If you run a website or a blog, you probably use a cloud provider or a dedicated hosting company to manage your server and deliver the content to your readers, viewers and listeners.
We certainly do – both Naked Security and our sister site Sophos News are hosted by WordPress VIP.
That’s not a secret (nor is it meant to be), not least because most providers identify themselves in the HTTP headers they send back in their web replies, if only as a matter of courtesy:
$ getheaders https://news.sophos.com Connecting... OK. TLS handshake... OK. ---headers--- server: nginx date: Mon, 29 Jun 2020 10:21:21 GMT content-type: text/html; charset=UTF-8 content-length: 0 x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header. x-powered-by: WordPress VIP host-header: e66d35b329a7c2cff66075eaf4530d13 x-redirect-by: WordPress location: /en-us/ age: 0 x-cache: miss strict-transport-security: max-age=31536000 ---headers---
Because your choice of hosting provider is usually easy enough for anyone to figure out, you probably already receive your fair share of spam from companies saying, “Hey, I see you use web provider X, and we just happen to have enormous expertise in that area, so why not contact us…”
…and we’re willing to bet that you have lots of reasons why not, including that you don’t much like receiving unsolicited emails trying to drum up business.
We certainly get our fair share of spams of that sort, typically saying they can help us switch providers, optimise our content, boost our Google ranking and so on.
But over the weekend we received a message that was a bit more believable than the rest.
This scam pretended to come from WordPress itself, and claimed that DNS security features would soon be added for our domain:
From: WordPress
Subject: nakedsecurity.sophos.com DNS Update
We’re upgrading your domain DNS for something even better, freely!
We care about your privacy and the protection of your domains, so we will soon be upgrading them, from basic Domain Name System (DNS) to Domain Name System Security Extensions (DNSSEC).
As you probably know, DNS is short for domain name system, and it’s the globally distributed database that turns server names that humans can remember, such as nakedsecurity.sophos.com
, into network numbers that computers can use, such as 203.0.113.171
.
And DNSSEC really exists – it’s a protocol that adds authentication to DNS data transfers to help stop cybercriminals filling the DNS database with bogus entries and thereby hijacking web traffic.
In fact, you’ve probably heard of DNSSEC, short for domain name system security extensions, because it’s been around for more than 20 years.
On the other hand, you’ve probably never set up DNSSEC or used it directly youself, because it has typically been a feature used by service providers to help to keep their own DNS databases intact when they exchange data with other DNS servers.
In other words, activating DNSSEC for the server names that your hosting provider looks after for you certainly sounds like a good idea.
So we can understand why some recipients of this scam might click through in order to learn more.
The landing page
The landing page of this scam is surprisingly believable, as you see here, which is what we received when we clicked through for our “free” DNSSEC upgrade:
The page claims to be an “Update Assistant”, with logos and icons that match your service provider, and it even has a How to use this assistant button that actually works:
Of course, the advice here is to put in your usual WordPress password – which is exactly the opposite of what you ought to be doing.
Any data you enter here goes straight to the crooks, and if you don’t have two-factor authentication enabled on your account, the crooks may very well be able to log on to your website or blog right away and take it over completely.
The scam then shows you some fake but believable progress messages to make you think that a genuine “site upgrade” has kicked off, including pretending to perform some sort of digital “file signing” at the end.
Here’s what we saw when we entered a bogus username and passwords on the phishing page:
As you can see, the crooks claim that you’ll be redirected to your own site at the end of the process, but instead you end up at a URL that includes the name of your site preceded by the name of the fake site set up by the crooks.
This produces a 404 error – what we can’t tell you is whether the crooks made a programming blunder and accidentally redirected you to https://[THEIRDOMAIN/your.example
instead of directly to https://your.example
…
…or whether they intended this all along, to avoid redirecting to you directly to your own login page, which might seem suspicious given that you put in your username and password already.
Auto-customising the page
The clickable links in the emails sent out in this spam campaign include all the data that crooks need to tailor the login page automatically.
