Beware of fake domain name suspension email notices

It has come to our attention that fake suspension email notices posing as ‘PDR’ are being sent to you and your customers as part of a phishing scam.

These emails are being sent to the registrant email address fetched via the WHOIS record associated with the Domain. Many Domain Registrars have been affected by this spear-phishing attack too.

We request you to kindly ignore these emails and do not download any files or take any actions based on instructions from such emails, as the attachments might contain malicious files.

Although the emails usually target domain owners who have domain names registered by Google Domains (source: BotCrawl), this scam is capable of targeting anyone.

The emails attempt to convince you to download password stealing malware files (source: Hoax-Slayer article), that can in turn open the door to other malware.

SAMPLE EMAIL:

===== Start of Fake message =====

In a message dated 10/26/2015 11:09:57 A.M. Pacific Daylight Time,
abuse-contact@publicdomainregistry.com writes:

Dear Sir/Madam,

The following domain names have been suspended for violation of the PDR Ltd. d/b/a
PublicDomainRegistry.com Abuse Policy:

Domain Name: DOMAIN.COM
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Name: Dale Hale

Multiple warnings were sent by PDR Ltd. d/b/a PublicDomainRegistry.com Spam and Abuse Department to
give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via
telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download (hXXp://lanacion.com.ec/abuse_report.php?DOMAIN.COM) a copy of complaints we
have received.

Please contact us by email at mailto:abuse-contact@publicdomainregistry.com for additional information
regarding this notification.

Sincerely,
PDR Ltd. d/b/a PublicDomainRegistry.com
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

===== End of Fake message =====


CryptoPHP Malware

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plugins to compromise web servers.

This turns out to be a global phenomenon, which was discovered by experts in the Netherlands through a compromised Joomla plugin on a customer’s site. The plugin had been downloaded from a legitimate-looking site that offers a list of free, compromised themes and plugins.

What is the CryptoPHP malware all about?

By downloading and installing pirated CMS themes and plugins on their own sites, users also install the CryptoPHP backdoor, which empowers attackers to exercise remote control over their sites.

The CryptoPHP malware can inject infected content into the compromised sites and even update itself.

However, the main purpose of the malware is to conduct blackhat SEO operations. Experts have detected links and text injected into the compromised pages with the sole purpose of tricking crawlers into giving the hacker sites backlink credit and PageRank.

Experts have identified thousands of plugins that have been backdoored using CryptoPHP, including both WordPress and Joomla plugins and themes and Drupal themes.

The exact number of websites affected by CryptoPHP has not been determined yet. However, specialists have reason to believe that there are at least a few thousand.

How are sites on our platform affected by CryptoPHP?

Unfortunately, a few CMS sites on our platform became the target of CryptoPHP hackers as well. Upon detecting the attack, our admins made a thorough investigation of the affected sites and found that they all contain files such as social.png, social0.png, or social1.png in their code, which are actually PHP scripts rather than PNG images.

They have managed to clean all infected sites of the malware. However, they cannot guarantee that CMS users will not be compromised again if they download a pirated CMS theme or plugin from the web.

What should I do to make sure I am not affected by CryptoPHP?

If you have ever installed pirated or untrusted WordPress / Joomla / Drupal plugins / themes / templates, you are potentially susceptible to a CryptoPHP attack.

This is why you need to take immediate measures and check your sites for files named ‘social.png’. If the file is a PHP script instead of a PNG image, you are probably backdoored.
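One way to run that check over a web root, as an added example that is not the hosting provider's own tooling: it looks for the social*.png file names described above and flags any that carry a PHP open tag or lack the PNG signature. The sample directory tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Every genuine PNG file begins with this 8-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# File names reported for the backdoor: social.png, social0.png, social1.png, ...
SUSPECT_NAME = re.compile(r"^social\d*\.png$", re.IGNORECASE)


def classify_png(path):
    """Return 'php' if the file carries a PHP open tag, 'not-png' if it lacks
    the PNG signature, or 'png' if it looks like a genuine image."""
    with open(path, "rb") as fh:
        head = fh.read(65536)
    if b"<?php" in head or b"<?=" in head:
        return "php"          # PHP script hiding behind a .png name (or a polyglot)
    if not head.startswith(PNG_SIGNATURE):
        return "not-png"      # not a PNG either; worth a manual look
    return "png"


def find_suspect_files(root):
    """Walk a web root and return (path, verdict) for every social*.png
    that is not a genuine PNG image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if SUSPECT_NAME.match(name):
                path = os.path.join(dirpath, name)
                verdict = classify_png(path)
                if verdict != "png":
                    findings.append((path, verdict))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample web root: one PHP file named social.png (a harmless
    stand-in for the backdoor) and one real PNG named social1.png."""
    root = tempfile.mkdtemp(prefix="cryptophp-demo-")
    images = os.path.join(root, "wp-content", "themes", "pirated-theme", "images")
    os.makedirs(images)
    with open(os.path.join(images, "social.png"), "wb") as fh:
        fh.write(b"<?php // constructed placeholder; not a real backdoor body\n")
    with open(os.path.join(images, "social1.png"), "wb") as fh:
        fh.write(PNG_SIGNATURE + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for path, verdict in find_suspect_files(build_demo_tree()):
        print(f"{verdict}: {path}")
```

Point `find_suspect_files` at your document root to scan a live site; anything it reports should be quarantined and compared against the theme or plugin's original distribution.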

The best way to protect yourself from the CryptoPHP malware is by making sure you download CMS themes / plugins from trusted developers’ sites and popular marketplaces.

Here you can find the whole report by the Dutch company, which diagnosed and publicized the CryptoPHP malware:

https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf