Webmail Phishing

Jenolan

Although a simplistic attack, there are emails turning up that are supposedly being generated by Roundcube (i.e. the webmail client running in most WHM/DA systems).

The mail purports to be asking for verification of an email address being used within Roundcube. The link address visible shows as your VPS address as the text prompt, but the actual link points to 'errormail.host' with your VPS address and some extra payload. Obviously I didn't go through what is behind this URI, but it is likely it will ask for credentials to 'verify' you and most likely look like a Roundcube interface.

Just be aware ;) If you have people who use RC and may not be savvy, it might be worth letting them know that if they receive one of these it is bodgey.

Sample link (with my host changed to example.com)
HTML:
http://example.com.errormail.host/webmail/index.php?user=username@example.com
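An added example, not part of the original post: a Python check for the two tells described above, link text naming one host while the href goes to another, and your own hostname appearing only as the leading labels of someone else's domain. The function names, the sample mail bodies and the exact visible link text are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)  # first hostname-like token

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body, our_hosts):
    """Return (target_host, reason) for links whose real host is not what it seems."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = (urlsplit(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        shown = shown.group(0).lower() if shown else ""
        if not target:
            continue
        if shown and shown != target:
            findings.append((target, "text shows " + shown))
        for host in our_hosts:
            # our name as leading labels of a domain someone else registered
            if target.startswith(host.lower() + "."):
                findings.append((target, host + " is only a subdomain prefix"))
    return findings

# Constructed sample mail bodies; the visible link text is an assumption.
PHISH = ('<p>Verify your address: <a href="http://example.com.errormail.host'
         '/webmail/index.php?user=username@example.com">http://example.com/webmail/</a></p>')
LEGIT = '<a href="https://example.com/webmail/">example.com/webmail</a>'

if __name__ == "__main__":
    for finding in check_links(PHISH, ["example.com"]):
        print(finding)
```

The same comparison can run as a mail-filter rule over inbound HTML parts, with `our_hosts` set to the hostnames your users log in to.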
 
Thanks for the notice @Jenolan

I safely visited errormail.host and saw it brings up a Namecheap "recently registered domain" notice. That very well may be entirely fake, but WHOIS did verify it is in fact registered with them. I submitted an abuse report, just in case they haven't already been made aware.

I've been stewing lately about actually sending a "test" pretend spoofed email and seeing how many of my customers fall for it so I know who to have a talk with.
 
Yes, at the moment it doesn't really seem to do anything, but that doesn't mean it will stay safe.

It is depressing that the internet, which is a wonder, is so full of badness.
 