15 Oct SiteGround Phishing Attack
We utilize SiteGround to host a number of our blogs and websites. So, we’re on the lookout for any notifications that come from them, especially anything that has to do with billing. The last thing that we want is a potential service interruption. That would take all of our websites offline, including this one!
Today, I received an email that appeared to come from SiteGround, but after a few seconds of inspection, I quickly realized that it was a phishing attempt. The timing of this couldn’t really be any more perfect because I posted an article yesterday on 17 Social Engineering Red Flags to Watch Out For.
This particular attempt wasn’t all that sophisticated, but I thought it was worth using to further highlight things to look for.
Example of a Phishing Attempt Trying to Scam SiteGround Customers
Here’s a quick video that points out the things I noticed right away:
As you’ll see in the video there were a few things that were dead giveaways:
Sender domain
The sender domain was not siteground.com.
In fact, it wasn’t even close. Again, this wasn’t a super hard to spot phishing attack. With that being said, this is a good teaching point to always verify the sender domain.
More sophisticated attempts might utilize domains that are closer to the actual business name. This is something that we all need to be aware of and prepared for. It’s not hard for attackers to register a better disguised domain. The attacker behind the email I received today were just lazy. For example, in less than 15 seconds I went to GoDaddy and looked up the domain sitegroundbilling.com, which is currently available for less than $1.
Had the attacker utilized something like this, I may have not spotted the attempt right away.
I would expect more attempts to continue, so be on alert for domains that you don’t recognize. And even if they seem like they might be legit, make sure you validate it with a direct representative at the company first.
Weird links
When I hovered over the link to “Update Billing”, I could clearly see that this would not take me to the SiteGround website.
Formatting and grammar issues
In my review, I noticed that none of the social media icons were linked. Any real email that comes from SiteGround support would provide the correct links to alternate support channels.
Additionally, the wording in the email is a hot mess. It’s obviously not proofread and comes from a non-English speaker. “Our billing system has detected that this service will be expired in two days.”
This should have read: “Our billing system has detected that your service will expire in two days.”
A more sophisticated system would at the very least use Grammarly, which is why it’s important to look out for other signals.
Generic greeting
One last thing I forgot to mention in my video review was that the email greeting used “Dear Client”.
Almost any automated billing email that comes from a credible company will address the point of contact on file. Because the attacker doesn’t have this information, they used a more generic title.
Not addressing you by your name should immediately raise an eyebrow. But don’t let use of your name be the only thing that confirms legitimacy. Personal information can often be pulled from other sources and used to build trust.
Are Website Owners Under Attack?
Although this phishing attempt was easy to spot, it makes me think about phishing attacks on a larger scale.
In terms of potential targets, website owners are easy prey. Unless you register your domain privately, it’s not hard to use a tool like who.is to lookup information on it.
And even when domains are registered privately, most websites have some type of email address or contact information on the website that can be scraped. On top of that, it wouldn’t be difficult for attackers to write a script that attempts to send the phishing email to commonly used addresses like info, support, contact, admin, etc. These addresses are often those utilized during account setup as well.
Beyond being publicly accessible, website owners have access to sensitive information. Now in this particular attempt, the attacker’s goal was to collect credit card information, likely with the intent to commit fraud. But what type of impact would there be if I had provided the malicious entity access to our web hosting account itself? This would grant the attacker access to the web server, and depending on the websites hosted on that account, this could impact hundreds (if not thousands of other people).
Per my research, there are over 2 million websites hosted on SiteGround. And they only make up around 2% of the shared hosting market. I imagine that if phishing attacks have started to try and leverage their brand to dupe site owners, then it’s likely other hosting companies are being utilized as well. Think GoDaddy, BlueHost, HostGator, and many other well-known companies.
It’s only a matter of time before these attempts get less sloppy. As site owners, we’ll need to stay vigilant and be sure to communicate directly with hosting providers.
I’m interested in learning more about the future of phishing attempts against website owners. I’ll continue to update this post over time with additional findings. If you happen to have experience any other phishing attempts utilizing SiteGround’s name, or another web hosting company, please feel free to reach out to info@gogetsecure.com. I’d like to further document these attempts to help keep us all better informed and safe.