cPanel users are being targeted in a new phishing scam that uses a fake security advisory to trick them into giving up their credentials.
cPanel provides shared web hosting users with a Linux-based graphical user interface (GUI) and control panel which simplifies website and server management.
Recently, cPanel and WebHost Manager (WHM) users reported a targeted phishing campaign whose emails used the subject line “cPanel Urgent Update Request”. The fake security advisory was well crafted and worded convincingly enough to pass as a genuine notice from the company itself.
In their advisory, the cybercriminals behind the targeted phishing attack warned that updates had been released to fix security concerns in cPanel and WHM versions 88.0.3+, 86.0.12+ and 78.0.49+.
Fake security advisory
At the bottom of their security advisory, the attackers explained why cPanel had not released an official statement on the security issues the updates addressed, saying:
“The cPanel Security Team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues.”
To make their targeted phishing campaign appear more legitimate, the attackers also registered the domain ‘cpanel7831.com’ and used Amazon’s Simple Email Service (SES) to send out the emails to cPanel and WHM users.
If a user fell for the scam and clicked on the “Update your cPanel & WHM installations” button, they were brought to a website that prompted them to log in using their cPanel credentials. Thankfully, the phishing landing page has since been taken down and now redirects to a Google search for the keyword cPanel.
Anyone who did fall victim to this scam should log in to their web hosting provider and change the password on their account. They should also perform a complete audit of their sites and look for any odd PHP files, which can be used as backdoors.
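As an added example (not code from the original article), the following Python function triages a raw email against the traits described above: the lookalike domain cpanel7831.com the attackers registered, the “cPanel Urgent Update Request” subject line, and an update button whose link leaves the brand's domain. It assumes cpanel.net is the only legitimate sender and link domain; the two sample messages are constructed, not real captures.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"cpanel.net"}          # assumption: the only domain trusted for senders and links
KNOWN_BAD_DOMAINS = {"cpanel7831.com"}  # lookalike domain the campaign registered
CAMPAIGN_SUBJECT = "cpanel urgent update request"
LINK_RE = re.compile(r'href=["\'](https?://[^"\']+)', re.IGNORECASE)

def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels); enough for this check."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage(raw: str) -> list:
    """Return the reasons a raw RFC 5322 message matches the campaign (empty list = no match)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender in KNOWN_BAD_DOMAINS:
        reasons.append(f"known campaign sender domain: {sender}")
    elif "cpanel" in sender and sender not in LEGIT_DOMAINS:
        reasons.append(f"lookalike sender domain: {sender}")   # catches the next throwaway domain too
    if msg.get("Subject", "").strip().lower() == CAMPAIGN_SUBJECT:
        reasons.append("campaign subject line")
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in LINK_RE.findall(body.get_content() if body else ""):
        dom = registrable(urlparse(url).hostname or "")
        if dom not in LEGIT_DOMAINS:   # the "Update your cPanel & WHM installations" button
            reasons.append(f"update link points off-brand: {dom}")
    return reasons

# Constructed sample messages, not real captures.
PHISH = """\
From: cPanel Security <security@cpanel7831.com>
Subject: cPanel Urgent Update Request
Content-Type: text/html

<a href="https://cpanel7831.com/login">Update your cPanel &amp; WHM installations</a>
"""
CLEAN = """\
From: cPanel <news@cpanel.net>
Subject: Release notes
Content-Type: text/html

<a href="https://cpanel.net/releases">Read the release notes</a>
"""
```

Delivery through Amazon SES is deliberately not used as a signal, since plenty of legitimate mail goes through it; the sender domain and the link destination are what separate this campaign from a real advisory.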