Analyzing a phishing email that targets cPanel users

I maintain a few websites where the hosting company uses cPanel to provide a graphical user interface (GUI) that allows me to easily manage all aspects of my sites. Today I got an email from cPanel that warned me about reaching the disk quota. This happened before, but something was fishy about the email, so I didn’t click on the provided links to fix the problem immediately…

It turns out that was a great decision, as the email was a phishing attack that wanted to steal my credentials. With my username and password, the attacker can log into cPanel and change my password, get shell access to the server or deface my site. They can also install malicious software into my site that can infect my visitors or create a file dump for illegal dark-web purposes.

After realizing what was going on I immediately contacted my hosting provider to warn them about the suspicious activity. I also decided to write this blog post to help others recognize the scam too. I thought a lot about whether I should redact the domain name in the phishing email or not, but as it is clearly linked to this blog, I see no reason to do so. I’m also not disclosing whether typing-speedtest.com has cPanel or not 🙂

Analyzing the fake email

First, let’s take a look at the fake email I received:

Let’s compare it to a real message I received for another website (heavily redacted this time):

What are the differences?

  • Sender email: In case of the real email the sender was cpanel@, while in the case of the fake it was no-reply@.
  • Quota warning: It was surprising to receive a quota warning with my business subscription. I was pretty sure that I had enough free space.
  • Language: The real email is mostly in my native language. The phishing email is fully in English. I understand that this is not really useful as a criterion to spot an attack if you are a native English speaker. For me, this was just one more thing that was suspicious based on my experience with my hosting provider.
  • Username in the subject and the message: In the real email, the quota warning is for my username, which is present both in the subject and the message. In the fake email, the quota warning is for the website.
  • Precise capacity in the quota: In the real email the quota usage is not only given as a percentage; the actual used space is also listed in MB.
  • Available files in the quota: In the real email, the number of used and available files is listed.
  • Direct link to Disk Capacity Tool: cPanel has no tool by that exact name, yet the fake email links to it.

What happens if you click the phishing link?

The second and third links in the fake email pose as valid cPanel URLs:

https://typing-speedtest.com:2083/?goto_app=DiskCapacity
https://typing-speedtest.com:2083/?goto_app=ContactInfo_Change

But they actually link to this URL:

https://agentacresofdiamonds.com/wp-content/plugins/wp-mail-smtp/vendor_prefixed/phpseclib/phpseclib/phpseclib/Crypt/Crypt.php?cp=https://typing-speedtest.com:2083/

I do not advise visiting a scammer’s website, but if you go to agentacresofdiamonds.com it is clear that it is a hurriedly tossed-together front for the hacking activities that are hidden on the hosting storage.
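One way to automate the comparison described above, as an added example that is not code from the original post: it parses the anchors in an HTML email, flags any link whose visible text names a different host than the href actually points to, and pulls out the real cPanel URL that the phishing link carries in its cp query parameter. The email HTML below is constructed to mirror the links shown on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample mirroring the phishing email: the first anchor's visible
# text shows a cPanel URL on port 2083, while its href points at a third-party
# site that receives the real cPanel URL in a "cp" query parameter.
SAMPLE_EMAIL_HTML = """
<p>From: no-reply@example-mailer.invalid</p>
<p>Your site has reached 95% of the disk quota.</p>
<a href="https://agentacresofdiamonds.com/wp-content/plugins/wp-mail-smtp/vendor_prefixed/phpseclib/phpseclib/phpseclib/Crypt/Crypt.php?cp=https://typing-speedtest.com:2083/">https://typing-speedtest.com:2083/?goto_app=DiskCapacity</a>
<a href="https://typing-speedtest.com:2083/?goto_app=ContactInfo_Change">https://typing-speedtest.com:2083/?goto_app=ContactInfo_Change</a>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return anchors whose visible text is a URL on a different host than the
    href resolves to, plus any query-parameter value of the real destination
    that names the displayed (lure) host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, real = urlsplit(text), urlsplit(href)
        if shown.scheme and shown.hostname and shown.hostname != real.hostname:
            lure = [v for vals in parse_qs(real.query).values() for v in vals
                    if urlsplit(v).hostname == shown.hostname]
            findings.append({"shown": shown.hostname, "actual": real.hostname,
                             "lure_param": lure[0] if lure else None})
    return findings
```

Run against the sample, the first link is reported (shown typing-speedtest.com, actual agentacresofdiamonds.com, lure_param https://typing-speedtest.com:2083/) while the second, whose text and href agree, is not.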

When you open the link, this is what you see:

Seems like a perfectly fine cPanel login window, doesn’t it? The funny thing is that the URL is not the one I clicked; it changed to this:

https://cpanel.webhostcent.com:2083/?cpsess7650153870=https://typing-speedtest.com:2083/

This is really interesting, as I checked out webhostcent.com and it seems to go to a real hosting company (Bluehost). Probably this is just another way to trick the user into believing that this is their cPanel login window.

Now the scary part: Chrome offered to auto-fill all my cPanel usernames and passwords on the fake login page…

What’s in the source?

You can check out the source of the fake page easily within your browser. Most of the code is just to show a perfect copy of the cPanel login page, but I found a few interesting tidbits here and there…

Get the provided username and password with JavaScript…
When the user tries to log in, wait a second and send the username and password to the hacker…

What to do?

Absolutely do not try to log in through the phishing site. You should also consider not clicking on links in emails that seem to originate from cPanel. You can always log in using your bookmarks or your hosting provider’s website.

You should also warn your hosting provider. Maybe they will warn other users, maybe not…


One thought on “Analyzing a phishing email that targets cPanel users”

  1. Thanks for the write-up!

    Got one of these this a.m., I was impressed by the cloaked addresses and wanted to know more about it.
