emails the second you see them.
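The lure described above (a message branded as Yahoo whose link leads somewhere else entirely) is the kind of thing a simple link check catches before anyone types a password. The following is an added example, not code from the original article or from Trusteer: it pulls every link out of an HTML email body and flags a link when its real target is outside the domain the message claims to come from, when the text shown to the reader names a different host than the href actually points to, or when the target is a bare IP address. The sample email, the hostnames in it (`ftp-confirm.example.net`, `203.0.113.45`) and the `suspicious_links` function are all constructed for this illustration; the domain reduction is deliberately naive (last two labels) and a production scanner would use the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the Yahoo-branded FTP lure described in
# the article. All hosts below are placeholders, not the real phishing site.
SAMPLE_EMAIL = """\
<html><body>
<p>Dear Yahoo! customer,</p>
<p>Due to scheduled maintenance, please take a few minutes to confirm your
FTP details. <a href="http://ftp-confirm.example.net/yahoo/login.php">
http://webhosting.yahoo.com/ftp/confirm</a></p>
<p>Questions? See <a href="http://help.yahoo.com/">Yahoo! Help</a>.</p>
<p>Or use the direct link: <a href="http://203.0.113.45/cp/">click here</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable-domain reduction: keep the last two DNS labels.
    Adequate for .com/.net/.be; use the Public Suffix List for real work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_of(text):
    """Return a hostname if the visible link text looks like a URL or bare host."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and re.fullmatch(r"[a-z0-9.-]+", host):
        return host
    return None


def suspicious_links(html_body, claimed_sender_domain):
    """Scan an HTML e-mail body and return (href, reason) findings.
    An empty list means no link stood out."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue  # mailto:, relative links, empty href
        # 1. Bare IP target: a real provider does not send customers to one.
        try:
            ipaddress.ip_address(host)
            findings.append((href, "link target is a bare IP address"))
            continue
        except ValueError:
            pass
        # 2. The link leaves the domain the message claims to be from.
        if registrable_domain(host) != registrable_domain(claimed_sender_domain):
            findings.append((href, f"link leaves {claimed_sender_domain} for {host}"))
        # 3. The URL shown to the reader names a different host than the href.
        shown = _host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append((href, f"displayed as {shown} but points to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, "yahoo.com"):
        print(f"{reason}: {href}")
```

Run against the constructed sample with `yahoo.com` as the claimed sender, the scan produces three findings: the maintenance link is flagged twice (it leaves yahoo.com, and its displayed URL disagrees with its real target) and the "direct link" is flagged for pointing at a bare IP address, while the genuine help.yahoo.com link passes. The third check is the one that matters most for this campaign: the address a victim reads in the message is not the address the browser opens.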
The domain used in the lure is registered to an address in Belgium, and its IP address belongs to the Philippine Long Distance Telephone Company. Little in the way of punishment is expected for the name listed on the registration.
The Trusteer advisory is here.