Spear Phishing spam is targeting Bluehost customers
February 2, 2015
Prologue
This article is about what is known in the spam-fighting trade as a "spear phishing" scam: the message has been custom-researched and written to target a particular person by name, whom the spammers deem to be important to their evil goals. My experience deals with Bluehost, but if you own a website hosted by another major web hosting company, you may receive a similar scam message.
The email in question was lingering in the Spam folder of my Gmail account, which is just one, E Pluribus Unum, of the email accounts I use. When I first read the Subject and From lines I thought it might possibly be a legitimate message that had been sent to the Spam folder by accident. I was wrong and Gmail was right!
I actually first saw the scam email on my Android smartphone. Although it seemed mildly plausible, some things in the body text aroused my suspicion and raised my bullshit detectors to full height. Below I post its contents and explain each item that should arouse your suspicion if you receive a similar email message.
The Hook:
From: Bluehost <[email protected]>
Subject: Status Alert: Code: 2502
Body text:
Dear Valued Bluehost Customer (My actual first and last names here!).<!--bhuzxuwtbw-->Your account contains more than 9191 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.In order to prevent your account from being locked out we <special> recommend that you create special</special> tmp directory.
Or use the link below:
https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd
Thank you,
Bluehost
Toll Free: (888) 401-4678
Outside US: 1 (801) 765-9400
If you viewed a message like that on your phone you would see blue underlined link text that appears to point to an account page on Bluehost.com. Desktop users viewing the message in a browser or email client can simply hover the mouse pointer over a link, and the actual destination URL is displayed in the Status Bar at the bottom of the window.
Android and Apple smartphones do not support mouse hovering at all. But I have learned that pressing and holding a hyperlink in an email message (in the Gmail app) opens an action box instead of launching the link in your default web browser. That box plainly showed the hidden poisoned link at the top. It did not lead to Bluehost at all, but to a Russian domain (.ru) hosting a phishing login page aimed at Bluehost customers. The press-and-hold readout saved me from visiting a fake login page where the credentials for my hosting account would have been stolen by the phishers. They would then have taken over my website on Bluehost and installed malware and phishing pages of their choosing.
I dismissed the spam message and closed the Gmail app on my phone, then opened Gmail in Firefox on my Windows 7 PC. In the Spam folder I found the message in the list, clicked the down-arrow on the right and chose the drop-down option labeled "Show original." This opens the message in "source code" mode, in a new tab, where you can plainly read all of the normally hidden headers. The header source revealed the following alarming facts:
- Return-Path: <[email protected]>
- Received: from mx8.valuehost.ru (mx9.valuehost.ru. [217.112.42.217])
- More Received headers showing the Russian domain valuehost.ru
- Message-Id: <[email protected]>
- Not one header normally associated with Bluehost.com was to be found
Next, let's look at the tricks and mistakes in the Body text.
<!--bhuzxuwtbw--> right after my actual personal name. This is an HTML comment, hidden from view in the email client's normal rendering. It is a tracking ID associated with this spear phishing attack; note that the same string reappears in the real link's file name and query parameter, so the phishing server knows exactly which recipient clicked.
Your account contains more than 9191 directories and may pose a potential performance risk to the server. That is pure bullshit. You can have as many directories as you want, as long as they are under your "public_html" or similarly named web root directory.
Please reduce the number of directories for your account to prevent possible account deactivation. Again, this is a bullshit warning about a non-problem. If you actually are doing or hosting anything harmful to the server, your account will be temporarily suspended with a notice to call Bluehost support.
In order to prevent your account from being locked out we <special> recommend that you create special</special> tmp directory. Note the bad grammar in this fake recommendation. Further, there is no such HTML tag as "<special>."
<a href=http://mechtarebenka.ru/includes/data/bhuzxuwtbw.php?bhuzxuwtbw=dfc7defac6624a80f02b02e22b14e8fd>
https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd </a>
In the example above, the first line (the href attribute) is the poisoned link, leading to a compromised Russian domain (.ru). The second line (the anchor text) is what they wanted me to see as the link. Note also that the displayed URL claims https while the real destination is plain http. The spammers were not expecting their potential victims to know how to reveal the actual URL before clicking on it. If the domain in the visible link (the anchor text) and the domain in the actual destination URL (from the hover, or press-and-hold, readout) do not match, it is a scam link, or worse.
Note that the spammers even included phone numbers for the hosting company, Bluehost. If you receive a suspicious email message like this, call your host and ask whether they actually sent that message; they most likely did not. But look the support number up on the host's own website rather than trusting the one in the email: a phisher can plant a phone number of their own just as easily as a link. If you get a wrong number, hang up and be thankful you didn't click through.
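Both checks described above, the header inspection from "Show original" and the comparison of the anchor text against the real href, can be automated. The script below is my own added example, not code from the original message or from Bluehost. It parses a constructed sample message (the Received line, the hidden comment and the anchor are the ones quoted above; the addresses, Message-Id, the receiving server mx.example.net and the customer name are assumptions) and reports transport hosts that do not belong to the claimed From domain, anchors whose visible URL points to a different domain than the href, and hidden comments reused as tracking tokens in links.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the real message: the Received line, hidden comment
# and anchor are as quoted in the post; addresses, Message-Id, the receiving
# server mx.example.net and the customer name are assumptions.
RAW_MESSAGE = b"""Return-Path: <bounce@valuehost.ru>
Received: from mx8.valuehost.ru (mx9.valuehost.ru. [217.112.42.217])
        by mx.example.net with ESMTP id abc123
        for <victim@example.net>; Mon, 02 Feb 2015 08:00:00 -0700
From: Bluehost <support@bluehost.com>
Subject: Status Alert: Code: 2502
Message-Id: <20150202.0001@valuehost.ru>
Content-Type: text/html; charset=utf-8

<html><body>
Dear Valued Bluehost Customer (Firstname Lastname).<!--bhuzxuwtbw-->Your account
contains more than 9191 directories. Or use the link below:<br>
<a href=http://mechtarebenka.ru/includes/data/bhuzxuwtbw.php?bhuzxuwtbw=dfc7defac6624a80f02b02e22b14e8fd>
https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd </a>
</body></html>
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+([\w.-]+)(?:\s*\(([\w.-]+)[^)]*\))?", re.I)
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last two labels of a hostname ("my.bluehost.com" -> "bluehost.com").
    Crude but enough for .com/.ru; real code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(header_value):
    """Domain part of an address-like header value such as "<user@host>"."""
    address = parseaddr(header_value)[1]
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def header_mismatches(msg):
    """Transport hosts (Return-Path, Message-Id, Received) whose registrable
    domain differs from the domain the visible From: line claims."""
    claimed = registrable_domain(domain_of(str(msg.get("From", ""))))
    findings = []
    for name in ("Return-Path", "Message-Id"):
        host = domain_of(str(msg.get(name, "")))
        if host and registrable_domain(host) != claimed:
            findings.append((name, host))
    for received in msg.get_all("Received", []):
        match = RECEIVED_FROM.search(str(received))
        for host in (match.groups() if match else ()):
            if host and registrable_domain(host) != claimed:
                findings.append(("Received", host.rstrip(".")))
    return findings


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus hidden HTML comments."""
    def __init__(self):
        super().__init__()
        self.anchors, self.comments = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def deceptive_links(parsed):
    """Anchors whose visible text is a URL on one domain while the href goes to
    another: the hover / press-and-hold check, automated. Returns (shown, real)."""
    findings = []
    for href, text in parsed.anchors:
        shown = URL_IN_TEXT.search(text)
        if not shown:
            continue  # "click here" style text: nothing to compare against
        shown_host = urlparse(shown.group(0)).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append((shown_host, real_host))
    return findings


def tracking_tokens(parsed):
    """Hidden comments whose text is reused inside a link: per-victim tracking IDs."""
    return [c for c in parsed.comments if c and any(c in h for h, _ in parsed.anchors)]


def analyze(raw):
    """Run all three checks over a raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    parsed = AnchorCollector()
    parsed.feed(msg.get_body(preferencelist=("html",)).get_content())
    parsed.close()
    return {"header_mismatches": header_mismatches(msg),
            "deceptive_links": deceptive_links(parsed),
            "tracking_tokens": tracking_tokens(parsed)}
```

Run analyze(RAW_MESSAGE) and every finding points at the same story the headers told by hand: all transport hosts sit under valuehost.ru while From: claims bluehost.com, the one anchor shows my.bluehost.com but resolves to mechtarebenka.ru, and the comment token bhuzxuwtbw is reused inside that href. The registrable_domain() helper is deliberately naive (last two labels); for anything beyond a demonstration, compare against the public suffix list so that co.uk-style domains are handled correctly.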
Epilogue
The spammers went to some trouble to find the name associated with my hosting account on Bluehost and tie the two together in a spear phishing scam. I reported the scam to SpamCop, where I have long been a reporting member. Filing reports with SpamCop promptly helps to inform the proper authorities about illegal activity on compromised websites and to identify infected computers or handheld devices that are being used to send or relay spam and scams.
Learn how to press and hold links on your smartphone to display the destination without opening it. When you read email on your PC, hover the mouse pointer over links and look at the bottom of the browser, or desktop email client, for a Status Bar readout of the actual destination URL. If your browser or email client does not show a Status Bar, search its display options for a setting that shows the Status Bar, or that shows link status automatically on hover. Such readouts appear while you hover over a link and disappear when you move away from it or click it.
How to protect your email client from spam, scams and malware threats.
Shameless ad for MailWasher Pro. I do not download any email to my desktop email client until first screening it for threats with MailWasher Pro. Read the details on my MailWasher Pro page. I even compose and publish custom spam filters for MailWasher Pro users.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.