This Is How Phishing Actors Move to Grab Hosting Provider Accounts

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The reason why phishing actors like to target user accounts on hosting provider websites is simple, really, and it’s to tap on the subsequent, actual targets - the precious domains that are under the control of the compromised account. From there, the hackers may link to other content, update the site through a web interface, change the FTP password and fiddle with the content management, and more.

According to Kaspersky, cybercriminals today typically do this to set up convincing phishing pages, using valid domains, real content, and only performing some minor additions like forms and data exfiltration scripts.

The process begins with the phishing email sent by the actors, which poses as a message from a hosting provider. There are no names or logos in there, so the crooks rely on the recipient’s panic.

The text informs them of a temporary blockage against accessing their accounts, supposedly because someone unsuccessfully attempted to log into it too many times. The rest of the generic info presented on the message body is taken from “WhoIs” services, and the goal is to trick the victim into following the link to the phishing site.

Source: Kaspersky

There, they will find a pretty unconvincing login page that looks as fake as it is. If the victimized account holder is still in panic mode, they will enter their credentials, card number and CVV, full name, billing address, and everything the actor needs to steal the domain.

All of this data is requested on the excuse that the account holder needs to verify themselves, their payment method, and their personal details, supposedly to confirm that it’s really that person, and give them the keys to the site back.

Source: Kaspersky

Whenever you receive emails that make claims of this kind, open a new tab, find the platform's official website through Google search and log in on that page. If any messages need your attention, you will see them on the alerts.

Never follow buttons or links arriving via email, and never act hastily. Finally, if you haven’t already activated 2FA to protect your account, go ahead and do it right away.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: