A clever phishing campaign is targeting bloggers and website owners with emails that pretend to come from their hosting provider and ask them to upgrade their domain to secure DNS (DNSSEC).
Because it is easy to work out who hosts a given website (from WHOIS records, the IP address it resolves to and the HTTP response headers it returns), the emails are highly targeted: each one impersonates the hosting company the victim actually uses.
In a new Sophos report, researchers explain how fraudsters use this WHOIS information to send targeted emails that "impersonate" WordPress, NameCheap, HostGator, Microsoft Azure and other well-known hosting companies.
Sophos first spotted the scam when it received a phishing message purporting to come from WordPress, which hosts its Naked Security blog.
The Domain Name System (DNS) is the internet's equivalent of a phone book: it maps human-readable domain names to the IP addresses of the servers where websites are hosted.
DNSSEC is a newer extension that adds cryptographic signatures to DNS answers, so that a resolver can verify that a response really comes from the domain's authoritative servers and has not been forged or altered in transit (it does not encrypt DNS traffic). It is normally switched on by the registrar or DNS hosting provider rather than by the site owner, and what it protects against is spoofed DNS answers, such as cache poisoning, not data breaches.
The phishing messages claim that the site's DNS provider is upgrading it to DNSSEC, but that the owner must click a link to activate the new security feature.
The Sophos report points out that DNSSEC is not something website owners are used to setting up themselves.
"You probably never set up DNSSEC or used it yourself, because it was usually a function used by service providers to keep DNS databases intact when exchanging data with other DNS servers," the report explains.
Since most independent bloggers will rarely have had a reason to look into DNSSEC, the scammers exploit both their curiosity and their fear of losing their site.
Clicking the malicious link in the email leads to an "unexpectedly believable" Update Assistant page.
Interestingly, these pages are generated dynamically from base64-encoded GET parameters in the URL. The parameters tell the backend which hosting company's name and logo to display and which customer website to name, which lets a single phishing kit pose as any of the impersonated brands.
Among the hosting companies impersonated are HostGator, HostMonster, KonaKart, Linode, Magento, Microsoft Azure, NameCheap and Network Solutions.
The goal of the campaign is to steal credentials from unsuspecting users; no DNSSEC protection is ever provided.
Victims are told that once the update is complete they will be redirected to their website. That is not what happens, possibly because of a programming mistake by the scammers, possibly by design.
"As you can see, the scammers claim that you will be redirected to your own site at the end of the process, but you instead end up at a URL that includes your site name preceded by the name of the fake site set up by the scammers. This produces a 404 error. What we cannot tell you is whether the scammers made a programming mistake and accidentally redirected you to https://[THEIRDOMAIN]/your.example instead of directly to https://your.example, or whether they did it on purpose, so as not to redirect you straight to your login page, which would look suspicious given that you had already entered your username and your password," Sophos states in its report.
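Two details above give a defender something concrete to check in a suspicious link: the base64-encoded GET parameters that drive the fake Update Assistant page, and the redirect that lands on https://[THEIRDOMAIN]/your.example instead of your own site. The Python below is an added triage helper written for this article; it is not code from Sophos or from the phishing kit. The parameter names h and s, the host update-assistant.invalid and the sample link are constructed assumptions, since the report does not publish the real ones. It decodes every query value that is valid base64 (tolerating the URL-safe alphabet, stripped padding and the '+' that query-string parsers turn into a space) and flags any URL in which your own domain appears inside a link to someone else's host, whether in the path, as a lookalike subdomain, or hidden in a base64 parameter.

```python
"""Triage helper for links of the kind described in the article (added example)."""
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlsplit


def decode_b64_value(value: str) -> Optional[str]:
    """Decode one query value as base64 text.

    Tolerates the URL-safe alphabet ('-' and '_'), stripped '=' padding and a '+'
    that the query-string parser has already turned into a space. Returns None
    when the value is not base64 or does not decode to printable UTF-8 text.
    """
    raw = value.strip().replace(" ", "+")       # parse_qsl maps '+' to ' '; undo that
    if len(raw) < 4:
        return None                             # too short to carry a name or domain
    normalised = raw.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)  # restore padding the kit stripped
    try:
        text = base64.b64decode(normalised, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):        # UnicodeDecodeError is a ValueError
        return None
    return text if text and text.isprintable() else None


def decode_b64_params(url: str) -> Dict[str, str]:
    """Return {parameter: decoded text} for every query value that is base64 text."""
    decoded: Dict[str, str] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = decode_b64_value(value)
        if text is not None:
            decoded[name] = text
    return decoded


def embeds_own_domain(url: str, own_domain: str) -> bool:
    """True when own_domain shows up in a link whose host is NOT own_domain
    (or a subdomain of it): in the path, as a lookalike subdomain such as
    your.example.attacker.test, or hidden inside a base64 query parameter."""
    host = (urlsplit(url).hostname or "").lower()
    own = own_domain.lower().strip(".")
    if host == own or host.endswith("." + own):
        return False                            # genuinely your own site
    haystack = url.lower() + " " + " ".join(decode_b64_params(url).values()).lower()
    return own in haystack


def triage(url: str, own_domain: str) -> Dict[str, object]:
    """Summary a site owner or SOC analyst can act on for one suspicious link."""
    return {
        "host": urlsplit(url).hostname,
        "decoded_params": decode_b64_params(url),
        "own_domain_embedded": embeds_own_domain(url, own_domain),
    }


# Constructed sample link (not from the report): the kit's real parameter names are
# unknown, so 'h' (hosting brand) and 's' (victim site) are assumptions. The brand is
# URL-safe base64 with its padding stripped, as kits often do to keep links tidy.
_BRAND = base64.urlsafe_b64encode(b"Network Solutions").decode().rstrip("=")
_SITE = base64.b64encode(b"your.example").decode()
SAMPLE_LINK = f"https://update-assistant.invalid/dnssec/?h={_BRAND}&s={_SITE}&lang=en"

if __name__ == "__main__":
    print(triage(SAMPLE_LINK, "your.example"))
    print(triage("https://update-assistant.invalid/your.example", "your.example"))
```

The padding and alphabet handling is deliberate: a naive base64.b64decode on values copied out of a URL fails on stripped '=' and on '+' characters that the query parser has already turned into spaces, so a decoder that does not normalise first silently misses exactly the values that reveal which brand and which victim a link was built for.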
As a general rule, to protect against scams like this, email recipients should be very careful about which links they click in an email, and especially about entering credentials on unfamiliar sites and systems. If you want to know whether your domain already has DNSSEC, check in your registrar's or DNS host's own control panel rather than following a link from an email.
Enabling two-factor authentication on hosting and blog accounts can also help blunt phishing attacks that aim to steal login credentials.
Source of information: Sophos