{"id":38783,"date":"2021-02-16T14:56:58","date_gmt":"2021-02-16T19:56:58","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=38783"},"modified":"2021-02-16T14:56:58","modified_gmt":"2021-02-16T19:56:58","slug":"hosting-provider-phishing-web-page","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/hosting-provider-phishing-web-page\/38783\/","title":{"rendered":"Hosting provider phishing"},"content":{"rendered":"<p>Today, we\u2019re recounting a fairly recent hijack of a personal account on a hosting provider\u2019s site. That kind of account is <a href=\"https:\/\/www.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/38632\/\" target=\"_blank\" rel=\"noopener nofollow\">very appealing to cybercriminals<\/a>. Here\u2019s how one attack worked, and how far this kind of breach can go.<\/p>\n<h2>Phishing scheme<\/h2>\n<p>The attack began with some classic phishing. In this case, they attempted to frighten the recipient into quick action by invoking a cyberattack \u2014 posing as the hosting provider, the crooks claimed they\u2019d temporarily blocked the account in response to an attempt to buy a suspicious domain through it. 
To regain control of the account, the message said, the recipient needed to follow the link and log in to their personal account.<\/p>\n<div id=\"attachment_38784\" style=\"width: 1407px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/02\/16145042\/hosting-provider-phishing-email.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-38784\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/02\/16145042\/hosting-provider-phishing-email.jpg\" alt=\"Phishing e-mail sent by cybercriminals posing as a hosting provider\" width=\"1397\" height=\"898\" class=\"size-full wp-image-38784\"><\/a><p id=\"caption-attachment-38784\" class=\"wp-caption-text\">Phishing e-mail sent by cybercriminals posing as a hosting provider.<\/p><\/div>\n<p>The message body is full of red flags. It contains neither the provider\u2019s name nor its logo, suggesting the use of a common template for clients of different hosting providers. The provider\u2019s name appears just once, in the sender\u2019s name. What\u2019s more, that name does not match the mail domain, an obvious sign of foul play.<\/p>\n<p>The link leads to an unconvincing login page. Even the color scheme is off. 
The likely hope is that the user will act in a panic and not notice.<\/p>\n<div id=\"attachment_38785\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/02\/16145119\/hosting-provider-phishing-web-page.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-38785\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/02\/16145119\/hosting-provider-phishing-web-page.jpg\" alt=\"Fake website pages\" width=\"1460\" height=\"558\" class=\"size-full wp-image-38785\"><\/a><p id=\"caption-attachment-38785\" class=\"wp-caption-text\">Fake website pages.<\/p><\/div>\n<p>As with any phishing, entering credentials on this page is equivalent to handing control to the cybercriminals. In this case, however, that means handing over the corporate website keys. Weirdly, they ask for some financial details as well, the purpose of which is unclear.<\/p>\n<h2>Why a hosting provider?<\/h2>\n<p>Take a look at the login page. All\u2019s well with the phishing site\u2019s certificates. Its reputation seems fine. That makes sense; cybercriminals didn\u2019t create the domain, they just hijacked it, likely using a similar attack.<\/p>\n<p>What cybercriminals can do with control of a personal account on a host\u2019s website depends on the provider. To name a few likely examples, they can relink to other content, update site content through a Web interface, and change the FTP password for content management. In other words, cybercriminals have options.<\/p>\n<p>Possibilities too broad? Well, here are some more specific ideas. If cybercriminals take control of your site, they might add a phishing page, use your site to host a link for downloading malware, or even use it to attack your clients. 
In short, they can trade on your company\u2019s name and website reputation for malicious purposes.<\/p>\n<h2>How to guard against phishing attacks<\/h2>\n<p>Phishing e-mails can be very persuasive. To avoid getting hooked, first of all, employees need to be vigilant. We recommend that you:<\/p>\n<ul>\n<li>Maintain a policy of never clicking links to a personal account. Anyone who receives a worrying message from their hosting provider should log in to the legitimate site, starting by typing the address into their browser address bar.<\/li>\n<li>Turn on two-factor authentication on the provider\u2019s website. If the provider doesn\u2019t offer 2FA, find out when they plan to add the feature.<\/li>\n<li>Remain alert to obvious signs of phishing (such as a mismatch between the sender\u2019s name and e-mail domain, or incorrect domain names on websites). Ideally, train employees to identify phishing attempts (one option is to use an <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">online training platform<\/a>).<\/li>\n<li>Install corporate mail security solutions on all <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">servers<\/a> and <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">devices<\/a> employees use for Internet access.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>How, and why, cybercriminals attack accounts on hosting provider sites. 
<\/p>\n","protected":false},"author":2598,"featured_media":38786,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[19,4039,76,941],"class_list":{"0":"post-38783","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-email","10":"tag-hosting","11":"tag-phishing","12":"tag-web"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hosting-provider-phishing-web-page\/38783\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hosting-provider-phishing-web-page\/22531\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hosting-provider-phishing-web-page\/18023\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hosting-provider-phishing-web-page\/24246\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hosting-provider-phishing-web-page\/22315\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hosting-provider-phishing-web-page\/21083\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hosting-provider-phishing-web-page\/24762\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hosting-provider-phishing-web-page\/23974\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hosting-provider-phishing-web-page\/30129\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hosting-provider-phishing-web-page\/9351\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hosting-provider-phishing-web-page\/16424\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hosting-provider-phishing-web-page\/16976\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/hosting-provider-phishing-web-page\/14499\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hosting-provider-phishing-web-page\/2
6259\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/hosting-provider-phishing-web-page\/26716\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hosting-provider-phishing-web-page\/23573\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hosting-provider-phishing-web-page\/28910\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hosting-provider-phishing-web-page\/28718\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=38783"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38783\/revisions"}],"predecessor-version":[{"id":38787,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38783\/revisions\/38787"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/38786"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=38783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=38783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=38783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}