Sites Hosted by Hacking Victim Dreamhost Redirected To Scam Page

Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:32:52


A report from Web security firm zScaler finds that Web pages hosted by the firm Dreamhost are being redirected to a scam Web site in Russia following a hack of the company’s servers last month.

In a blog post, zScaler Senior Security Researcher Julien Sobrier reports that his firm, which secures Web communications, has identified hundreds of Dreamhost sites that contain a page that redirects visitors to a Russia-based Web site offering a “get rich from home” scam, as well as placeholder .com domains that have been registered in the past month, but which lack content.

The company acknowledged that attackers compromised a database containing passwords to access FTP (File Transfer Protocol) servers associated with hosting accounts on January 21. That prompted the Brea, California, company to force its customers to change passwords for file transfer and shell accounts as a precaution.

Attacks that target Web hosting firms are a common occurrence. A successful hack can give cyber criminals access to hundreds or even thousands of Web sites at once, which can then be used to host malicious code or divert visitors to sites that launch Web-based drive-by download attacks. Hosting firms like Automattic (which makes the WordPress content management platform) and GoDaddy have been linked to campaigns to install malicious programs, including the Phoenix Exploit Kit.

While no malicious activity has been linked to any of the redirected Web sites yet, zScaler said the redirects to the work-from-home scam site are just the start of what will likely be “massive abuses on websites hosted by DreamHost.”
