Cyber criminals often use scare tactics to prod their victims into interacting with their phishing links and malicious programs. In the case we are about to go through, hosting provider accounts were targeted with emails designed to incite a false sense of urgency. This hosting provider phishing scam shows how some hackers keep relying on traditional, age-old phishing methods and yet still manage to claim victims.
The phishing scheme used
The email reached the victim’s inbox from a spoofed sender address. Its message warned the user that their account was being used to renew a domain with the hosting provider, that the provider had deemed this ‘renewal activity’ suspicious, and that it had therefore temporarily suspended the victim’s hosting account. The email lists some details of a bogus transaction and ends with a button that takes the victim to a fake login form. It promises that once the user logs in, the account suspension will be lifted.
Analysing the phishing scam
Following is a screenshot of the phishing email:
Let us first look at the tell-tale signs of phishing in the email body. First, the email opens with a generic “Dear customer” salutation. A hosting provider that regularly emails its clientele would most likely address them by first name, especially when the email concerns renewals, payments or account updates rather than a general mass communication. This alone is a sign of a mass phishing attempt.
Next, the email is full of typos and mistakes. Take a look at: “… a possibility That someone other than you is trying to log in.” The button at the bottom also has the wrong capitalization, or rather, no capitalization at all. Any self-respecting organization with a brand to protect would think twice before letting silly mistakes like this reach its customers.
Moreover, the email uses no template carrying the hosting provider’s branding or logo. The sender’s name appears only once, in the From section of the email, and it does not even match the From address, which is a big no-no.
Now, if someone does click the phishing button, they land on a thoroughly unconvincing login page. Here too, the branding is off. The form also asks for financial information, which does not fit the ruse the hackers are using: why would you need to enter your financial details to unlock your account?
But because the victim is already in a panicked state, these warning signs are overlooked. Once the victim enters their credentials, they cede control of their entire website, which is no small reward for the hackers.
How to prevent this hosting provider phishing scam and others
- Be alert. Don’t respond to any email in a panicked or excited state of mind.
- Take a close look at the email details, the email body, and the wording. If you feel suspicious activity is afoot, do not act on the email.
- Call the vendor and verify the communication that you have received.
- Check the ‘From’ address of the email.
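As an added example that is not part of the original article, the following Python script encodes the red flags discussed above (generic salutation, urgency wording, a display name that does not match the From address, and links pointing to a domain other than the sender's) and runs them over a constructed message modelled on the scam. The sender name, domains, link and transaction details are invented for the demonstration, and the heuristics are deliberately simple: they illustrate the checks, not a production mail filter.

```python
"""Added example (not from the original article): a small triage script that
checks a raw email for the red flags the article lists. The sample message,
sender names, domains and link are constructed for the demonstration."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

# Constructed sample modelled on the scam described in the article (not the real email).
SAMPLE_EMAIL = """\
From: Example Hosting Support <billing-alerts@secure-mailer-notify.net>
To: customer@example.org
Subject: Account Suspended - Action required
Content-Type: text/plain; charset="utf-8"

Dear customer,

We detected a domain renewal on your account. There is a possibility That
someone other than you is trying to log in. Your hosting account has been
temporarily suspended.

Transaction ID: 8841-2210   Amount: 129.00 USD

verify your account: http://login-example-hosting.example-phish.net/verify

Example Hosting Team
"""

URGENCY_WORDS = ("suspended", "immediately", "action required", "unusual")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear client")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Generic words that tell us nothing about which organisation is sending.
NOISE_WORDS = {"support", "team", "billing", "the"}


def extract_body(msg: Message) -> str:
    """Return the plain-text body, handling single-part and multipart mail."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_mismatch(name: str, domain: str) -> bool:
    """Heuristic: True when no meaningful word of the display name appears
    anywhere in the sending domain (e.g. 'Example Hosting' sent from
    secure-mailer-notify.net)."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", name)
             if w.lower() not in NOISE_WORDS]
    return bool(words) and not any(w in domain for w in words)


def triage(raw: str) -> List[str]:
    """Return a list of human-readable red flags found in the raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    body = extract_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    if display_name_mismatch(name, domain):
        flags.append(f"display name '{name}' does not match sender domain '{domain}'")
    if any(body.lstrip().lower().startswith(s) for s in GENERIC_SALUTATIONS):
        flags.append("generic salutation")
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    for host in URL_RE.findall(body):
        if domain and not host.lower().endswith(domain):
            flags.append(f"link host '{host}' differs from sender domain '{domain}'")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run on the constructed sample, the script reports four flags: the display-name/domain mismatch, the generic salutation, the urgency wording, and the link host that differs from the sending domain. Any one of these is worth a pause before clicking; together they make a strong case for calling the vendor instead.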
We didn’t spot the red flags in the above scam quickly simply because we work in the security industry; we did so thanks to years of keeping up to date with phishing tricks and hacking attempts. Anybody can do the same, even if they are not from the technology or cyber security industry.
For further resources, read our blog on preventing phishing scams by understanding hacker mindsets.