
Phishers angling for Web site administrators

Scam e-mail artists have launched a massive campaign to trick webmasters into giving up the credentials needed to administer their Web sites, targeting site owners at more than 90 online hosting providers. Experts say the attackers are attempting to build a distributed network of hacked sites through which to distribute their malicious software.

The spam e-mails arrive addressed to users of some of the top Web hosting firms, from hostgator.com to yahoo.com and 50webs.com, and bear the same basic message:

"Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details." Recipients who click the included link are brought to a Web site made to look like a cPanel page (cPanel is a widely used Web site administration software package). People who fall for the scam and provide their credentials are then forwarded on to the actual site of the Web hosting company named in the body and subject line of the scam e-mail.


According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, the perpetrators of this scam appear to be trying to capture the FTP user names and passwords of webmasters, in a bid to enlist the hacked sites in drive-by malware attacks.

If you administer a Web site and fell for this phishing scheme, be sure to contact your hosting provider and have them change your password. It would also be a good idea to review your Web site content for any recent unauthorized changes. Stopbadware.org has some great resources and a very active user community that can help affected Web site administrators clean and secure their pages.

By Brian Krebs  |  December 5, 2009; 10:05 AM ET
Categories:  Latest Warnings , Safety Tips  

Comments

Well, for one thing, you should NOT be using FTP to transfer files to your web site. If you are, then your knowledge of what good security practices are is already lacking. You should be using secure copy, or sftp/scp. If your web hosting company does not offer secure copy, time to get a new web hosting company. They are broadcasting they want to be hacked.

I own a hosting web site. I would NEVER ask someone for their credentials. EVER. If I thought there was a problem, I would change the password and then send it to you.

Simple practices really are half the battle to good online security.
1). Never click the link and give up user id and password.
2). Never transfer information over insecure connections (use https not http, use sftp not ftp).

Ok, I want to rant and rave here. But I know this is a lack of knowledge issue. And that is not a ranting and raving solution, that is a patience and sharing of knowledge solution.

Posted by: LiberalBasher | December 6, 2009 8:31 AM | Report abuse

This exploit is using domain names which were reported to the registrar as fraudulent on Friday. The registrar for these domains has done nothing about it even though many mail servers already recognize the domain names as being used to commit fraud. The same domain names are being used for American Express, facebook, IRS and other scams. The registrar simply looks the other way. I consider the registrar to be complicit in this criminal activity.

Posted by: TheGeezer | December 6, 2009 12:47 PM | Report abuse

Oh, another interesting point. In Gary Warner's list of websites being targeted by this attack, one of the sites listed is the very website which registered the fraudulent domains used for the attack. Talk about an irresponsible registrar!

Posted by: TheGeezer | December 6, 2009 1:08 PM | Report abuse

I'm neither a site administrator nor a web master, but if I saw or received anything with the name Media Fire in it, I would tread very skeptically.

Posted by: ummhuh1 | December 7, 2009 2:01 PM | Report abuse

I know you don't like this but here is my take on the pattern squatters on my blog:

http://www.securemecca.blogspot.com
(actual page):
http://preview.tinyurl.com/ykfe6zo

Basically the PAC filter I have provided will stop you from going to the pattern squatters for quite a few of the known ones, especially those involving financial institutions. It stops all of the ones you have given here. If you cannot find your financial institution listed in my PAC filter, let me know what they are and use what is written at the blog to construct the appropriate rules. Then give them to me if the financial institution is quite large. For the people writing here, the PAC filter is for when the kids are screaming and all heck is breaking loose and you haven't slept for 2-3 days and you have stubbornly resisted every effort I have made to get you to switch to Thunderbird, Claws Mail, or some other MUA that doesn't display the links. Under hectic conditions like this I can understand why somebody would click on the link. But all of the people who have responded here are not the normal PEBKAC users. I can assure you that there are thousands of compromised machines by now. Hackers don't continue an effort like this without some ROI.

But I am trying and failing to understand why we cannot demand that name service providers put on some sort of filtration that will prevent host names from being granted that have the patterns for the top few thousand domains in the name being requested. This should be especially true if any of the domains involved are financial institutions. Now I can understand the name providers not caring about BetterHostsFile.org or NewSecureMecca.com. Those are the host names where my filters are distributed with another word tacked on the front. But they are only ranked around 6,000,000+. I constantly add blocks of new trackers in my filters to make users of them as stealthy as possible. I am sure that drops my ratings. But I strongly suggest that the host name registrars start filtering out names like the ones in Dr. Warner's blog from ever being granted in the first place. Think of it as a sort of extended trademark. If that had been done at the start I probably would not be writing this. None of the scams would have occurred. The hackers would have given up.

LiberalBasher, please go to either my web site or my blog and go to the top of the PAC filter. My email address is there. I want to compile a list of web service providers that provide sftp access. I do NOT want just some advertising spiel. What is needed are detailed instructions for how to set it up openly available. They must have support for both Windows AND Unix systems. ftp should have been replaced by sftp years ago.

Posted by: hhhobbit | December 9, 2009 11:00 AM | Report abuse
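The "pattern squatter" filtering hhhobbit describes, and the lookalike hosting-provider domains the article reports, can be expressed as a PAC-style hostname check. This is an added example, not code from the post, its commenters, or hhhobbit's actual PAC filter: the brand list, the `examplebank.example` entry and every hostname in the demo are constructed; only the three hosting domains named in the article are real.

```javascript
// Added example: sinkhole hostnames that embed a protected brand token but are
// not under that brand's real registered domain ("pattern squatters").
// Constructed table: the three hosting domains come from the article, the bank
// entry is a stand-in for a financial institution.
const PROTECTED_BRANDS = {
  hostgator: ["hostgator.com"],
  yahoo: ["yahoo.com"],
  "50webs": ["50webs.com"],
  examplebank: ["examplebank.example"],
};

// A non-routable proxy: PAC engines treat it as a dead end, so the request dies.
const SINKHOLE = "PROXY 127.0.0.1:9";

// Lowercase and drop trailing dots so "Yahoo.COM." compares equal to "yahoo.com".
function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.+$/, "");
}

// True when host is the registered domain itself or a subdomain of it.
function isUnderDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Classify one hostname. Returns { block: boolean, brand: string|null }.
function classifyHost(rawHost) {
  const host = normalizeHost(rawHost);
  // Remove separators so "host-gator-ftp.example" still matches "hostgator".
  const squashed = host.replace(/[-_]/g, "");
  for (const [brand, legitDomains] of Object.entries(PROTECTED_BRANDS)) {
    if (!squashed.includes(brand)) continue;
    if (legitDomains.some((d) => isUnderDomain(host, d))) {
      return { block: false, brand }; // genuine brand host, e.g. cpanel.hostgator.com
    }
    return { block: true, brand };    // brand token riding on a foreign domain
  }
  return { block: false, brand: null }; // no protected brand involved
}

// PAC entry point: the browser passes the full URL and the bare host.
function FindProxyForURL(url, host) {
  return classifyHost(host).block ? SINKHOLE : "DIRECT";
}

// Stand-alone demo over constructed hostnames (none are real phishing domains).
for (const h of ["cpanel.hostgator.com", "hostgator.com.ftp-confirm.example",
                 "Yahoo.COM.", "yahoo-ftp-update.example", "example.org"]) {
  console.log(h.padEnd(36), FindProxyForURL("http://" + h + "/", h));
}
```

Note that the check runs on the host the browser actually resolves, so a URL with a brand name in the path or userinfo part does not fool it; a real deployment would also handle internationalized domain names, which this example leaves out.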


© 2010 The Washington Post Company