Spearphishing Attacks Against Hostmonster Customers

I tend to see a lot of phishing emails. The message I received this morning caught my eye. It was fairly well crafted and obviously targeted. After searching the Internet, I found that some GoDaddy customers have received something similar. This seems to be making its way around the internet to website administrators. The most curious thing to me is how someone associated the email address with a Hostmonster account.

Phishing Email Message

[Screenshot of the phishing email, captured 2015-11-18]

As can be seen above, the message read–

Your account contains more than 4035 directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we recommend that you create special temp directory.

The link goes to kct67<dot>ru.

Message headers also suggest a Russian origin–

Received: by 10.140.27.139 with SMTP id 11csp1084546qgx;
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
X-Received: by 10.25.161.211 with SMTP id k202mr1408853lfe.161.1447820739327;
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
Return-Path: <[email protected]>
Received: from bmx1.z8.ru (bmx1.z8.ru. [80.93.62.39])
        by mx.google.com with ESMTPS id xd10si580044lbb.198.2015.11.17.20.25.39
        for <[email protected]>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 80.93.62.39 as permitted sender) client-ip=80.93.62.39;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 80.93.62.39 as permitted sender) [email protected]
Received: from pike.intph ([10.13.29.0] helo=pike.z8.ru)
	by bmx1.z8.ru with esmtp (Exim 4.77 (FreeBSD))
	(envelope-from <[email protected]>)
	id 1ZyuJH-000K6k-JN
	for [email protected]; Wed, 18 Nov 2015 07:25:31 +0300
Received: (from [email protected])
	by pike.z8.ru (8.14.5/8.13.8/Submit) id tAI4P7lP079360;
	Wed, 18 Nov 2015 07:25:07 +0300 (MSK)
	(envelope-from qce)
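A small header-triage script, added here as an illustration and not part of the original post, that walks the Received chain the way the analysis above does: it picks out the Internet-facing relay that handed the message to the receiving MX, reads the SPF verdict, and checks whether any sending host belongs to the provider the mail claims to come from. The sample headers are constructed from the ones quoted above with placeholder mailbox names, and the provider domain passed in is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted above; mailbox names are placeholders.
SAMPLE = """Received: by 10.140.27.139 with SMTP id 11csp1084546qgx;
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
Received: from bmx1.z8.ru (bmx1.z8.ru. [80.93.62.39])
        by mx.google.com with ESMTPS id xd10si580044lbb.198.2015.11.17.20.25.39
        for <victim@example.com>; Tue, 17 Nov 2015 20:25:39 -0800 (PST)
Received-SPF: pass (google.com: domain of sender@z8.ru designates 80.93.62.39 as permitted sender) client-ip=80.93.62.39;
Received: from pike.intph ([10.13.29.0] helo=pike.z8.ru)
        by bmx1.z8.ru with esmtp (Exim 4.77 (FreeBSD))
        (envelope-from <sender@z8.ru>) id 1ZyuJH-000K6k-JN
        for victim@example.com; Wed, 18 Nov 2015 07:25:31 +0300

"""

HOP_RE = re.compile(r"\bfrom\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg):
    """Relay hops newest-first as {from, ip, by}; lines without 'from X (...) by Y' are skipped."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(raw.split()))  # unfold continuation lines
        if m:
            ip = IP_RE.search(m.group(2))
            hops.append({"from": m.group(1), "ip": ip and ip.group(1), "by": m.group(3)})
    return hops


def analyze(raw_message, provider_domains):
    """Delivering relay, SPF verdict, and whether any sending host belongs to the claimed provider."""
    msg = message_from_string(raw_message)
    hops = parse_hops(msg)
    # First hop (receiver side) with a routable source address is the real delivering relay.
    entry = next((h for h in hops if h["ip"] and ipaddress.ip_address(h["ip"]).is_global), None)
    spf = " ".join(msg.get("Received-SPF", "").split())
    verdict = re.match(r"(\w+)", spf)
    client_ip = re.search(r"client-ip=([\d.]+)", spf)
    hosts = [h["from"] for h in hops]
    # SPF 'pass' only says the envelope domain (z8.ru) authorised that IP; it says nothing
    # about whether that domain is the hosting provider the message body claims to be.
    return {
        "entry_hop": entry,
        "spf": (verdict.group(1).lower() if verdict else None, client_ip.group(1) if client_ip else None),
        "sender_hosts": hosts,
        "sent_via_provider": any(h == d or h.endswith("." + d) for h in hosts for d in provider_domains),
    }
```

Running `analyze(SAMPLE, ("hostmonster.com",))` (assumed provider domain) reports the entry relay as bmx1.z8.ru at 80.93.62.39 with SPF passing, yet no sending host under the provider's domain, which is exactly the combination that should raise suspicion.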

My word of advice would be that site administrators exercise caution when opening messages from their hosting providers. In addition, it certainly makes sense to change applicable passwords on a regular basis.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

One Response to Spearphishing Attacks Against Hostmonster Customers

  1. K says:

    I just got a similar message, and I, too, am an actual Hostmonster account owner.
