Attackers are trying to trick web administrators into sharing their admin account login credentials by urging them to activate DNSSEC for their domain.
Scam emails lead to fake login pages
The scam was spotted by Sophos researchers, when the admin of their own security marketing blog received an email impersonating WordPress and urging them to click on a link to perform the activation (see screenshot above).
The link took them to a “surprisingly believable” phishing page with logos and icons that matched their service provider (WordPress VIP), and instructed them to enter their WordPress account username and password to start the update.
“The scam then shows you some fake but believable progress messages to make you think that a genuine ‘site upgrade’ has kicked off, including pretending to perform some sort of digital ‘file signing’ at the end,” Sophos’s security proselytiser Paul Ducklin explained.
Finally, either intentionally or by mistake, the victim is redirected to a 404 error page.
Customized phishing pages
The malicious link in the email contained encoded banner and URL information that allowed researchers (and attackers) to customize the scam phishing page with different logos, to impersonate numerous different hosting providers.
“We didn’t even need to guess at the banner names that we could use, because the crooks had left the image directory browsable on their phishing site. In total, the crooks had 98 different ripped-off brand images ready to go, all the way from Akamai to Zen Cart,” Ducklin noted.
The attackers check HTTP headers for information about the target’s hosting provider and customize the scam email and the phishing site accordingly.
Users who fall for the scam, enter their login credentials into the phishing site, and don’t have two-factor authentication turned on are effectively handing control of their site to the scammers.
Ducklin advises admins never to log in anywhere through links sent via email, to turn on 2FA whenever they can, and to use a password manager.
“Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site,” he noted.
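The origin-binding behaviour Ducklin describes can be illustrated with a small model of a password manager's lookup. The following is an added example, not code from Sophos or from any real password manager; the vault contents and every hostname in it (including the phishing-style host) are constructed placeholders. It shows why a credential saved for one origin is never offered on a lookalike host such as a phishing page that merely contains the brand name, and it flags such lookalikes as a warning signal.

```python
"""Origin-bound credential lookup, modelling why a password manager
will not autofill a saved password on a phishing page.

Added example for illustration only; vault entries and hostnames are
constructed and do not refer to real accounts or sites.
"""
from urllib.parse import urlsplit

# Constructed vault. Credentials are keyed by the origin (scheme + host)
# they were saved from, never by the brand name shown on the page.
VAULT = {
    ("https", "wordpress.com"): {
        "brand": "wordpress",
        "username": "admin@example.org",
        "password": "constructed-password-1",
    },
    ("https", "panel.hostco.example"): {
        "brand": "hostco",
        "username": "root",
        "password": "constructed-password-2",
    },
}


def origin_of(url: str):
    """Return (scheme, host) for a URL, normalised to lower case."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme.lower(), host


def host_matches(saved_host: str, page_host: str) -> bool:
    """True when page_host is saved_host itself or a subdomain of it.

    The saved host must be a suffix at a label boundary, so a host such
    as 'wordpress.com.something.example' does NOT match 'wordpress.com'.
    """
    return page_host == saved_host or page_host.endswith("." + saved_host)


def lookup(url: str):
    """Return the saved credential for this page's origin, or None."""
    scheme, host = origin_of(url)
    if scheme != "https":
        return None  # never offer a credential over plaintext HTTP
    for (saved_scheme, saved_host), cred in VAULT.items():
        if saved_scheme == scheme and host_matches(saved_host, host):
            return cred
    return None


def lookalike_brands(url: str):
    """Saved hosts whose brand name appears inside a NON-matching page host.

    A hit means the page borrows a trusted name it does not own, which is
    exactly what a customised phishing page does.
    """
    _, host = origin_of(url)
    hits = []
    for (_, saved_host), cred in VAULT.items():
        if cred["brand"] in host and not host_matches(saved_host, host):
            hits.append(saved_host)
    return hits


if __name__ == "__main__":
    for candidate in (
        "https://wordpress.com/wp-login.php",
        "https://login.wordpress.com/",
        "https://wordpress.com.dnssec-activate.example/login",  # constructed lookalike
        "http://wordpress.com/",
    ):
        cred = lookup(candidate)
        print(candidate, "->", cred["username"] if cred else "no credential",
              "| lookalike of:", lookalike_brands(candidate))
```

The lookup succeeds only for the saved host or one of its subdomains over HTTPS; the constructed lookalike host gets no credential and is reported as borrowing the "wordpress" brand, which is the signal a user sees when their manager stays silent on a phishing page.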