A new phishing attack attempts to steal Web hosting login credentials from Yahoo Inc. and other service providers.
Security researchers at Trusteer Inc. issued an advisory warning of the new phishing attack, which was detected last week. Customers who use content management systems run by Yahoo and other service providers are receiving phony emails that ask website owners to confirm their account information.
The phony emails ask for FTP account credentials and other sensitive data. Once the information is passed on to the cybercriminals, they use the stolen account data to set up fake website bank pages to steal funds.
Trusteer said in addition to FTP credentials, the email requests cPanel login information. CPanel is a popular content management system used to manage websites, including control FTP accounts. Once in control, the cybercriminals can upload content, including malicious code.
"Over the past few days, Trusteer's security monitoring service has detected a phishing email campaign targeting owners of cPanel-based sites at various hosting providers," the company said in its advisory.
Amit Klein CTO of Trusteer said cybercriminals have been using cPanel-based sites over the past several months to commit banking fraud. The cPanel and Yahoo hosted sites are smaller and get less traffic, but cybercriminals can control them for longer periods without being detected, Klein said.
"By stealing cPanel login credentials, criminals do not need to use hacking tools to upload content to a website, and therefore can avoid detection until after they have siphoned funds from consumer and business banking accounts," Klein said in a statement.
It is unclear where the phishing emails originate. The Trusteer advisory says researchers traced them back to a domain in the U.K. with an IP address that resolves in the Philippines.
In September researchers discovered attackers targeting Yahoo using automated brute force password attacks. The attackers targeted the webmail accounts of Yahoo and other services by bypassing the traditional Web login interface using automated scripts that cycle through common passwords and possible user names. The Web Application Security Consortium Distributed Open Proxy Honeypot project, maintained by researchers at Breach Security Inc., has been monitoring the attacks over the last several months.