The link we received looked like this:
https://[REDACTED].com/?banner=V29yZFByZXNz&url=bmFrZWRzZWN1cml0eS5zb3Bob3MuY29t
If you decode the base64 text used for banner and url, you get the following:
> base.unb64('V29yZFByZXNz') WordPress > base.unb64('bmFrZWRzZWN1cml0eS5zb3Bob3MuY29t') nakedsecurity.sophos.com
By simply encoding new banner names and new URLs, we were able to auto-customise the scam page, like this:
> base.b64('totally.bogus.example') dG90YWxseS5ib2d1cy5leGFtcGxl > base.b64('Microsoft Azure') TWljcm9zb2Z0IEF6dXJl > base.b64('www.example.com') d3d3LmV4YW1wbGUuY29t > base.b64('HostGator') SG9zdEdhdG9y // Below left: https://[REDACTED].com/?banner=TWljcm9zb2Z0IEF6dXJl&url=dG90YWxseS5ib2d1cy5leGFtcGxl // Right: https://[REDACTED].com/?banner=SG9zdEdhdG9y&url=d3d3LmV4YW1wbGUuY29t
We didn’t even need to guess at the banner names that we could use, because the crooks had left the image directory browsable on their phishing site:
[. . . . . .] [IMG] HostGator.png 25-Jun-2020 19:04 12k [IMG] HostGator_avatar.png 25-Jun-2020 19:06 12k [IMG] HostMonster.png 25-Jun-2020 20:15 12k [IMG] HostMonster_avatar.png 25-Jun-2020 20:17 4k [IMG] KonaKart.png 26-Jun-2020 01:50 16k [IMG] KonaKart_avatar.png 26-Jun-2020 01:50 8k [IMG] Linode.png 25-Jun-2020 19:07 12k [IMG] Linode_avatar.png 25-Jun-2020 19:09 8k [IMG] Magento.png 22-Nov-2018 19:29 12k [IMG] Magento_avatar.png 22-Nov-2018 19:32 8k [IMG] Microsoft Azure.png 25-Jun-2020 20:10 12k [IMG] Microsoft Azure_avatar.png 25-Jun-2020 20:11 4k [IMG] Name Cheap.png 25-Jun-2020 20:22 16k [IMG] Name Cheap_avatar.png 25-Jun-2020 20:23 8k [IMG] Network Solutions.png 25-Jun-2020 19:15 12k [. . . . . .]
In total, the crooks had 98 different ripped-off brand images ready to go, all the way from Akamai to Zen Cart.
What to do?
- Don’t login via links sent in email. If you receive an email that says you need to login to service X, and you do have an account with X, ignore any login links in the email itself. Find your own way to the login page (for example, bookmark it yourself), even if you think the email is genuine. That way you won’t fall for bogus links by mistake.
- Turn on 2FA whenever you can. 2FA is short for two-factor authentication, typically based on one-time codes that are sent to your phone or generated by a special app. 2FA makes your password alone much less useful to the crooks, just in case you ever do give it away by mistake.
- Consider a password manager. Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site.
- Look for an anti-virus with live web filtering. Products such as Sophos Home (free for Windows and Mac) not only block malware from arriving onto your computer but also prevent web connections going out to risky sites in the first place, even if those sites themselves don’t actually contain malware.
K.G.H. NICHOLES
Wow. The most capable scammers get sneakier every week. So many of us are aware of security and try to stay informed, but are not expert enough to really evaluate the advice that’s out there. Including news from incoming emails, ha.
Anonymous
Who else has the urge to spam the crooks with invalid entries? Make it harder for them to find the proverbial needle in the haystack by piling on more hay as they search. I wonder if they have rate-limiting? 10000+ fake entries in a second should be easy enough. As a bonus, if enough people do it, potential DDoS.
Wilderness
I do.
Paul Littlefield
Your ‘getheaders’ command is interesting… I normally use curl or wget. What do you use for ‘getheaders’?
Paul Ducklin
It’s a small Lua script I wrote that does exactly what you see there (or reports an error), and no more.
As you say, curl and wget, if you have either or both, can easily be used to show headers, e.g. curl -I https://example.com or wget -S --spider https://example.com.
Magyver
Ooh, I love it when you guys talk scripty! :)
Aron Pacey
I am just wondering what support may web hosts provide in this regard? I mean why end user is open to threats like this.
Paul Ducklin
The problem here is that there’s not a lot a *web* hosting company can do to protect you from *email* scams… the problem here is that the email doesn’t come from your web host, it comes from someone claiming to be your web host, with a link that takes you to a fake login page – so see Tip 1 in our list of “What to do?”.
Dave
It would be cool to have IOC’s
Paul Ducklin
I hear you, but in this case [a] the domain we saw is still alive, [b] with the domain added as an IoC, it would just be too easy for some jokester to pester people by sending their “chums” emails based on the information here, and [c] there are doubtless other domains used by these scammers anyway.
So for the time being I’ll just leave you with the text as copied and pasted in the article – that’s probably as good a sign of this scam as the domain that was used, at least for the time being. HtH.
Yyzguy
“Freely!”
Poor English in the first sentence should be a red flag