Back to Fred Mac Donald's Blog
Phishing Email – WARNING The domain 'mydomain.com' has reached their disk quota
We noticed, and clients reported, a huge increase in a cPanel phishing email we personally have not seen in the field before.
The email…
Subject Heading: [mydomain.com] WARNING The domain "mydomain.com" has reached their disk quota.
Email Body.
Disk quota notification for "mydomain.com".
The domain "mydomain.com" has reached their disk quota.
The account currently uses 97.27% of its disk capacity.
You should follow the link bellow to auto extend your disk capacity for free as soon as possible in order to prevent the loss of any files and future emails. Use the Disk Capacity tool at https://mydomain.com:2083/?goto_app=DiskCapacity.
The system generated this notice on 2021/3/23 17:44:57.
You can disable the "User Disk Usage Warning" type of notification through the cPanel interface: https://mydomain.com:2083/?goto_app=ContactInfo_Change
Do not reply to this automated message.
A couple of pointers you can look out for.
- Typically the sender email address takes the following format: cPanelonmydomain.com@landing.globaltelecomm.com.mx
- The links to take action point to something like: https://SomeHackedDomain.com/wp-content/_cpanel.php?token=aHR0cHM6Ly9kcml2aW5nc2Nob29scG9ydGFkb3duLmNvLnVrOjIwODMv
- General spelling and grammatical errors
- I am terribly sorry, but ExelWebs will not give you any free disk space if you mismanage your hosting account.
What will happen if you click the link?
You will be taken to a page on a hacked website that looks pretty convincingly like what you would expect to see when you log into your cPanel. The most obvious indicator is the URL of the page.
What will happen if I entered my details?
The sole purpose of the phishing scam is to gain access to your cPanel and hosting account. The scammer will then access the account, upload a file or two and most probably use your website in the link in the email sent out to the next unsuspecting person or to phish for banking details or even sell viagra…
What if I already entered my details?
If you entered your lodging details into the form, change your lodging details immediately. Also, let us know as soon as possible so we can run additional scans to ensure there are no files uploaded tr existing files are not changed to hide their virus.