Attempted BlueHost Phishing Attack

Just got this phishing attempt purporting to be a domain change notification.

Raw source (slightly edited to remove my email address, and with added line breaks to keep the block from spilling into my right-hand links column):

Delivered-To: [my email address]
Received: by 10.129.168.138 with SMTP id f132csp137359ywh;
Tue, 16 May 2017 04:25:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013524lfj.182.1494933668196;
Tue, 16 May 2017 04:21:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013498lfj.182.1494933666719;
Tue, 16 May 2017 04:21:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1494933666; cv=none;
d=google.com; s=arc-20160816;
b=EkN54HW9eTyfd0jOfsRVNR0X/FcZbGItIa0uZOBR4HJp7/98oZ6n1B7FLmwrWmZrv4
5dDu5xxwEZUzXOGnickvxjN/j4xeYRwg4QRKcl1oGU/sN1/28cbmMhz+cPm/9IiocabJ
lbM3KY9yS06l8Tqks6NqCjYu37tBecVsdXCIDs97H8jlGMftPJtfHwSjp4NB8
Atmse85rgzAUDI3VQ0heJUNaej7eJ3iQZUoO4WUrE2a83+zL1RFIxhMy
xwuntOSRaMWqjkjUb0z pwB6DYLaFL6I4OBemO2fQ9KPAVSArN+W6yiD/
WTdHOH80EG6taU55R0BSe3v0Cm/JSjA
tGng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:content-transfer-encoding:mime-version:from:subject
:to:delivery-date:arc-authentication-results;
bh=3vPc/J8rnDJTfIYUKavWvnMr/
efHU9EsfJ+Vu6fidbs=;b=fgaxPBNn1/vQIC45obi02J30mqqvoJ8yrp
N9bGIHG2rvWt1Qmtxt4ik7dyARWJDqzvOQnNMHX+
4bC1fVD1qcmjntpe0fkMR8HbYywI8r3k3rZArnj79fVoWJX
wzb0akib3zyGGSFLS+nZ1fkCdPfmU96JmPYevKmB3l0v86yU/
aj2WqNE+Olvc6s14wuBXia8rzGtWtsLHIlm2zmqS2NFLNTv
CapcNPx8ZQvOQEA37pv6oRmlnz/XOg7Rwi4dIrzaAbtY8wv0sI/29
EjXFkxsVgvXKHIRVc685xWXYuYKATJGIzfccUNJaP/
TBuhLI7uS8uo7QBkm+B21jhl0x
AnNw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Return-Path:
Received: from annika.timeweb.ru (annika.timeweb.ru. [2a03:6f00:1::5c35:605f])
by mx.google.com with ESMTPS id p5si688773lfp.49.2017.05.16.04.21.06
for
(version=TLS1_2 cipher=AES128-SHA bits=128/128);
Tue, 16 May 2017 04:21:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) client-ip=2a03:6f00:1::5c35:605f;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Delivery-date: Tue, 16 May 2017 14:21:06 +0300
To: lawrenceperson@gmail.com
Subject: Domain: BATTLESWARMBLOG.COM. Warning 5946
From: Bluehost
X-Priority: 4 (Low)
Mime-Version: 1.0
X-Mailer: Php_libMail_v_2.0(webi.ru)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
Message-Id:
Date: Tue, 16 May 2017 14:21:06 +0300

RGVhciBCbHVlaG9zdCBjdXN0b21lciBMQVdSRU5DRSBQRVJTT04s
DQoNClRoaXMgbm90aWZpY2F0aW9uIGlzIGdlbmVyYXRlZCBhdXRvb
WF0aWNhbGx5IGFzIGEgc2VydmljZSB0byB5b3UuDQpXZSBoYXZlI
HJlY2VpdmVkIGEgcmVxdWVzdCB0aGF0IHRoZSBuYW1lIHNlcnZlcn
MgYmUgY2hhbmdlZCBmb3IgdGhlIGZvbGxvd2luZyBkb21haW4gbm
FtZShzKToNCg0KQkFUVExFU1dBUk1CTE9HLkNPTQ0KDQpJZiB5b3U
gYXJlIG1vbml0b3JpbmcgdGhpcyBuYW1lIHdpdGggRG9tYWluIEJh
Y2tvcmRlcnMsIHRoZSBhYm92ZSBjaGFuZ2UgaXMgYWxzbyBkaXNwb
GF5ZWQgaW4gdGhlICJNb25pdG9yaW5nIGFuZCBCYWNrb3JkZXJpbm
ciIHNlY3Rpb24gb2YgeW91ciBBY2NvdW50IE1hbmFnZXIuDQoNCmh
0dHA6Ly9teS5ibHVlaG9zdC5jb20uNjczMjcxY2M0N2MxYTRlNzdm
NTdlMjM5ZWQ0ZDI4YTcuZm9vb3BlcnRvLmNsaWVudC5jb29wZXJ0a
W5vLXRlc3QucnUvZG9tYWluL2x4eHZrbWhtem8uaHRtDQoNClRo
YW5rIHlvdSwNCkJsdWVob3N0DQpUb2xsIEZyZWU6ICg4ODgpIDQw
MS00Njg4DQpPdXRzaWRlIFVTOiAxKyg4MDEpIDc1Ni05NTAw


And here's the decoded (base64) message payload:

Dear Bluehost customer LAWRENCE PERSON,

This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):

BATTLESWARMBLOG.COM

If you are monitoring this name with Domain Backorders, the above change is also displayed in the “Monitoring and Backordering” section of your Account Manager.

http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto.
client.coopertino-test.ru/domain/lxxvkmhmzo.htm

Thank you,
Bluehost
Toll Free: (888) 401-4688
Outside US: 1+(801) 756-9500


Note the .ru domain in the phishing link; the phishing URL also suggests this attempt is geared at Mac users.

I don't think I was personally targeted; this was probably sent out to every BlueHost domain contact email address the spammers could find.

I'm posting this as a warning to other BlueHost domain owners (and, in fact, anyone else who has a hosted domain): 1. Don't click suspicious email links. 2. When in doubt, every email link is suspicious. Log into your domain hosting control panel directly, as you normally would, and contact your hosting company that way.

This was a clumsy attempt. Additional phishing attacks are likely to be more sophisticated. Let the blogger beware…
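As an added example (not code from the original post), here is a small Python triage script that undoes the base64 Content-Transfer-Encoding the way this message was encoded, pulls every URL out of the body, and checks each URL's registrable domain against the brand's real one, so the my.bluehost.com.<hex>... prefix trick above and the bandfromthezoo.com variant in the comments both get flagged as lookalikes. The sample message is constructed, the legitimate domain (bluehost.com) is an assumption passed in as a parameter, and the last-two-labels domain rule is a simplification noted in the code.

```python
import base64
import email
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the message above (not the original bytes):
# a base64-encoded text/plain body with two lookalike URLs and one real one.
BODY = (
    "Dear Bluehost customer,\r\n"
    "We have received a request that the name servers be changed.\r\n"
    "http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto."
    "client.coopertino-test.ru/domain/lxxvkmhmzo.htm\r\n"
    "http://my.bluehost.com.d7488039246a405baf6a7cbc3613a56f."
    "bandfromthezoo.com/account/8305/confirm.html\r\n"
    "https://www.bluehost.com/\r\n"
)
RAW_MESSAGE = (
    "From: Bluehost\r\n"
    "Subject: Domain: EXAMPLE.COM. Warning 5946\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(BODY.encode("utf-8")).decode("ascii")
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def decoded_body(raw):
    """Parse the raw message and undo its Content-Transfer-Encoding."""
    return email.message_from_string(raw).get_payload(decode=True).decode("utf-8", "replace")

def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Assumption for brevity; real tooling
    should consult the Public Suffix List (co.uk and friends need three)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_url(url, brand_domain):
    """'legitimate' when the registrable domain is the brand's own; 'lookalike'
    when the brand's domain only appears as leading labels of a hostname that
    actually resolves under someone else's domain; 'other' otherwise."""
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) == brand_domain:
        return "legitimate"
    if f".{brand_domain}." in f".{host}.":
        return "lookalike"
    return "other"

def triage(raw, brand_domain="bluehost.com"):
    """Every URL in the decoded body paired with its verdict, in body order."""
    return [(u, classify_url(u, brand_domain)) for u in URL_RE.findall(decoded_body(raw))]
```

The point the verdicts make is the one from the comment below: the hostname is read right to left, and only the registrable domain at the end says who actually receives the click.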


10 Responses to “Attempted BlueHost Phishing Attack”

  1. Thanks, mate! I got an identical e-mail this morning, and found your post when I Googled the customer service number in the e-mail. Clicking the link in the e-mail sends you to a Bluehost login screen. The URL for the login screen is http://my.bluehost.com.b5b8c484824d8a06f4f3d570bc420313.goolerm.client.coopertino-test.ru/domain/jdzyduigaz.htm, which looks legit if you stop reading at the random string of numbers and letters and don’t get as far as the actual domain name, coopertino-test.ru.

  2. Joshua says:

    Thank you. Got the same email also. thinkpcparts.com

  3. maddie says:

    Thanks, got the same.

  4. isabel says:

    I got this today as well. I didn’t click on the link

  5. KL says:

    Thanks for posting this. Today I received one of these saying my Bluehost account was over its SQL database limit. I saw the “.ru” in the URL and immediately had suspicions. Chatted with Bluehost Support and they asked me to send the header info and the text of the email to “tos@bluehost.com”.

  6. KL says:

    BTW – Love the blogroll. David Burge and NR rock.

  7. […] from Bluehost should be coming from. A Google search on that showed that this email was part of an ongoing phishing campaign against Bluehost customers. Later on in the email the URLs being linked to are intended to look like it is Bluehost by starting […]

  8. VC says:

    Got one today – November 2017

  9. AK says:

    Got one today, Dec 2017

  10. Dan says:

    Just got a slightly different one today. ip2location shows the below IP as Switzerland:

    Dear Customer MY CUSTOMER’S NAME. Confirm Your Identify.

    An unknown user was trying to login your JustHost account with an incorrect password on 30.03.2018 01:22 GMT, and with an unknown DNS IP Location: (Egypt) ip=195.15.9.64, as a result of that we partially blocked your JustHost accounts due to major security protocols.

    Kindly visit our Bluehost account reactivation Center. Use link below:
    http://my.bluehost.com.d7488039246a405baf6a7cbc3613a56f.bandfromthezoo.com/account/8305/confirm.html

    We are sincerely sorry for any inconvenience.
    Bluehost Customer Support.
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    Copyright (c) 1999-2016 Bluehost.com, LLC. All rights reserved.
