One of the latest email scams to come our way is quite convincing and aimed squarely at website owners and managers. This particular email landed in my inbox earlier this week and is worded in such a way that it could pass for legitimate correspondence.

The email in question warns that outbound email services have been disabled on the hosting account because of forum email spam. In the case of the targeted account, this immediately sets off some red flags, as the client's website does not host a forum. Still, many hosting environments offer automated forum software, and it's possible that it had been turned on at some point and simply never integrated into the website. The real red flag shows itself further into the email, with the reset link. The first part of the link checks out, as does the end; however, if you look at the center of the URL you will notice something that shouldn't be there. Missing this would be easy, as the address is hidden inside an otherwise legitimate-looking URL string.

We are contacting you today because we have disabled your outbound email services temporarily.
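The link check described above can be automated. The following is an added example, not part of the original post: it parses a link and reports where the browser would really connect. The expected domain `bluehost.com`, the host `my.bluehost.com`, the `/login` path and the sample links are assumptions constructed for illustration, since the actual URL from the email is not reproduced here.

```python
from urllib.parse import urlsplit

EXPECTED = "bluehost.com"  # assumption: the domain the email claims to link to

def inspect_link(url, expected=EXPECTED):
    """Return a list of findings; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    # hostname is what the browser actually connects to; the rest is decoration.
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if host != expected and not host.endswith("." + expected):
        findings.append("host-mismatch:" + host)
        # Report where the familiar domain was placed to make the link look right.
        userinfo = parts.netloc.rpartition("@")[0].lower()
        if expected in userinfo:
            findings.append("expected-domain-in-userinfo")
        if expected in host:
            findings.append("expected-domain-embedded-in-host")
        if expected in (parts.path + "?" + parts.query).lower():
            findings.append("expected-domain-in-path-or-query")
    return findings

# Constructed sample links (example.net is a reserved documentation domain).
SAMPLES = [
    "https://my.bluehost.com/login",
    "http://my.bluehost.com.example.net/login",
    "http://my.bluehost.com@example.net/login",
    "https://example.net/my.bluehost.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link) or "no findings")
```

The comparison is against the end of the hostname, so a familiar name at the start or in the middle of the link never counts as a match.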

If the URL is followed (which we wouldn't recommend), it leads to a very convincing-looking Bluehost sign-in page. One obvious giveaway, however, is the fact that the page is not secure. The real Bluehost login page features a green SSL secure icon to the left of the URL bar. On the hoax site this element is missing. In general this is one of the best tells when determining if a website is a hoax, as any website with a login screen should use an SSL certificate.

Note the green “Secure” icon on the top (REAL) versus the bottom (Hoax).

If a user is unfortunate enough to try to log in to the hoax website, their username and password will be recorded and they will then be redirected to the real version of the hosting website. After the first failed login attempt, the user will gain access to their account normally, be unable to find the source of the original warning, and most likely choose not to look into the matter further. The problem is that the scammers now have access to the account and can either try to extort the owner for money directly or mine the account for valuable information.

If you happen to encounter this scam or a similar hoax, you have a short window of time to try to protect your account. Immediately go to the legitimate login screen for your website hosting account. Log in and change all of your passwords. Make sure you check whether the account recovery email address has been changed as well, since this could allow the scammers to undo your password reset. Also, make sure none of your other account information has been altered. If your passwords have been altered before you are able to reset them, you must immediately call your website hosting provider, and they will need to confirm your identity. In either case, you should contact your host provider and inform them of the email so that they can crack down on the scam.