Cyber-criminals running phishing campaigns have added a new trick to their operations and are now using temporary URLs set up by Web hosting companies, which under normal circumstances should not exist more than a few days.
When a user buys a shared Web hosting package, some companies will set up the user’s account at the URL: http://hosting-company-server-name.com/~username.
As soon as the user adds a domain to his account, the main domain should supersede this URL, which should be deleted, at least in theory. According to security firm, some hosting providers don’t.
Attackers that manage to hack a client running on a shared Web hosting provider, and then escalate their access to the nearby clients or the hacked server itself, will have access to a large number of possible phishing URLs by default.
If the Web hosting provider doesn’t delete the aforementioned temporary URLs, this number doubles, giving them more time to host their phishing campaigns, which are known to be very effective in their first hours.
Users that host their websites on shared servers should check to see if their provider uses temporary URLs for their accounts and ask them to fix the issue.
Hosting companies should also use bare IP addresses instead of temporary URLs, a technique that reduces the possibility of phishers misusing hacked domains.