Hosting provider phishing

How, and why, cybercriminals attack accounts on hosting provider sites.

Today, we’re recounting a fairly recent hijack of a personal account on a hosting provider’s site. That kind of account is very appealing to cybercriminals. Here’s how one attack worked, and how far this kind of breach can go.

Phishing scheme

The attack began with some classic phishing. In this case, they attempted to frighten the recipient into quick action by invoking a cyberattack — posing as the hosting provider, the crooks claimed they’d temporarily blocked the account in response to an attempt to buy a suspicious domain through it. To regain control of the account, they needed the recipient to follow the link and log in to their personal account.

Phishing e-mail sent by cybercriminals posing as a hosting provider

Phishing e-mail sent by cybercriminals posing as a hosting provider.

The message body is full of red flags. It contains neither the provider’s name nor its logo, suggesting the use of a common template for clients of different hosters. The name appears just once, in the sender’s name. What’s more, that name does not match the mail domain, an obvious sign of foul play.

The link leads to an unconvincing login page. Even the color scheme is off. The likely hope here is that the user will act on panic and not notice.

Fake website pages

Fake website pages.

As with any phishing, entering credentials on this page is equivalent to handing control to the cybercriminals. In this case, however, that means handing over the corporate website keys. Weirdly, they ask for some financial details as well, the purpose of which is unclear.

Why a hosting provider?

Take a look at the login page. All’s well with the phishing site’s certificates. Its reputation seems fine. That makes sense; cybercriminals didn’t create the domain, they just hijacked it, likely using a similar attack.

What cybercriminals can do with control of a personal account on a host’s website depends on the provider. For a few likely examples, they can relink to other content, update site content through a Web interface, and change the FTP password for content management. In other words, cybercriminals have options.

Possibilities too broad? Well, here are some more specific ideas. If cybercriminals take control of your site, they might add a phishing page, use your site to host a link for downloading malware, or even use it to attack your clients. In short, they can trade on your company’s name and website reputation for malicious purposes.

How to guard against phishing attacks

Phishing e-mails can be very persuasive. To avoid getting hooked, first of all, employees need to be vigilant. We recommend that you:

  • Maintain a policy of never clicking links to a personal account. Anyone who receives a worrying message from their hosting provider should log in to the legitimate site, starting by typing the address into their browser address bar.
  • Turn on two-factor authentication on the provider’s website. If the provider doesn’t offer 2FA, find out when they plan to add the feature.
  • Remain alert to obvious signs of phishing (such as a mismatch between the sender’s name and e-mail domain, or incorrect domain names on websites). Ideally, train employees to identify phishing attempts (one option is to use an online training platform).
  • Install corporate mail security solutions on all servers and devices employees use for Internet access.