Attackers try to swindle FTP credentials in cPanel scam

Messages appear to come from trusted web hosting providers.

A new phishing campaign is designed to steal FTP credentials from website owners so the fraudsters can set up fake bank websites, a security firm has warned.

The messages appear to come from web hosting providers, such as Yahoo, according to researchers at Trusteer. The emails target owners of sites that use cPanel, which provides these hosting providers with back-end automation software for building assets such as email accounts and databases. cPanel also handles FTP account control.

The phishers request the FTP credentials of the recipient, according to a Trusteer report.

"Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details," one message reads. "Please confirm your FTP details by using the link below."

Customers of at least 90 hosting providers are being targeted, Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, said in a blog post.

The attackers urge recipients to click on a link that leads them to a page that appears to belong to cPanel, asking them to reveal their FTP login information, Trusteer said. If they comply, the thieves use the stolen credentials to upload bank phishing pages to the victim sites. They then launch separate phishing scams dedicated to stealing bank login information.

"By stealing cPanel login credentials, criminals do not need to use hacking tools to upload content to a website, and therefore can avoid detection until after they have siphoned funds from consumer and business banking accounts," Trusteer CTO Amit Klein said in a statement.

Aaron Phillips, vice president of operations at cPanel, told SCMagazineUS.com that the company was aware of the phishing campaign, but declined to comment further.

A spokeswoman for Yahoo, one of the web-hosting companies whose name is being leveraged in the attacks, could not be reached.

The Trusteer report said companies that fall for the attack face website downtime, due to efforts by banks to have any phishing pages removed, as well as business and reputational harm if the sites are added to phishing blacklists.

This news comes on the heels of a Trusteer study released last week that found that roughly half of online banking customers who visit phishing sites give up their login details, which could cost banks millions each year. However, the number of people who surf to these sites is only about 1 out of 100.

The company based its findings on a sampling of users who run its browser security service.

See original article on scmagazineus.com


Copyright © SC Magazine, US edition