By Dave Michmerhuizen – Research Scientist, Luis Chapetti – Security Researcher
When we examine malware here at Barracuda Labs, one thing we see over and over again are domains that have been compromised. Malware distribution points are often shut down within a day or two of their first appearance. Rather than go to the trouble of setting up servers only to see them quickly shut down, hackers just break into commercially hosted websites and set up a few extra pages and scripts ‘alongside' the content that is already there.
There are a number of ways of attacking websites; distributing keyloggers, mounting injection attacks and exploiting old vulnerable software components. All of those are a lot of work, so hackers fall back on a simpler approach – they email you and ask you for your password.
One attack we see regularly impersonates cPanel, a widely used web host control panel. Web hosting providers purchase this software and their customers use it to manage their website and domain. Their branding is prominently featured wherever it is used and many users come to identify cPanel as the interface to their website.
It's probably fitting that the attack is carried out from the compromised website of a canadian artist. The spammed link points to a page hosted there which prompts you for the information needed to take over the website
We filled in some dummy information and pressed “Login”. An examination of the network traffic shows our data sent back to the compromised host, there to be forwarded on to attackers elsewhere who could, if the entries were genuine, log into our website and use it to host more attacks or to distribute other sorts of malware.
Always check to see that you are logged into the domain or IP you would expect to see when doing website maintenance and never use emailed links to direct you to websites.