A friend of mine used to say, “fishing is a jerk at one of the line waiting for a jerk on the other end”.
We’ve been seeing many, many more phishing scams, and here are our insights and experiences.
Points covered in this post:
- Hackers are focusing on VPS and dedicated servers
- Why you should be concerned
- Why they want access to your VPS or dedicated server
- What can be done about it
Over the past 60 days, the number of phishing scams has drastically increased. With this we’ve also seen an enormous rise in the amount of spam being sent from VPSs and dedicated servers.
Some of the servers we’ve removed malware from have had as many as 5 million messages in the email queue – most of them are phishing emails.
The subject lines vary but will typically be something like:
- “Your Apple ID was disabled”: 23%
- “You have received a voice mail”: 29%
- “I’ve shared a document” and “Important Doc file”: 27% (combined)
The rest were mostly focused on pharmaceuticals (viagra, levitra, cialis, etc.)
Why this is important
If you’re the owner of a VPS or dedicated server hosting websites, then this should concern you. You might think, “It’s an easy fix. I’ll restore all my sites from before the malware attack and I’ll have all my customers up in no time.”
A few negative points here for you:
- Your websites will be shut-down by your hosting provider
- Your domain(s) could be listed on phishtank.com
- Your IP address could be blacklisted by a number of SPAM blacklist sites
- Restoring files will not “close the hole” – the hackers will be back
- Your website(s) could drop in the search engine rankings
- Sites backlinking to your website(s) could remove their links – thereby lowering your search engine rankings
- Browsers could show a warning page before people try to visit your websites
Point 1 is temporary. Many hosting providers will deactivate your server until the issues are resolved – but most often you will suffer some downtime.
Point 2 may or may not cause you any issues. Some sites and browsers using the phishtank list block your site if you’re listed on there.
Point 3 is more severe if you’re hosting email for your websites on the same server. While many of the SPAM blacklists will remove your IP address or domain from their list quickly (sometimes within 10 – 15 minutes) others like Gmail will take weeks. Gmail doesn’t have a request process like Google does for websites. They monitor email coming from your IP address to their addresses for up to 4 weeks. If they don’t receive any other SPAM, then they’ll delist your IP address.
Point 4 is one we hear about quite frequently. Restoring files only prolongs the process of root cause analysis – how did this happen? Not to sound all “CSI” on you, but you could be writing over forensic information. Then it’s an educated guess as to how it happened.
Point 5 can be serious. Many of you spend large amounts of time getting your sites or your customer’s sites ranked highly for keywords. That will drop quickly if your website gets listed by one of the search engines for sending SPAM or hosting phishing files. Sometimes your rankings will return in about a week or so. However, if your server is infected again, the repeated drops will accumulate and it may take a lot more work to regain your search engine rankings.
Point 6 also affects your search engine rankings – backlinks. You spend a lot of time building up reputable backlinks. If the websites that link back to your site drop you, can you get them back? What will they need in order to know that your site or sites are safe again?
The last point, browsers showing a warning page, will usually go away within 24 to 48 hours after the infection has been removed and steps taken to secure the websites.
Possibly the best reason for you to be concerned is that anyone you know could fall victim to one of these phishing scams and lose their identity, lose their bank account balance or any number of potentially damaging events.
Why VPS and dedicated servers?
Why would hackers focus on VPS and dedicated servers? We believe the hackers know that these aren’t monitored by the hosting companies quite like the shared hosting accounts are. Some of the managed servers are, but many of the people buying VPS or dedicated server service don’t go with the managed offerings.
Hackers love VPSs and dedicated servers because on those they have control over all the resources.
Some of the phishing sites we see are actually subdomains of a domain on the server. For instance, if you had a VPS with a website domain of xyz.com, the hackers could set up a subdomain such as pplogin.xyz.com. Would you notice that?
Hackers could send out millions of SPAM emails from your server and you wouldn’t know until you started getting bounce-backs of emails that were blocked or were sent to non-existent email addresses. Or your hosting provider shuts you down or worse yet, your website customers start complaining.
Oftentimes the reseller and shared hosting accounts are monitored by the hosting provider, and those types of accounts don’t have the resources that a server (VPS or dedicated) has. That’s why hackers love VPS and dedicated servers.
What can be done?
Prevention can take many paths. First, make certain that your server is not being used to send phishing SPAM. Second, reduce the amount of phishing SPAM your clients are subjected to. Next, make certain your server isn’t being used to distribute this phishing SPAM. Last, be diligent about the files on your server: are any of them phishing files? If so, how did they get there?
One of the easiest steps to take is to make certain your SPF record is set up correctly. This works toward reducing the potential for hackers to spoof or forge one of your domains. Here’s our slideshare about this:
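To make the SPF point concrete, here is an added example (not part of the original post, and not the slideshare) that evaluates a domain’s SPF TXT record against a sending IP address and flags permissive settings. It runs offline, so the hosts behind the “a” and “mx” mechanisms are supplied in a table instead of being looked up in DNS; the record strings and IP addresses are constructed for the demonstration. The contrast it shows is a record ending in “-all”, which tells receivers to reject mail from hosts you never listed, versus “+all”, which authorises every host on the Internet to send as your domain.

```python
import ipaddress

# Qualifier prefix -> SPF result when a mechanism matches (RFC 7208 section 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into its mechanism terms (everything after 'v=spf1')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return terms[1:]


def evaluate_spf(record, sender_ip, hosts=None):
    """Return the SPF result ('pass', 'fail', 'softfail' or 'neutral') for a
    message arriving from sender_ip under the given record.

    Handles ip4, ip6, a, mx and all. Because this runs offline, the addresses
    behind 'a' and 'mx' come from the caller-supplied 'hosts' table (an
    assumption of this example) instead of DNS. 'include' and 'redirect' are
    rejected rather than silently ignored, so a record using them is not
    misreported.
    """
    ip = ipaddress.ip_address(sender_ip)
    hosts = hosts or {}
    for term in parse_spf(record):
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a bare host address becomes a /32 or /128 network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = ip in {ipaddress.ip_address(h) for h in hosts.get(name, ())}
        else:
            raise ValueError(f"unsupported mechanism in this evaluator: {name}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # nothing matched and no 'all' term


def lint_spf(record):
    """Flag record settings that leave unlisted hosts free to send as the domain."""
    warnings = []
    terms = parse_spf(record)
    for term in terms:
        bare = term.lstrip("+-~?").lower()
        if bare == "all" and term[0] not in "-~":
            warnings.append(f"'{term}' does not reject unlisted hosts")
    if not terms or terms[-1].lstrip("+-~?").lower() != "all":
        warnings.append("record does not end in an 'all' term; unlisted hosts get 'neutral'")
    return warnings


if __name__ == "__main__":
    # Constructed records: one strict, one that anyone can satisfy
    strict = "v=spf1 ip4:203.0.113.10 mx -all"
    weak = "v=spf1 +all"
    for rec in (strict, weak):
        print(rec, "->", evaluate_spf(rec, "198.51.100.7"), lint_spf(rec))
```

Run the script as-is to see the two records side by side; in practice you would paste the TXT record your DNS provider serves for each domain on the server and confirm that only your mail hosts produce “pass”.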
There are many ways to reconfigure SpamAssassin in your cPanel to reduce the amount of SPAM your webhosting customers are subjected to. If they don’t see as much SPAM, there’s a greater chance they won’t be fooled by any of it and fall victim to the phishing SPAM.
Have your email queue checked frequently. If you see a higher than normal amount of email being sent out, have it investigated to be sure it’s not SPAM.
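As an added example of the queue check (not code from the original post), the following script parses the output of exim’s queue listing, which is what a cPanel server runs as `exim -bp`, and reports the total, the frozen messages, and the senders with the most queued mail, raising an alert once the total passes a threshold you set from a normal day. The sample queue text is constructed for the demonstration, not captured from a real server; the parser assumes the standard `exim -bp` layout of one header line per message followed by indented recipient lines.

```python
import re
from collections import Counter

# One 'exim -bp' entry: "<age> <size> <message-id> <sender> [*** frozen ***]" on the
# first line, recipients indented on the following lines, blank line between entries.
HEADER_RE = re.compile(
    r"^\s*(?P<age>\d+[smhd])\s+(?P<size>\S+)\s+(?P<id>\S{6}-\S{6}-\S{2})"
    r"\s+<(?P<sender>[^>]*)>(?P<rest>.*)$"
)

# Constructed sample of 'exim -bp' output for the demonstration.
SAMPLE_QUEUE = """\
 25m  1.2K 1aBcDe-000001-Xy <noreply@xyz.example>
          user1@example.org

 24m  1.1K 1aBcDe-000002-Xy <noreply@xyz.example>
          user2@example.org
          user3@example.org

  3h   15K 1aBcDe-000003-Xy <billing@xyz.example> *** frozen ***
          customer@example.net
"""


def parse_queue(text):
    """Return one {'id', 'sender', 'frozen', 'recipients'} dict per queued message."""
    messages = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            messages.append({
                "id": m.group("id"),
                "sender": m.group("sender") or "<>",   # empty sender = bounce message
                "frozen": "frozen" in m.group("rest"),
                "recipients": [],
            })
        elif line.strip() and messages:
            messages[-1]["recipients"].append(line.strip())
    return messages


def queue_report(text, threshold=1000):
    """Summarise the queue; 'alert' is set when it exceeds a size a normal day never reaches."""
    msgs = parse_queue(text)
    by_sender = Counter(m["sender"] for m in msgs)
    return {
        "total": len(msgs),
        "frozen": sum(m["frozen"] for m in msgs),
        "recipients": sum(len(m["recipients"]) for m in msgs),
        "top_senders": by_sender.most_common(5),
        "alert": len(msgs) > threshold,
    }


if __name__ == "__main__":
    # On a real server: queue_report(subprocess.check_output(["exim", "-bp"], text=True))
    print(queue_report(SAMPLE_QUEUE, threshold=2))
```

A sender that appears thousands of times, or a single mailbox account sending to addresses that never wrote to it, is what to look into first; the threshold should be the queue size you see on an ordinary day plus some headroom, and the report is cheap enough to run from cron every few minutes.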
Finally, set up file integrity monitoring on your website files. You’ll want to be notified quickly if any phishing files have been uploaded to your server. You’ll not only want to be notified, but you’ll also want to know how it happened.
The external website scanners don’t see the phishing files because there is no link from the website to the phishing files. The only way sites like phishtank can find these phishing files is through their large volunteer network. These volunteers collect the phishing SPAM emails, record the phishing URL and post it on phishtank.com.
It’s important that you focus on SPAM in general, but definitely on phishing files. A few steps that require little time can help you help others.
Education is the first step. Please share this with other VPS or dedicated server owners, web developers and others.
We all need to do our part to help make the Internet a safer place.