Phishing Attack (Hacker) Account Theft
Newest Cpanel Inc phishing e-mail I received under messagecenter@cpanel.net –
I didn’t attach the spoofed link because I don’t want others to accidentally click it.
The login was actually to the phishing site (in part: gestalt.as/modules/mod_feed/cpanel) and these are the partial headers:
To: webmaster@<<redacted>>
Subject: Problem with DNS setup on host-name
X-PHP-Script: [multimedios.tv/redirect.php]Multimedios TV for 201.143.12.183
From: cPanel Inc <messagecenter@cpanel.net>
Dear Customer
Due to our security upgrade to avoid multiple logon and an unauthorized access to your online cpanel and FTP account we do require you to sign in your domain name and username and password for security check on your account and afterward we shall send a security code to your email as part of confirmation that your domain has now been properly verified and secured.
To process to confirm and verify your domain for this security check please click (spoofed link was here.)
Failure to confirm your domain within 2 business days may lead to suspension of your domain if we observe any unauthorized login and may lead to total removal of the domain name from our system.
Cpanel Management
cPanel phishing has been posted numerous times on here. One of the earlier posts covered an American Express phishing attack with the e-mail address paymentalert@americanexpress.com ↔ nobody@fabian.tpa.kgix.net; for additional information, click https://scammer419.wordpress.com/2012/10/31/american-express/
Name/Email-Address: cPanel Inc <messagecenter@cpanel.net>
Subject: Your messages
Email: Dear Customer
Due to our security upgrade to avoid multiple logon and an unauthorized access to your online cpanel and FTP account we do require you to sign in your domain name and username and password for security check on your account and afterward we shall send a security code to your email as part of confirmation that your domain has now been properly verified and secured.
To process to confirm and verify your domain for this security check please click ______ (Hacker/Scammer had spoofed link posted there. If you get any e-mails telling you to click a link and enter ANY kind of personal information, it is most likely a scam, and by putting your mouse/arrow over the link, a URL will usually pop up. Mine pops up in the left-hand corner and it showed a website titled “deckora(dot)com/images/cpanel.net” – if it was the REAL cPanel, it would say http://cpanel(dot)net/ )
Failure to confirm your domain within 2 business days may lead to suspension of your domain if we observe any unauthorized login and may lead to total removal of the domain name from our system.
Cpanel Management
HEADER TO FIRST EMAIL:
Return-Path: <messagecenter@cpanel.net>
X-YahooFilteredBulk: 50.23.15.231
Received-SPF: softfail (transitioning domain of cpanel.net does not designate 50.23.15.231 as permitted sender)
X-Originating-IP: [50.23.15.231]
Authentication-Results: mta1082.mail.ac4.yahoo.com from=cpanel.net; domainkeys=neutral (no sig); from=cpanel.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO str.stronghousefirm.com) (50.23.15.231) by mta1082.mail.ac4.yahoo.com with SMTP; Sun, 04 Nov 2012 16:37:24 -0800
Received: from [189.33.39.50] (port=63875 helo=kassie@firstcaremedical.net) by str.stronghousefirm.com with esmtpa (Exim 4.80) (envelope-from <messagecenter@cpanel.net>) id 1TTPPv-0007ut-Uy; Tue, 30 Oct 2012 22:56:36 -0500
Reply-To: <messagecenter@cpanel.net>
From: "cPanel Inc" <messagecenter@cpanel.net>
Subject: Your messages
Date: Wed, 31 Oct 2012 01:56:40 -0200
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - str.stronghousefirm.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cpanel.net
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length: 11867
HEADER TO UPDATED EMAIL:
Return-Path: <messagecenter@cpanel.net>
X-YahooFilteredBulk: 50.23.15.231
Received-SPF: softfail (transitioning domain of cpanel.net does not designate 50.23.15.231 as permitted sender)
X-Originating-IP: [50.23.15.231]
Authentication-Results: mta1136.mail.mud.yahoo.com from=cpanel.net; domainkeys=neutral (no sig); from=cpanel.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO str.stronghousefirm.com) (50.23.15.231) by mta1136.mail.mud.yahoo.com with SMTP; Sun, 04 Nov 2012 14:23:09 -0800
Received: from [189.33.39.50] (port=60887 helo=kassie@firstcaremedical.net) by str.stronghousefirm.com with esmtpa (Exim 4.80) (envelope-from <messagecenter@cpanel.net>) id 1TTvHJ-00016T-Lk; Thu, 01 Nov 2012 08:57:50 -0500
Reply-To: <messagecenter@cpanel.net>
From: "cPanel Inc" <messagecenter@cpanel.net>
Subject: Your messages
Date: Thu, 1 Nov 2012 11:57:57 -0200
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - str.stronghousefirm.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cpanel.net
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length: 11867
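A defender's triage of the header fields quoted above, plus the hover-URL check from the first post, as an added example that is not part of the original post or of any cPanel or Yahoo tooling. The sample headers are constructed from this page's own dump (trimmed to the fields checked), and the function names are the example's own.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: the Yahoo-delivered headers shown on this page,
# reduced to the fields the checks below inspect.
SAMPLE_HEADERS = """\
Return-Path: <messagecenter@cpanel.net>
Received-SPF: softfail (transitioning domain of cpanel.net does not designate 50.23.15.231 as permitted sender)
Authentication-Results: mta1082.mail.ac4.yahoo.com from=cpanel.net; domainkeys=neutral (no sig); from=cpanel.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO str.stronghousefirm.com) (50.23.15.231) by mta1082.mail.ac4.yahoo.com with SMTP; Sun, 04 Nov 2012 16:37:24 -0800
Received: from [189.33.39.50] (port=63875 helo=kassie@firstcaremedical.net) by str.stronghousefirm.com with esmtpa (Exim 4.80) (envelope-from <messagecenter@cpanel.net>) id 1TTPPv-0007ut-Uy; Tue, 30 Oct 2012 22:56:36 -0500
From: "cPanel Inc" <messagecenter@cpanel.net>
Subject: Your messages

"""

def sender_domain(msg):
    """Domain of the address in the From: header (what the mail claims to be)."""
    m = re.search(r'@([\w.-]+)', msg.get('From', ''))
    return m.group(1).lower() if m else ''

def spf_result(msg):
    """First token of Received-SPF, e.g. pass / softfail / fail / none."""
    hdr = msg.get('Received-SPF', '')
    return hdr.split(' ', 1)[0].lower() if hdr else 'none'

def dkim_result(msg):
    """dkim=... token from Authentication-Results; 'none' if absent."""
    m = re.search(r'dkim=(\w+)', msg.get('Authentication-Results', ''))
    return m.group(1).lower() if m else 'none'

def handoff_host(msg):
    """EHLO name of the host that handed the mail to our MX (outermost Received:)."""
    for rcv in msg.get_all('Received', []):
        m = re.search(r'\(EHLO ([^)\s]+)\)', rcv, re.I)
        if m:
            return m.group(1).lower()
    return ''

def header_findings(raw):
    """Return human-readable red flags: unauthenticated From: domain, foreign relay."""
    msg = message_from_string(raw)
    dom, findings = sender_domain(msg), []
    if spf_result(msg) != 'pass':
        findings.append(f'SPF {spf_result(msg)}: sending IP not authorised for {dom}')
    if dkim_result(msg) != 'pass':
        findings.append(f'DKIM {dkim_result(msg)}: From: {dom} carries no valid signature')
    host = handoff_host(msg)
    if host and not (host == dom or host.endswith('.' + dom)):
        findings.append(f'relay {host} does not belong to {dom}')
    return findings

def link_mismatch(href, claimed_domain):
    """True when a link's real host is outside the brand the mail impersonates."""
    host = urlparse(href if '//' in href else 'http://' + href).hostname or ''
    return not (host == claimed_domain or host.endswith('.' + claimed_domain))
```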
cPanel Inc support@cpanel.net 108.165.22.246