In recent weeks, clients of several hosting companies have been the victims of phishing attacks that aim to steal their login credentials in order to hijack their sites. In this article I’m going to look at what a phishing attack involves and how web hosting clients can protect themselves.
What Is A Phishing Attack?
In a phishing attack, an attacker will communicate with the victim under the guise of a trusted third party in an attempt to trick the victim into revealing private information. The paradigmatic example of a phishing attack is an attempt to harvest banking details from unsuspecting customers. To do this, attackers will create an email that closely resembles genuine emails from the bank, with the right branding and design. The email will use a pretext to influence the customer to click on a link — for example, the email might claim that there has been a security breach and ask customers to log in to their account to verify their account details.
The link in the email will not lead to the bank’s site, but to a site built by the attackers to look like it, complete with a login page. When the customer enters their login details on that page, they have handed their authentication credentials to the attacker, who can then sell them or use them to access the account.
In a recent attack, GoDaddy clients were sent an email that purported to be from the hosting company. A number of customers used their log-in credentials on the fake site, and consequently, their hosted sites were hijacked.
Attackers use this method because it is far cheaper than brute-forcing passwords or hunting for a software vulnerability. They employ social engineering to persuade a customer to simply hand over their authentication details.
How To Spot A Phishing Attack
Some phishing attacks are poorly executed and easily spotted. If you get an email from your hosting company that is full of spelling and grammar errors, or that makes alarmist threats about security, the chances are that it’s not genuine.
But some phishers are very sophisticated and it is essentially impossible to tell the difference between a fake and genuine email just by looking at it.
However smart the phishers are, they don’t control the hosting company’s domain. So, let’s say the hosting company is ExampleHosting and it uses the domain name examplehosting.com. The attacker does not control this domain, so they can’t host the phishing page there; it has to live on a domain they do control. When you get an email with a link in it, check where the link actually goes (hover over it in most mail clients, or inspect the link target rather than the visible text, which can say anything) and make sure the destination domain name is what you expect it to be. In our example, a link that goes to egzamplehosting.com is a clear indication that the email isn’t genuine. The sender address is no help here: the From: line of an email can be forged, so a sender that reads as examplehosting.com proves nothing on its own.
This can sometimes be confusing because people don’t understand how domain names are put together. Take “http://client.examplehosting.com”. Reading from right to left, we have the top-level domain (.com), which should match the one the hosting company normally uses. Next is the name specific to the company (examplehosting); together with the top-level domain this is the registered domain, and it must be identical to the one you know your hosting company uses. Don’t be fooled by a change of one letter. Everything further left is a subdomain (“client” in this case, but often “www”). The owner of the registered domain can create any subdomain they like, so a subdomain different from the one you were expecting does not by itself indicate a spurious email if the registered domain is correct. The same rule cuts the other way: an attacker can put the real company name into a subdomain of a domain they own, so “http://client.examplehosting.com.attacker.example” belongs to attacker.example, not to ExampleHosting. What matters is the name immediately to the left of the top-level domain (for two-part suffixes such as .co.uk, the name to the left of those two labels), not whether the familiar name appears somewhere in the address.
The essential lesson to learn here is that if you’re at all suspicious, do not use a link in an email from your hosting provider. Instead, go to their site yourself, by typing the domain name you know into the address bar of your browser or using a bookmark you saved earlier (a search result is less reliable, since sponsored results can also point at lookalike sites), and log in there.
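The domain check described above can be automated for the links in an email body. The following Python script is an added example, not part of the original article or of any hosting company’s tooling. It reads the real destination of each link (the href, not the visible text), reduces it to a hostname, and accepts the link only if that host is the expected registered domain or a subdomain of it, which catches the lookalike spelling, the real-name-as-subdomain trick, and the user@host trick. The sample email body, the attacker.example domain and the function names are constructed for the illustration; examplehosting.com is the article’s own example. The suffix check assumes the expected domain is a plain registered domain such as examplehosting.com; for suffixes like .co.uk you would compare against a public suffix list instead, and the script does not attempt to catch lookalike Unicode characters.

```python
"""Check the links in an e-mail body against the domain you expect.

A link is trusted only if the host of its real destination (the href,
not the text shown to the reader) is the expected registered domain or
a subdomain of it. Everything else is reported as suspicious.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of [href, visible text]
        self._current = None   # the pair being filled while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = [href, ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def hostname_of(url):
    """Return the lowercase host of a URL, or None if it has none.

    urlsplit() discards any user@ prefix, so the classic
    'http://examplehosting.com@attacker.example/' resolves to attacker.example.
    """
    host = urlsplit(url.strip()).hostname
    return host.lower().rstrip(".") if host else None


def is_expected_domain(host, expected):
    """True if host is exactly the expected domain or a subdomain of it.

    Assumes 'expected' is a registered domain such as examplehosting.com;
    a trailing-label match is what the right-to-left reading in the
    article amounts to, and it rejects examplehosting.com.attacker.example.
    """
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def check_links(html_body, expected_domain):
    """Return (href, verdict, reason) for every link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        host = hostname_of(href)
        if host is None:
            results.append((href, "suspicious", "no host in link target"))
            continue
        # Visible text that looks like a URL but points elsewhere is the
        # display-text trick; compare the host it shows with the real one.
        text_host = hostname_of(text) if "://" in text else None
        if text_host and text_host != host:
            results.append((href, "suspicious",
                            f"link text shows {text_host} but target is {host}"))
            continue
        if not is_expected_domain(host, expected_domain):
            results.append((href, "suspicious",
                            f"destination host {host} is not under {expected_domain}"))
            continue
        results.append((href, "ok", ""))
    return results


# Constructed sample e-mail body: one genuine link followed by four
# phishing patterns (lookalike spelling, real name as a subdomain of the
# attacker's domain, user@ trick, and display text that lies).
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<a href="https://client.examplehosting.com/login">Log in to your account</a>
<a href="https://client.egzamplehosting.com/login">Verify your details</a>
<a href="http://examplehosting.com.attacker.example/login">Verify now</a>
<a href="http://examplehosting.com@attacker.example/login">Account review</a>
<a href="http://attacker.example/x">https://client.examplehosting.com/login</a>
"""

if __name__ == "__main__":
    for href, verdict, reason in check_links(SAMPLE_EMAIL, "examplehosting.com"):
        print(f"{verdict:10} {href}  {reason}")
```

Run it as a script to see the verdict for each link in the constructed sample; only the first link is reported as ok. The check deliberately ignores the sender address and the link’s wording, because neither is under the hosting company’s control in the way the registered domain is.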
About Rachel Gillevet
Rachel is the technical writer for WiredTree, a leader in fully managed dedicated and VPS hosting. Follow Rachel and WiredTree on Twitter, @wiredtree, like them on Facebook, and check out more of their articles on their web hosting blog, http://www.wiredtree.com/blog.