Original Release Date: 8/13/2020
cPanel and WebHost Manager (WHM) users discovered a phishing campaign posing as a security advisory from cPanel that notifies them of critical vulnerabilities in their web hosting management panel. The phishing email appears to be authentic, contains the subject line "cPanel Urgent Update Request," and includes a link to update installations that, if clicked, prompts the user to enter their cPanel credentials. Any credentials entered are sent to the threat actors. cPanel advised users that all legitimate communications originate from cpanel.net or a subdomain of cpanel.net.
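An added example, not part of the original advisory or cPanel's own tooling: a Python check of a message's From domain and link hosts against cPanel's statement that legitimate mail comes from cpanel.net or a subdomain. The sample message and its .example hosts are constructed, and a matching From header is not proof of origin because that header can be forged; the check only flags mismatches.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "cpanel.net"  # from the cPanel guidance quoted in this advisory
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_trusted_host(host):
    """True only for cpanel.net itself or a real subdomain of it."""
    host = (host or "").rstrip(".").lower()
    # The leading dot matters: "evilcpanel.net" must not match.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def triage(raw_message):
    """Return the sender verdict and every link host outside cpanel.net."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    # urlsplit().hostname drops any "user@" prefix, so
    # https://cpanel.net@host.example/ resolves to host.example.
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(text)}
    return {
        "sender_trusted": is_trusted_host(sender_host),
        "untrusted_link_hosts": sorted(
            h for h in hosts if h and not is_trusted_host(h)
        ),
    }


# Constructed sample modelled on the subject line reported above.
SAMPLE = """\
From: "cPanel Security" <advisory@cpanel-update.example>
Subject: cPanel Urgent Update Request
Content-Type: text/plain; charset=utf-8

Critical vulnerabilities were found. Update your installation now:
https://cpanel.net.update-portal.example/login
https://cpanel.net@login-check.example/whm
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```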
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to exercise caution with links, attachments, and spoofed domains received from unknown contacts; navigate directly to authentic vendor websites; keep applications up to date; and perform a complete audit of their websites for suspicious files or code. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. We advise users to review the NJCCIC product "Don’t Take the Bait! Phishing and Other Social Engineering Attacks" and NJCCIC's Cybersecurity Best Practices webpage for more information on how to keep accounts and data safe. More information can be found in the cPanel post and Bleeping Computer article.