Active Phishing campaign targeting multiple Hosting Providers.

[Jade @ Absolute Hosting]

Hello all,

Posting here for our clients and clients for other providers.

We are aware of an active phishing campaign being sent out to [email protected] recipients warning of suspension of services.
The links within the emails point to fake PayFast payment page which appears to have been created to capture credit card details.

So far we have identified that the campaign is targeting Absolute Hosting clients, Axxess clients and Elitehost - how ever this is not new and previous providers on the forum have reported the same over the last few weeks.

Based on the information that we have gathered so far we believe that the scammers are gathering domain name lists based on DNS servers owned and managed by each provider to obtain their lists.

As always be cautious and report phishing urls

 

[AfriNatic]

Hello all,

Posting here for our clients and clients for other providers.

We are aware of an active phishing campaign being sent out to [email protected] recipients warning of suspension of services.
The links within the emails point to fake PayFast payment page which appears to have been created to capture credit card details.

So far we have identified that the campaign is targeting Absolute Hosting clients, Axxess clients and Elitehost - how ever this is not new and previous providers on the forum have reported the same over the last few weeks.

Based on the information that we have gathered so far we believe that the scammers are gathering domain name lists based on DNS servers owned and managed by each provider to obtain their lists.

As always be cautious and report phishing urls

We are also fighting this scam.

Clients get an email saying their domain will expire and they need to pay. Link it to a fake site to phish clientzone details. Once they are in they change client details and signup for a bunch of cloud servers that start spamming and phishing again. Rinse and repeat.

The scammers are located in Morocco.

 

[Jade @ Absolute Hosting]

We are also fighting this scam.

Clients get an email saying their domain will expire and they need to pay. Link it to a fake site to phish clientzone details. Once they are in they change client details and signup for a bunch of cloud servers that start spamming and phishing again. Rinse and repeat.

The scammers are located in Morocco.

Sorry to hear of the issues and thanks for responding on here.

These lists are most definitely being compiled using name servers as we have found domains that are registered with external registrars, not using our services but only making use of our name servers via resellers on zadomains.net

The email was so badly composed that it had Elitehost's whmcs default footer in it, with Absolute Hosting Africa mentioned in it- sloppy scammers.

 

[AfriNatic]

Sorry to hear of the issues and thanks for responding on here.

These lists are most definitely being compiled using name servers as we have found domains that are registered with external registrars, not using our services but only making use of our name servers via resellers on zadomains.net

The email was so badly composed that it had Elitehost's whmcs default footer in it, with Absolute Hosting Africa mentioned in it- sloppy scammers.

Very sloppy indeed. Another tack tick they use with us is get access to clientzone by phishing credentials and OTP's then once they are in download invoices and use that account number on their phishing emails.

They also access history emails to see failed payment emails and copy the format to scam other clients.

We in Noc and Security have our hands full 24/7 with this.

 

[Jade @ Absolute Hosting]

Very sloppy indeed. Another tack tick they use with us is get access to clientzone by phishing credentials and OTP's then once they are in download invoices and use that account number on their phishing emails.

They also access history emails to see failed payment emails and copy the format to scam other clients.

We in Noc and Security have our hands full 24/7 with this.

2FA via SMS is a PITA and its so susceptible to various attack vectors, one of the reasons why we discontinued support for it in October and are still been sworn at by clients who are unable to get one of the time based token apps installed on their phones.

Essentially if a third party gets access to client zone / client service area then that party has almost full access to all services which is a major risk.

Have you guys considered disabling 2FA via SMS?

 

[neoprema]

Are any of your DNS servers allowing zone transfers? (i would hope not but just asking)

 

[Jade @ Absolute Hosting]

Are any of your DNS servers allowing zone transfers? (i would hope not but just asking)

Nope they arent but good idea