Beware “secure DNS” scam targeting website owners and bloggers

If you run a website or a blog, you probably use a cloud provider or a dedicated hosting company to manage your server and deliver the content to your readers, viewers and listeners.
We certainly do – both Naked Security and our sister site Sophos News are hosted by WordPress VIP.
That’s not a secret (nor is it meant to be), not least because most providers identify themselves in the HTTP headers they send back in their web replies, if only as a matter of courtesy:

$ getheaders https://news.sophos.com
Connecting... OK.
TLS handshake... OK.
---headers---
server: nginx
date: Mon, 29 Jun 2020 10:21:21 GMT
content-type: text/html; charset=UTF-8
content-length: 0
x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
x-powered-by: WordPress VIP
host-header: e66d35b329a7c2cff66075eaf4530d13
x-redirect-by: WordPress
location: /en-us/
age: 0
x-cache: miss
strict-transport-security: max-age=31536000
---headers---

Because your choice of hosting provider is usually easy enough for anyone to figure out, you probably already receive your fair share of spam from companies saying, “Hey, I see you use web provider X, and we just happen to have enormous expertise in that area, so why not contact us…”
…and we’re willing to bet that you have lots of reasons why not, including that you don’t much like receiving unsolicited emails trying to drum up business.
We certainly get our fair share of spams of that sort, typically saying they can help us switch providers, optimise our content, boost our Google ranking and so on.
But over the weekend we received a message that was a bit more believable than the rest.
This scam pretended to come from WordPress itself, and claimed that DNS security features would soon be added for our domain:

From: WordPress
Subject: nakedsecurity.sophos.com DNS Update
We’re upgrading your domain DNS for something even better, freely!
We care about your privacy and the protection of your domains, so we will soon be upgrading them, from basic Domain Name System (DNS) to Domain Name System Security Extensions (DNSSEC).

As you probably know, DNS is short for domain name system, and it’s the globally distributed database that turns server names that humans can remember, such as nakedsecurity.sophos.com, into network numbers that computers can use, such as 203.0.113.171.
And DNSSEC really exists – it’s a protocol that adds authentication to DNS data transfers to help stop cybercriminals filling the DNS database with bogus entries and thereby hijacking web traffic.
In fact, you’ve probably heard of DNSSEC, short for domain name system security extensions, because it’s been around for more than 20 years.
On the other hand, you’ve probably never set up DNSSEC or used it directly youself, because it has typically been a feature used by service providers to help to keep their own DNS databases intact when they exchange data with other DNS servers.
In other words, activating DNSSEC for the server names that your hosting provider looks after for you certainly sounds like a good idea.
So we can understand why some recipients of this scam might click through in order to learn more.

The landing page

The landing page of this scam is surprisingly believable, as you see here, which is what we received when we clicked through for our “free” DNSSEC upgrade:

The page claims to be an “Update Assistant”, with logos and icons that match your service provider, and it even has a How to use this assistant button that actually works:

Of course, the advice here is to put in your usual WordPress password – which is exactly the opposite of what you ought to be doing.
Any data you enter here goes straight to the crooks, and if you don’t have two-factor authentication enabled on your account, the crooks may very well be able to log on to your website or blog right away and take it over completely.
The scam then shows you some fake but believable progress messages to make you think that a genuine “site upgrade” has kicked off, including pretending to perform some sort of digital “file signing” at the end.
Here’s what we saw when we entered a bogus username and passwords on the phishing page:

As you can see, the crooks claim that you’ll be redirected to your own site at the end of the process, but instead you end up at a URL that includes the name of your site preceded by the name of the fake site set up by the crooks.
This produces a 404 error – what we can’t tell you is whether the crooks made a programming blunder and accidentally redirected you to https://[THEIRDOMAIN/your.example instead of directly to https://your.example…
…or whether they intended this all along, to avoid redirecting to you directly to your own login page, which might seem suspicious given that you put in your username and password already.

Auto-customising the page

The clickable links in the emails sent out in this spam campaign include all the data that crooks need to tailor the login page automatically.
The link we received looked like this:

https://[REDACTED].com/?banner=V29yZFByZXNz&url=bmFrZWRzZWN1cml0eS5zb3Bob3MuY29t

If you decode the base64 text used for banner and url, you get the following:

> base.unb64('V29yZFByZXNz')
WordPress
> base.unb64('bmFrZWRzZWN1cml0eS5zb3Bob3MuY29t')
nakedsecurity.sophos.com

By simply encoding new banner names and new URLs, we were able to auto-customise the scam page, like this:

> base.b64('totally.bogus.example')
dG90YWxseS5ib2d1cy5leGFtcGxl
> base.b64('Microsoft Azure')
TWljcm9zb2Z0IEF6dXJl
> base.b64('www.example.com')
d3d3LmV4YW1wbGUuY29t
> base.b64('HostGator')
SG9zdEdhdG9y
// Below left: https://[REDACTED].com/?banner=TWljcm9zb2Z0IEF6dXJl&url=dG90YWxseS5ib2d1cy5leGFtcGxl
// Right:      https://[REDACTED].com/?banner=SG9zdEdhdG9y&url=d3d3LmV4YW1wbGUuY29t

We didn’t even need to guess at the banner names that we could use, because the crooks had left the image directory browsable on their phishing site:

[. . . . . .]
[IMG] HostGator.png                     25-Jun-2020 19:04      12k
[IMG] HostGator_avatar.png              25-Jun-2020 19:06      12k
[IMG] HostMonster.png                   25-Jun-2020 20:15      12k
[IMG] HostMonster_avatar.png            25-Jun-2020 20:17       4k
[IMG] KonaKart.png                      26-Jun-2020 01:50      16k
[IMG] KonaKart_avatar.png               26-Jun-2020 01:50       8k
[IMG] Linode.png                        25-Jun-2020 19:07      12k
[IMG] Linode_avatar.png                 25-Jun-2020 19:09       8k
[IMG] Magento.png                       22-Nov-2018 19:29      12k
[IMG] Magento_avatar.png                22-Nov-2018 19:32       8k
[IMG] Microsoft Azure.png               25-Jun-2020 20:10      12k
[IMG] Microsoft Azure_avatar.png        25-Jun-2020 20:11       4k
[IMG] Name Cheap.png                    25-Jun-2020 20:22      16k
[IMG] Name Cheap_avatar.png             25-Jun-2020 20:23       8k
[IMG] Network Solutions.png             25-Jun-2020 19:15      12k
[. . . . . .]

In total, the crooks had 98 different ripped-off brand images ready to go, all the way from Akamai to Zen Cart.

What to do?

• Don’t login via links sent in email. If you receive an email that says you need to login to service X, and you do have an account with X, ignore any login links in the email itself. Find your own way to the login page (for example, bookmark it yourself), even if you think the email is genuine. That way you won’t fall for bogus links by mistake.
• Turn on 2FA whenever you can. 2FA is short for two-factor authentication, typically based on one-time codes that are sent to your phone or generated by a special app. 2FA makes your password alone much less useful to the crooks, just in case you ever do give it away by mistake.
• Consider a password manager. Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site.
• Look for an anti-virus with live web filtering. Products such as Sophos Home (free for Windows and Mac) not only block malware from arriving onto your computer but also prevent web connections going out to risky sites in the first place, even if those sites themselves don’t actually contain malware.

---