Phishing Wave to Sniff FTP Credentials
- Friday, December 11, 2009, 10:32
- Threat Research
In a new wave of phishing attacks, Symantec has observed that attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack.
The attackers ask users to click on the link provided in the spam message, which leads them to an “FTP access confirmation” page where the recipients' FTP credentials are stolen. Attackers use a phishing cPanel page to do this (cPanel is a Web hosting administration tool).
Some of the various subject lines observed are as follows:
Subject: for webhosting user
Subject: web hosting update
Subject: webhosting update
Subject: for web hosting user
The phishing URL contains the user’s email address and the domain name of a Web hosting service provider. Once FTP credentials are entered and submitted by clicking the “Confirm FTP Access” button, users are directed to the hosting site specified in the “service=” parameter.
Example:
http://cpanel..me.uk/scripts/cpanel-ftp-confirmation.php?session=&email=&service=
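The URL structure and subject lines described above can be checked in a mail filter. The following is an added example, not Symantec's code: the function names are hypothetical, and the sample message and its example.* hosts are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Subject lines quoted in the post.
SUBJECTS = {"for webhosting user", "web hosting update",
            "webhosting update", "for web hosting user"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample message; hosts and values are placeholders.
SAMPLE_SUBJECT = "Web hosting update"
SAMPLE_BODY = ("Please confirm your FTP access at "
               "http://cpanel.example.net/scripts/cpanel-ftp-confirmation.php"
               "?session=abc123&email=user%40example.org&service=example.com.")

def service_host(value):
    """Host named by service=, given as a bare domain or a full URL."""
    value = value.strip()
    parts = urlsplit(value if "//" in value else "//" + value)
    return (parts.hostname or "").rstrip(".")

def url_findings(url):
    """Reasons a URL matches the structure described in the post."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if "ftp-confirmation" in parts.path.lower():
        findings.append("ftp-confirmation path")
    if "email" in query and "service" in query:
        findings.append("email and service parameters")
        svc = service_host(query["service"][0])
        # The credential form is hosted somewhere other than the provider it names.
        if svc and host != svc and not host.endswith("." + svc):
            findings.append("host differs from service domain")
    return findings

def message_findings(subject, body):
    """Return (subject_matches, {url: findings}) for one message."""
    urls = {}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,);")
        found = url_findings(url)
        if found:
            urls[url] = found
    return subject.strip().lower() in SUBJECTS, urls

if __name__ == "__main__":
    print(message_findings(SAMPLE_SUBJECT, SAMPLE_BODY))
```

A link on the provider's own domain that carries the same parameters reports only the parameter finding, so the host mismatch is the signal worth alerting on.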
Giving up FTP details may lead to a further loss of confidential data, the hosting of illegal websites (child pornography sites, phishing sites, etc.), and/or delivery of malware to the victim's computer by the attacker.