Recently we told you how hackers use alternative domain names provided by web hosts to make their URLs look less suspicious. This time we’ll show a similar trick used by phishers.
Phishing web pages get blacklisted very fast. That’s why hackers need to purchase many domains or compromise many websites so that they can point their phishing URLs to new domains every day. To make their campaigns more efficient, some phishers have identified a way to exploit poorly configured temporary URLs provided by some web hosts.
Insecure Temporary URLs
When you create a new account with a hosting provider, they often provide a special URL where you can test your site before you point your own domain name to the new server.
The temporary URLs usually look like this:
Where server-name is the web host’s own domain name or the server’s IP address, and username is the name of the user’s account, this is fine. But some hosting providers (including some really big ones) don’t configure these temporary URLs properly. Instead of serving them only under the server’s own domain name or a bare IP address, they serve them under ANY domain name that resolves to the server’s IP address.
This is a really bad practice, as it allows hackers to do the following:
- Register (or hack) a cheap account on a shared server, e.g. baduser.
- Place malicious files in various subdirectories of the account, e.g. phish_dir.
- Compile a list of third-party sites hosted on the same server. On shared servers this usually means hundreds of domains, e.g. neighbor-site1.xyz, neighbor-site2.xyz, … neighbor-siteN.xyz.
- Because of the poor temporary URL configuration, they can now access their own malicious pages using third-party domains:
- neighbor-site1.xyz/~baduser/phish_dir/
- neighbor-site2.xyz/~baduser/phish_dir/
- neighbor-siteN.xyz/~baduser/phish_dir/
- As a result, one server account gives them hundreds of different domains for their malicious pages for free. They can frequently change the domains without disclosing the real location of the malicious files and without having to move their files to different places when the domains get blacklisted.
We see this happening in the wild.
Are You Affected?
The temporary URLs, if not configured properly, can be a source of real security problems even if your own site is not compromised. We have clients whose websites (as well as many other sites on the same server) were blacklisted because they shared the same server with a malicious user and their hosting provider didn’t restrict domain names that could be used for temporary URLs.
If your site is on a shared server, learn the format used for temporary URLs and check whether you can open your site using your own domain name – http://your-site-domain.com/~yourusername
On some servers you might also need to specify the site folder if you have several sites under the same account – http://your-site-domain.com/~yourusername/your-site-directory/
If you managed to open your site this way, you’re in trouble. This means that your server is vulnerable to the attack described in this post. Contact your hosting provider immediately and ask them to fix the issue. If they refuse to do it, consider moving your site to a different hosting provider. Lastly, before you move, make sure to ask the new provider whether they allow temporary URLs under arbitrary domains.
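A small self-check that applies the test above to your own site, assuming the temporary-URL format shown in this post (http://domain/~username/[site-directory/]). This is an added example, not code from the original post; the function names are my own, and a 2xx response to the temporary URL under your own domain is treated as the sign of trouble described above.

```python
"""Check whether your own domain serves the ~username temporary URL (hypothetical helper names)."""
import urllib.error
import urllib.request
from typing import Optional


def build_temp_url(site_domain: str, username: str, site_dir: str = "") -> str:
    """Build the temporary URL under your own domain, in the format the post describes."""
    path = f"/~{username}/"
    if site_dir:
        path += site_dir.strip("/") + "/"
    return f"http://{site_domain}{path}"


def classify(status: Optional[int]) -> str:
    """Interpret the HTTP status returned for the temporary URL under your own domain."""
    if status is None:
        return "unreachable: network error, re-run or check manually"
    if 200 <= status < 300:
        return "VULNERABLE: temporary URL is served under your own domain"
    if status in (301, 302, 307, 308):
        return "redirected: inspect the Location target manually"
    if status in (403, 404):
        return "ok: temporary URL is not served under your domain"
    return f"unexpected HTTP {status}: inspect manually"


def fetch_status(url: str, timeout: float = 10.0) -> Optional[int]:
    """GET the URL without following redirects; return the status code, or None on a network error."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib raise HTTPError for 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_site(site_domain: str, username: str, site_dir: str = "") -> tuple:
    """Run the check and return (url, verdict)."""
    url = build_temp_url(site_domain, username, site_dir)
    return url, classify(fetch_status(url))


if __name__ == "__main__":
    import sys  # usage: python check.py your-site-domain.com yourusername [your-site-directory]
    url, verdict = check_site(*sys.argv[1:4])
    print(url, "->", verdict)
```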