Posts Tagged ‘BlueHost’

Another Bluehost Phishing Email

Saturday, September 2nd, 2017

Remember the previous Bluehost phishing attack I mentioned?

Today I got another one.

Here’s the raw source (with a few inserted line breaks to keep it from running into the right-hand column).

Headers:

Message ID
Created at: Sat, Sep 2, 2017 at 12:50 AM (Delivered after 3 seconds)
From: Bluehost
To: lawrencepersonXXXXX@gmail.com
Subject: Request to reset your domain associated with this e-mail address
SPF: PASS with IP 74.220.222.232

(XXXXX added to email address here and below to defeat spambot scrapers.)

Payload

Delivered-To: lawrencepersonXXXXX@gmail.com
Received: by 10.129.53.151 with SMTP id c145csp343693ywa;
Fri, 1 Sep 2017 22:54:47 -0700 (PDT)
X-Received: by 10.99.120.71 with SMTP id t68mr4941018pgc.177.1504331447706;
Fri, 01 Sep 2017 22:50:47 -0700 (PDT)
X-Google-Smtp-Source: ADKCNb5s73v956ds860PK1kR3YVGj/j+bLV2uYQNDDlbJ/kZIPjlLkqlSdvnwz3d/dZQs6C8Ug2m
X-Received: by 10.99.120.71 with SMTP id t68mr4941001pgc.177.1504331446972;
Fri, 01 Sep 2017 22:50:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1504331446; cv=none;
d=google.com; s=arc-20160816;
b=QOjWmOjsvjB9+8HswySoFQOQ4lsCvpPME27NN9zJfx8
gZofrql3IwevgfSp0e1Btxg
aIL8DmnXCGllyd8AvPrBrN/Ly3+iKtBxdbk3oua+d9vYBYOgYWcLW
+kMvQAcV81hB1El
PXLWVLUV78BXenGJMUIs0voePL345QIlDhjigRRvOYs4/cOFXhr/
0nE0A+F45lneFaUx
oG7oYSk3QBVJtvwWUd2z1ksn24R8kTgwWfFZGqVEUm6fji4tA6J1Qv
1IwL7GWDtmI/ab
pdU/Dh9cvT3lR2bDOFQaSje0NQuibGyFY3ouNGDdRygJIJKjldi
EoUsqxE1zCoCrfZU1
l+Dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:cc:from:content-transfer-encoding:mime-version
:subject:to:arc-authentication-results;
bh=pAtFnsm7hK/sCRTeHL/WZ2Afvt74elEbNil2YQ/rHSk=;
b=t9vALxsoLpH2sKGGjbqvx/KAJOGJQaT/2qVFWCaNXJOybuHwoMGmaRh1
eP62jnkD5s
nQXOsgK3wQfj/l2Nq1tuA05l+FfQgRlLFSFs/4YKSjcrIveLp/ht/ergUZGv1ydawsDk
PdNYonJnmlykTW7HQxAhtRbbFP5dohfLGcGcdUmOsV6XjUZQK+
9agN78MxBBfFj33V7j
aUCkZ/BINSFb2Jt4IzOaQdnnVzoBwY8R1aLg0+GdVf26wZuYLBiN
hAXOJY1SVCjGrrwd
GiGw2eMbMyG5V1VjGlhJPx8Wan7eA/lXr+hrwnuEalFaGk66Ni8lV7
nADN9StIh7AyMp
aY7Q==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of doorsofv@box1175.bluehost.com designates 74.220.222.232 as permitted sender) smtp.mailfrom=doorsofv@box1175.bluehost.com
Return-Path:
Received: from outbound-ss-1849.hostmonster.com ([74.220.222.232])
by mx.google.com with ESMTPS id a2si1461087pll.210.2017.09.01.22.50.46
for
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 01 Sep 2017 22:50:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of doorsofv@box1175.bluehost.com designates 74.220.222.232 as permitted sender) client-ip=74.220.222.232;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of doorsofv@box1175.bluehost.com designates 74.220.222.232 as permitted sender) smtp.mailfrom=doorsofv@box1175.bluehost.com
Received: from cmgw2 (cmgw2.unifiedlayer.com [67.20.127.202]) by soproxy7.mail.unifiedlayer.com (Postfix) with ESMTP id 84A09215C39 for ; Fri,
1 Sep 2017 23:50:46 -0600 (MDT)
Received: from box1175.bluehost.com ([50.87.248.175]) by cmgw2 with id 4Vqj1w00l3no00q01Vqmx1; Fri, 01 Sep 2017 23:50:46 -0600
X-Authority-Analysis: v=2.2 cv=IspuSP3g c=1 sm=1 tr=0 a=ZGpYF3R9av1KVggUQYjyig==:117 a=ZGpYF3R9av1KVggUQYjyig==:17 a=IkcTkHD0fZMA:10 a=2JCJgTwv5E4A:10 a=eLEXLPMnAAAA:8 a=cNaOj0WVAAAA:8 a=3gznCMWBZ5u3K-Cr9X4A:9 a=8jPl8b1L-dkswZAf:21 a=7g7r5GJnjx26k2DO:21 a=L4Rp5h-_gRjJhvEI:21 a=QEXdDO2ut3YA:10 a=TnA9z4vs7e96t_Vj_DNd:22
Received: from doorsofv by box1175.bluehost.com with local (Exim 4.87) (envelope-from ) id 1do1KN-003TIa-D2 for lawrencepersonXXXXX@gmail.com; Fri, 01 Sep 2017 23:50:43 -0600
To: lawrencepersonXXXXX@gmail.com
Subject: Request to reset your domain associated with this e-mail address
X-PHP-Originating-Script: 1982:mail.php
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Bluehost
Cc:
Message-Id:
Date: Fri, 01 Sep 2017 23:50:43 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box1175.bluehost.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1982 1982] / [47 12]
X-AntiAbuse: Sender Address Domain - box1175.bluehost.com
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: 1do1KN-003TIa-D2
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender:
X-Source-Auth: doorsofv
X-Email-Count: 38
X-Source-Cap: ZG9vcnNvZnY7ZG9vcnNvZnY7Ym94MTE3NS5ibHVlaG9zdC5jb20=
X-Local-Domain: yes


=09

=09=09

=09=09=09

=09=09

=09=09

=09=09=09

=09=09

=09

3D'Bluehost'
=09=09=20
=09=09=09=09

=09=09=09=09We received a request to reset your domain associated with this=
e-mail address.

=09=09=09=09This request was generated by a user clicking the 'Domain Reset=
' link. If you want it to be reset, then you can safely ignore this message=
.
=09=09=09=09

=09=09=09=09

=09=09=09=09If you did not request to have your domain reset, or do not wan=
t it to be reset, please protect your domain. You can refuse this request a=
nd securely reset your password by clicking the link below:=20
=09=09=09=09

=09=09=09=09=20
=09=09=09=09

=09=09=09=09https://my.bluehost.com/web-hosting/password/
=09=09=09=09

=09=09=09=09=20
=09=09=09=09

=09=09=09=09Alternatively, you can copy and paste the link into your browse=
r's address window, or retype it there.
=09=09=09=09

=09=09=09=09=20
=09=09=09=09Thank you,
=09=09=09=09Bluehost Support
=09=09=09=09http://w=
ww.bluehost.com/

=09=09=09=09For support go to http://bluehost.com/help
=09=09=09


Interestingly, even though all of that is in a code tag, part of it (including the link) is still rendered. (I don’t need to tell you not to click that, do I?) I wonder if the 3D class stuff bypasses standard rendering layers.

Here’s the important segment (opening and closing greater than and less than signs omitted):

a href=3D'http://my.bluehost.pazencore.com/web-hosting/?q=3DbG=
F3cmVuY2VwZXJzb25AZ21haWwuY29tDQ=3D=3D' target=3D'_blank'>https://my.bluehost.com/web-hosting/password/

Here’s the whois registrant and admin contact for the pazencore.com domain:

Name: EDOUARD VAN DE VELDE
Organization: EDOUARDVDV
Mailing Address: BAKKUMMERSTRAAT 37, CASTRICUM 1901 HJ NL
Phone: +31.0615954306
Ext:
Fax:
Fax Ext:
Email:EDOUARDVDV@HOTMAIL.COM

More interestingly, here’s the tech contact:

Tech Contact
Name: BLUEHOST INC
Organization: BLUEHOST.COM
Mailing Address: 550 E TIMPANOGOS PKWY, OREM UTAH 84097 US
Phone: +1.8017659400
Ext:
Fax: +1.8017651992
Fax Ext:
Email:WHOIS@BLUEHOST.COM

So here we have a Bluehost phishing scam being run from a Bluehost domain.

I think it’s time to have an interesting discussion with BlueHost support…

Attempted BlueHost Phishing Attack

Tuesday, May 16th, 2017

Just got this phishing attempt purporting to be a domain change notification.

Raw source (slightly edited to remove my email address, and with added line breaks to keep the block from spilling into my right-hand links column):


Delivered-To: [my email address]
Received: by 10.129.168.138 with SMTP id f132csp137359ywh;
Tue, 16 May 2017 04:25:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013524lfj.182.1494933668196;
Tue, 16 May 2017 04:21:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013498lfj.182.1494933666719;
Tue, 16 May 2017 04:21:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1494933666; cv=none;
d=google.com; s=arc-20160816;
b=EkN54HW9eTyfd0jOfsRVNR0X/FcZbGItIa0uZOBR4HJp7/98oZ6n1B7FLmwrWmZrv4

5dDu5xxwEZUzXOGnickvxjN/j4xeYRwg4QRKcl1oGU/sN1/28cbmMhz+cPm/9IiocabJ

lbM3KY9yS06l8Tqks6NqCjYu37tBecVsdXCIDs97H8jlGMftPJtfHwSjp4NB8

Atmse85rgzAUDI3VQ0heJUNaej7eJ3iQZUoO4WUrE2a83+zL1RFIxhMy

xwuntOSRaMWqjkjUb0z pwB6DYLaFL6I4OBemO2fQ9KPAVSArN+W6yiD/

WTdHOH80EG6taU55R0BSe3v0Cm/JSjA

tGng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:content-transfer-encoding:mime-version:from:subject
:to:delivery-date:arc-authentication-results;

bh=3vPc/J8rnDJTfIYUKavWvnMr/

efHU9EsfJ+Vu6fidbs=;b=fgaxPBNn1/vQIC45obi02J30mqqvoJ8yrp

N9bGIHG2rvWt1Qmtxt4ik7dyARWJDqzvOQnNMHX+

4bC1fVD1qcmjntpe0fkMR8HbYywI8r3k3rZArnj79fVoWJX

wzb0akib3zyGGSFLS+nZ1fkCdPfmU96JmPYevKmB3l0v86yU/

aj2WqNE+Olvc6s14wuBXia8rzGtWtsLHIlm2zmqS2NFLNTv

CapcNPx8ZQvOQEA37pv6oRmlnz/XOg7Rwi4dIrzaAbtY8wv0sI/29

EjXFkxsVgvXKHIRVc685xWXYuYKATJGIzfccUNJaP/

TBuhLI7uS8uo7QBkm+B21jhl0x

AnNw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Return-Path:
Received: from annika.timeweb.ru (annika.timeweb.ru. [2a03:6f00:1::5c35:605f])
by mx.google.com with ESMTPS id p5si688773lfp.49.2017.05.16.04.21.06
for
(version=TLS1_2 cipher=AES128-SHA bits=128/128);
Tue, 16 May 2017 04:21:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) client-ip=2a03:6f00:1::5c35:605f;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Delivery-date: Tue, 16 May 2017 14:21:06 +0300
To: lawrenceperson@gmail.com
Subject: Domain: BATTLESWARMBLOG.COM. Warning 5946
From: Bluehost
X-Priority: 4 (Low)
Mime-Version: 1.0
X-Mailer: Php_libMail_v_2.0(webi.ru)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
Message-Id:
Date: Tue, 16 May 2017 14:21:06 +0300

RGVhciBCbHVlaG9zdCBjdXN0b21lciBMQVdSRU5DRSBQRVJTT04s
DQoNClRoaXMgbm90aWZpY2F0aW9uIGlzIGdlbmVyYXRlZCBhdXRvb
WF0aWNhbGx5IGFzIGEgc2VydmljZSB0byB5b3UuDQpXZSBoYXZlI
HJlY2VpdmVkIGEgcmVxdWVzdCB0aGF0IHRoZSBuYW1lIHNlcnZlcn
MgYmUgY2hhbmdlZCBmb3IgdGhlIGZvbGxvd2luZyBkb21haW4gbm
FtZShzKToNCg0KQkFUVExFU1dBUk1CTE9HLkNPTQ0KDQpJZiB5b3U
gYXJlIG1vbml0b3JpbmcgdGhpcyBuYW1lIHdpdGggRG9tYWluIEJh
Y2tvcmRlcnMsIHRoZSBhYm92ZSBjaGFuZ2UgaXMgYWxzbyBkaXNwb
GF5ZWQgaW4gdGhlICJNb25pdG9yaW5nIGFuZCBCYWNrb3JkZXJpbm
ciIHNlY3Rpb24gb2YgeW91ciBBY2NvdW50IE1hbmFnZXIuDQoNCmh
0dHA6Ly9teS5ibHVlaG9zdC5jb20uNjczMjcxY2M0N2MxYTRlNzdm
NTdlMjM5ZWQ0ZDI4YTcuZm9vb3BlcnRvLmNsaWVudC5jb29wZXJ0a
W5vLXRlc3QucnUvZG9tYWluL2x4eHZrbWhtem8uaHRtDQoNClRo
YW5rIHlvdSwNCkJsdWVob3N0DQpUb2xsIEZyZWU6ICg4ODgpIDQw
MS00Njg4DQpPdXRzaWRlIFVTOiAxKyg4MDEpIDc1Ni05NTAw


And here’s the non-encoded message payload:


Dear Bluehost customer LAWRENCE PERSON,

This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):

BATTLESWARMBLOG.COM

If you are monitoring this name with Domain Backorders, the above change is also displayed in the “Monitoring and Backordering” section of your Account Manager.

http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto.
client.coopertino-test.ru/domain/lxxvkmhmzo.htm

Thank you,
Bluehost
Toll Free: (888) 401-4688
Outside US: 1+(801) 756-9500


Note the .ru address in the phishing link, and the phishing URL suggests this attempt is geared at Mac users.

I don’t think I was personally targeted; I think this was probably sent out to every BlueHost domain contact email address the spammers could target.

I’m posting this as a warning to other BlueHost domain owners (and, in fact, anyone else who has a hosted domain): 1. Don’t click suspicious email links. 2. When in doubt, every email link is suspicious. Log into your domain hosting control panel directly like you normally would and contact your hosting company that way.

This was a clumsy attempt. Additional phishing attacks are likely to be more sophisticated. Let the blogger beware…
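A small defensive check for the two tricks shown in these posts, the anchor whose visible text says my.bluehost.com but whose href goes to pazencore.com, and the long my.bluehost.com.….coopertino-test.ru hostname: this is added example code, not from the blog, run on constructed samples modelled on the two messages. It assumes a two-label registrable domain, which is enough for .com and .ru but not for suffixes like .co.uk.

```python
import base64
import quopri
import re
from urllib.parse import urlparse

# Constructed samples modelled on the two emails in the posts (not the raw source itself).
# "=3D" is quoted-printable for "=", so href=3D'...' in the raw message is just href='...'.
QP_HTML = (b"<a href=3D'http://my.bluehost.pazencore.com/web-hosting/?q=3Dabc' "
           b"target=3D'_blank'>https://my.bluehost.com/web-hosting/password/</a>")
B64_TEXT = base64.b64encode(
    b"We have received a request that the name servers be changed.\n"
    b"http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto.client."
    b"coopertino-test.ru/domain/lxxvkmhmzo.htm\n")

ANCHOR = re.compile(r"<a\s[^>]*href=['\"]([^'\"]+)['\"][^>]*>(.*?)</a>", re.S)
URL = re.compile(r"https?://\S+")

def registrable(host):
    """Last two labels of a host. Assumption: no public-suffix list offline,
    so this is right for .com/.ru but wrong for ccSLDs such as .co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def extract_links(raw, encoding):
    """Decode a body per its Content-Transfer-Encoding and pull out links:
    HTML bodies give (href, shown text); plain text gives (url, url)."""
    body = (quopri.decodestring(raw) if encoding == "quoted-printable"
            else base64.b64decode(raw)).decode("utf-8")
    if "<a " in body:
        return [(h, t.strip()) for h, t in ANCHOR.findall(body)]
    return [(u, u) for u in URL.findall(body)]

def suspicious_links(links, expected="bluehost.com"):
    """Flag hrefs not under the claimed sender's domain, and anchors whose
    shown text names a different domain than the one the href goes to."""
    findings = []
    for href, text in links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) != expected:
            reasons.append(f"host {host} is not under {expected}")
        m = re.match(r"https?://([^/\s]+)", text)
        if m and registrable(m.group(1)) != registrable(host):
            reasons.append(f"shown as {m.group(1)} but points to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Both samples are flagged: the first for a host outside bluehost.com and for shown-text/href mismatch, the second for the host alone, since its text and link are the same .ru URL.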

Administrative Note: Blog Back Up

Thursday, May 15th, 2014

This week I’ve been having some fairly heinous performance issues with the blog, as in “takes 30 seconds to a minute to load the dashboard” heinous. After some song and dance from BlueHost support (“CPU throttling! Chinese hackers!”), they took the server (and thus my blog) offline to resolve the issue.

Both server and blog are now back up, and things are generally better performance-wise (if still not exactly snappy).