Customers of almost one hundred hosting providers targeted

Dec 7, 2009 13:57 GMT

Cybercrooks are on the hunt for FTP credentials with a new phishing campaign that targets the customers of many hosting companies. Under the pretext of system maintenance, the rogue emails direct unsuspecting webmasters to phishing pages.

According to Gary Warner, director of research in Computer Forensics at the University of Alabama at Birmingham, over 90 popular shared Web hosting services have been abused through these automatically generated emails. The message is identical in all of them, but the named company differs.

"Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details. Please confirm your FTP details by using the link below," the emails read. The included link is of the form http://cpanel.[domain_name]/scripts/cpanel-ftp-confirmation.php?session=######, where the domain names are the likes of hostgator.com, resellerclub.com, godaddy.com or even yahoo.com.

Clicking on the URL takes the user to a fake website that mimics the branding of cPanel, a popular hosting platform management application. The page contains a form for entering the FTP hostname, login and password. If this form is filled in and submitted, the user is redirected to the real website of the hosting company in order to avoid raising suspicion.
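As an added example that is not part of the original article, the following Python triage check flags mail bodies carrying URLs of the form described above (a `cpanel.` host in front of an impersonated hosting brand, the `cpanel-ftp-confirmation.php` path and a `session=` parameter). The brand list and the sample messages are constructed from the article's own examples.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosting brands the article names as impersonated in this campaign.
IMPERSONATED_BRANDS = {"hostgator.com", "resellerclub.com", "godaddy.com", "yahoo.com"}
# Lure path quoted in the article; the session value was only shown as "######".
LURE_PATH = "/scripts/cpanel-ftp-confirmation.php"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def lure_reasons(url):
    """Return the indicators that make `url` look like this campaign's lure.

    An empty list means nothing in the article's description matched.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if host.startswith("cpanel.") and host[len("cpanel."):] in IMPERSONATED_BRANDS:
        reasons.append("cpanel.<impersonated hosting brand> host")
    if p.path.lower() == LURE_PATH:
        reasons.append("cpanel-ftp-confirmation.php lure path")
    if "session" in parse_qs(p.query):
        reasons.append("session= tracking parameter")
    return reasons

def flag_messages(messages):
    """Scan message bodies and return (message index, url, reasons) for suspicious URLs.

    A URL is reported when the lure path matches or at least two weaker indicators
    co-occur; a lone session= parameter on an unrelated host is not enough to flag.
    """
    hits = []
    for i, body in enumerate(messages):
        for url in URL_RE.findall(body):
            reasons = lure_reasons(url)
            if any("lure path" in r for r in reasons) or len(reasons) >= 2:
                hits.append((i, url, reasons))
    return hits

# Constructed sample inbox: one lure as described in the article, two benign mails.
SAMPLE_MESSAGES = [
    "Due to the system maintenance ... confirm your FTP details: "
    "http://cpanel.hostgator.com/scripts/cpanel-ftp-confirmation.php?session=123456",
    "Your invoice is ready at https://billing.example.com/invoice?id=42",
    "Docs: https://example.com/scripts/readme.php?session=abc",
]

if __name__ == "__main__":
    for idx, url, why in flag_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: {url} -> {', '.join(why)}")
```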

Cybercriminals are harvesting FTP accounts because they allow them to modify the content of legitimate websites and serve exploit cocktails to their visitors. This technique has been encountered before in mass web injection attacks such as Gumblar, which many security companies listed as the most prevalent threat on the Web during the second quarter of this year.

In June, security researchers from Prevx found hijacked FTP credentials for over 68,000 websites on a Zbot dumping site. Companies such as Amazon, Cisco, BBC, Symantec, McAfee, Monster, or even Bank of America were amongst the victims. In that case, the information was most likely stolen by the Zbot trojan from infected machines.

"If you are a webmaster and have received one of these emails, please be sure to contact your hosting provider to reset your passwords immediately, and review your pages to see what changes may have been made," Gary Warner advises.