Please be advised that on October 8, 2010 at 5:30 pm CST, we received a Security Alert email from Media Temple.
Malicious hackers are posing as Media Temple and sending out emails to their customers requesting their hosting username and password.
Hackers are trying to trick their customers into “thinking” there's a dangerous phishing page on their sites and they “need” to fix it for them.
Media Temple's Security Alert email reads as follows:
It has been brought to our attention that a small percentage of our customers have received emails requesting login information from a source claiming to be Media Temple. This is part of a larger attack affecting several large webhosting providers at this time. This is clearly an attempt to retrieve passwords, which we would never solicit via email.
Many of you might ask “How did they get my email address?”. These email contacts are most likely being pulled from WHOIS data — public information containing details of a domain registration. From this data, the attacker can easily determine the hosting provider. They then simply insert these details into an email “template” before sending them.
If you have responded to an email of this nature, from any company, immediately change your AccountCenter password to protect yourself. If this same password is shared with other accounts please take the appropriate steps to change those as well.
If you are unsure whether you have received such an email please see an example on our weblog at:
http://weblog.mediatemple.net/2010/10/08/important-security-alert/
We would like to reiterate that (mt) Media Temple follows the standard practice of NEVER requesting login information via email. Thank you for your cooperation and please contact us if you have any questions.
Best Regards,
(mt) Media Temple
Here's an example of one of the hacker's emails look like…
Hello,
We receive a complaint about phishing page in your web hosting account. The complaint came from Verisign inc. There is a page in your hosting account that collects personal account details and disguise as legitimate Lloyds TSB Bank PLC. That webpages have been broadly distributed to individuals by a person or entity pretending to be Lloyds TSB Bank PLC.
Please provide me with your hosting username and password so we can delete that phishing page from our server. Just reply this email with the information we needed so we can fix it immediately.
Thank you
(mt) Media Temple, Inc.
Patrick Rigney
Technical Support Manager
8520 National Blvd. Building A
Culver City, CA 90232
we appreciate your rapid response
As MediaTemple has said, if you receive an email that requests your login information, do not respond.
As a security precaution, you should never give your login details to anyone via email.
We have not had time to do any forensics on this issue, but wanted to give you a quick heads up.
After reading Media Temple's statement above, I personally find it really odd that hackers would spend their time searching the WHOIS database looking for websites hosted at Media Temple and that have their email addresses displayed publicly so they could send out these emails.
We need your help…
We are trying to determine how widespread this is and which hosting companies and types of hosting have been affected.
If you've received one of these suspicious emails let us know and if it's different then the sample above. Also tell us who you host with and if you're on shared or dedicated hosting. Leave a comment below.
Securely yours,
Regina Smola
WordPress Security Specialist
Follow on Twitter @WPSecurityLock
Become a Facebook Fan
Leave a Reply