
Today I received a cPanel phishing link and I clicked on it. It redirected to another cPanel. I decided to look at the URL, and here it is:

Redirect URL:
https://example.net/esg9/cpanel.php?token=foofoofoofoofoofoo

After I click, it redirects again to:

https://example.example.at:2083/cpsess1234567890/?token=foofoofoofoofoofoo

I have 5 questions:

  1. Is that token mine or from the sender?
  2. Can a dynamic email be produced based on the receiver? For example, the token might be generated from the header of my email (I don't know why I have theories like this).
  3. I clicked on the link but didn't enter my credentials in that fake cPanel login. Am I safe?
  4. What should I do now? And what information should I seek?
  5. Are we doomed the moment we click the link? (We might not enter credentials, nor download any file, but our session ID, token, etc.: can the hacker get them through a POST request?)

I have also informed my hosting provider about this case.

nobody
  • Some question coaching: It looks like you're still jolted by the event - maybe take a lap around a building. There's a lot of superfluous info here - it doesn't matter if it's cPanel, your question is more general. Boil it down to one or two closely related questions. 1-2 in your question are not actually very helpful to you, they are FYI. 3-5 boil down to: how do I know if I've been a drive-by hacking victim, and what can I do about it? – sadtank Nov 20 '21 at 09:12

1 Answer


That token is likely just a way to identify a click-through. Sometimes it's an encoding of your email address or a random string used by attackers to keep track of their targets, much like how marketers keep track of engagement.

I'd plug this URL into virustotal.com to see what the scan pulls back. If the site itself is nefarious, VirusTotal is pretty good at showing that. If 1-3 scanners there say it's a bad site, it's probably fine. If more than that light up, then figure out what they alert on and whether you could be compromised in some way by simply loading the page (unlikely).

If you didn't download anything and didn't enter any info, you're probably OK. Most likely you are overthinking it.

There is value for spammers in knowing which valid emails actually have eyeballs behind them. It's likely you just made the "send this email lots of stuff" list that gets bought and sold in the spammer world. Expect more phishing emails like this as well.

Get a password manager that stores login URLs for you. Use that password manager, and only that password manager, to navigate to and authenticate to sites. Don't click links in emails and then log in; use the manager.

I recommend KeePass since it's free, but it requires some technical understanding. There are a bunch of others out there as well in the paid space.

sadtank
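As an added example (not code from the question or the answer above), here is a small Python triage helper for question 1 and the first paragraph of the answer: it pulls the `token` parameter out of a phishing URL and checks whether it is a recognisable encoding of your own address (hex digest, raw hex, or base64), or just an opaque tracking id. The recipient address `victim@example.com` and the set of encodings checked are assumptions; the URL is the first redirect from the question.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Digests a recipient-derived token is commonly built from (assumption).
DIGESTS = ("md5", "sha1", "sha256")
HEX_RE = re.compile(r"[0-9a-f]+")


def extract_token(url, param="token"):
    """Return the value of query parameter `param`, or None if absent."""
    values = parse_qs(urlparse(url).query).get(param)
    return values[0] if values else None


def candidate_encodings(email):
    """Map an encoding label to the token it would yield for `email`.

    Both the address as given and its lowercase form are covered, since
    many senders normalise case before hashing.
    """
    out = {}
    for addr in {email, email.lower()}:
        raw = addr.encode()
        for name in DIGESTS:
            out[f"{name}({addr})"] = hashlib.new(name, raw).hexdigest()
        out[f"hex({addr})"] = raw.hex()
        for label, enc in (("b64", base64.b64encode),
                           ("b64url", base64.urlsafe_b64encode)):
            value = enc(raw).decode()
            out[f"{label}({addr})"] = value
            out[f"{label}-nopad({addr})"] = value.rstrip("=")
    return out


def classify_token(url, email, param="token"):
    """Classify the tracking token in `url` relative to the recipient `email`.

    Returns (kind, detail): 'derived' when the token matches an encoding of
    the address (detail names which one), 'opaque' when it does not (detail
    gives length and alphabet), or 'missing' when the parameter is absent.
    """
    token = extract_token(url, param)
    if token is None:
        return ("missing", param)
    for label, value in candidate_encodings(email).items():
        # Hex digests are compared case-insensitively; base64 is case-sensitive.
        if token == value or (HEX_RE.fullmatch(value) and token.lower() == value):
            return ("derived", label)
    if re.fullmatch(r"[0-9a-fA-F]+", token):
        alphabet = "hex"
    elif re.fullmatch(r"[A-Za-z0-9+/=_-]+", token):
        alphabet = "base64-like"
    else:
        alphabet = "other"
    return ("opaque", f"{len(token)} chars, {alphabet}")


# Constructed sample: the first redirect URL from the question.
SAMPLE_URL = "https://example.net/esg9/cpanel.php?token=foofoofoofoofoofoo"
```

An 'opaque' result means the token is most likely a per-target random id from the sender's mailing list rather than something computed from your address; either way it identifies you as a live recipient, which is the answer's point.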