Beware of BlueHost Phishing Emails!

Look out for these in your inbox!

This week, a few of our clients have received emails from BlueHost – or so it would seem. Each of the emails states:

“Your account contains more than [some number] directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation.”

The BlueHost phishing email goes on to suggest that this problem can be solved by creating a special “tmp directory” and includes what appears to be a login link. I received one of these emails because my domains are all registered through BlueHost (though I now host all my sites at WPEngine).

Here is what it looked like:

[Image: BlueHost phishing email scam]

Beware! This email is not from BlueHost!

This email is a “phishing” email and if you receive it, you should delete it immediately. Do not click the link.

Not sure what phishing is? Wikipedia provides this easily understood definition: “[p]hishing is the illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details […], often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.” You can read more about phishing here.

How do we know this email is fake?

Our first tip that the email is not real comes from looking at the sender's email address.

[Image: sender address of the BlueHost phishing email as shown in Gmail]

Notice it says “alerts056@bluehost.com via hovhaness.dreamhost.com.” In Gmail, “via” indicates that the message was sent from a server other than the one belonging to the domain in the sender's address. Gmail displays this information because many of the services that send email on behalf of others don't verify that the sender name given actually matches that email address. In this case, someone pretending to be BlueHost sent the email from a DreamHost server. The fact that the email did not come from BlueHost's servers is your first tip that something is amiss.

The second flag would come if you were to click the link.

[Image: the fake BlueHost login website]

You can see what appears to be BlueHost's website. It is actually a near-exact replica, except for one thing: the address bar does not say bluehost.com. The link in the email took you to a copy of BlueHost's website, built to get you to enter your username and password, which would then be recorded and handed to the person who maliciously sent the email.
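Both checks above (the sender's domain versus the server that actually relayed the message, and the link's host versus bluehost.com) can be automated. The following is an added Python example, not code from the original post; it parses a constructed message that reuses the relay host and From address quoted above, while the link host is a made-up placeholder because the post does not name the real lookalike domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message described above. The relay host and
# From address are the ones quoted in the post; the link host is a placeholder
# stand-in for the lookalike site (the post does not name the real domain).
RAW_EMAIL = """\
Received: from hovhaness.dreamhost.com (hovhaness.dreamhost.com [192.0.2.10])
    by mx.example.net with ESMTP id abc123
From: BlueHost Alerts <alerts056@bluehost.com>
To: customer@example.net
Subject: Your account contains more than 1000 directories
Content-Type: text/html

<p>Please reduce the number of directories for your account.</p>
<a href="http://bluehost-login.example/cpanel/">Log in to fix this</a>
"""

EXPECTED_BRAND_DOMAIN = "bluehost.com"

def registered_domain(host):
    """Last two labels ('hovhaness.dreamhost.com' -> 'dreamhost.com'); a crude
    stand-in for a public-suffix lookup that is fine for .com hosts."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def relay_hosts(msg):
    """Hostnames named in 'Received: from <host> ...' headers, newest first."""
    hosts = []
    for received in msg.get_all("Received", []):
        match = re.match(r"\s*from\s+([\w.-]+)", str(received))
        if match:
            hosts.append(match.group(1).lower())
    return hosts

def analyze(raw):
    """Return red flags: relays outside the From domain (the mismatch behind
    Gmail's 'via' note) and links that do not point at the claimed brand."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = registered_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    findings = []
    for host in relay_hosts(msg):
        if registered_domain(host) != from_domain:
            findings.append(f"From claims {from_domain} but relayed via {host}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in re.findall(r'href="([^"]+)"', body):
        link_host = (urlparse(url).hostname or "").lower()
        if registered_domain(link_host) != EXPECTED_BRAND_DOMAIN:
            findings.append(f"link points at {link_host}, not {EXPECTED_BRAND_DOMAIN}")
    return findings
```

Run `analyze(RAW_EMAIL)` to get both red flags; a message relayed from a bluehost.com host and linking to my.bluehost.com produces an empty list.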

What if you already clicked the link and "logged in"?

If you already clicked the link and tried to log into your BlueHost account, thereby giving your domain or username and password to the phisher, you should:

  1. IMMEDIATELY go to https://my.bluehost.com/hosting/cpanel, log into your account and change your password. Make sure it is a strong password with random letters, numbers, and symbols. Don't use things like the city where you live or any other recognizable words.
  2. Next, you should call customer support at BlueHost and inform them of the situation to see if they have any other suggestions.
  3. Then take a deep breath and chalk it up to lessons learned. Next time you'll know what to look for if you get another suspicious email.

And Remember...

It is not good practice to click these links, because sometimes merely visiting a URL can install keylogging software or other malware/viruses on your computer. We only did this on a junk computer for the purposes of education, then wiped it afterward. In the future, try your best to identify these emails without clicking any suspicious links. If you're unsure whether an email is spam or a phishing attempt, get in touch with us; we'd be happy to help you get to the bottom of it.

Thoughts or Questions?

Our blog does not accept comments, but we want to know what you think! Tag us on Twitter to get the conversation started or contact us.