Phishing Wave to Sniff FTP Credentials

In a new wave of phishing attacks, Symantec has observed that attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack.

The attackers asks users to click on the link provided in the spam message, which will lead the users to open an “FTP access confirmation” page where the FTP credentials of the recipients are stolen. Attackers use a phishing cPanel page to do this (cPanel is Web hosting administration tool).

Some of the various subject lines observed are as follows:

Subject: for [hosting domain name] webhosting user
Subject: [hosting domain name] web hosting update
Subject: [hosting domain name] webhosting update
Subject: for [hosting domain name] web hosting user

The phishing URL contains a user’s email address and the domain name of a Web hosting service provider. Once FTP credentials are entered and submitted by clicking the “Confirm FTP Access” button, users are directed to their hosting site that is specified in a “service=” tag.

Example:

http://cpanel.[removed].me.uk/scripts/cpanel-ftp-confirmation.php?session=[removed]&email=[removed]&service=[hosting domain name]

Giving up FTP details may lead to a further loss of confidential data, the hosting of illegal websites (child pornography sites, phishing sites, etc.), and/or delivery of malware to the victim's computer by the attacker. Symantec advises users to ignore such emails and recommends having anti-spam and anti-fraud solutions installed with latest signatures to prevent sensitive information from being compromised.