Starting July 4, I have received 78 emails which are phishing attempts. All emails originate from Chinese IP addresses. The recipient is always email@example.com.
They are always related to cPanel. I don't use cPanel for anything, and don't have it installed anywhere. Sometimes the emails are about upgrading PHP to 7.1, but still about 'cPanel'.
There are three identical links in the email: one on the cPanel logo at the top, another on the cPanel 'screenshot' image toward the bottom, and the other on the logo at the bottom. These go to mg.mail.yahoo.com/neo/launch?.rand=SOMEHASH where SOMEHASH is always the same. Not sure if this is critical; can they actually be using Yahoo email to leverage a phishing strategy?
Up until Saturday, the "other" links in the email went to the reccsar.com domain, to a single URL (PHP script). On Saturday the links were changed to the theexchequer.ie domain.
The logo at the bottom is a remote image on aspirationhosting.com, named 'cpanel logo'. I presume it is a cPanel logo.
Normally I do not bother worrying over spam/phishing emails. However, this case is odd, because somehow they are picking up every domain for which I get a signed SSL certificate. For example, this site's domain, zap.dog. I noticed it is related to SSL certificates because I also got an email for a domain registered by someone else, but I created the signed cert. Then I got the phishing email for that domain. I am not receiving emails for domains where I registered the domain but did not get SSL.
After the domain is set up on the httpd server and working, a Chinese IP shows up in the web logs using Mozilla headless (according to the UA), so it's probably taking a 'snapshot' of the site. After that, what appears to be an actual person from a Chinese IP address visits the site (to verify?).
Scenarios I'm thinking of: they are buying or stealing this data from a 3rd party that is selling SSL, or they are getting the data from the CA.
If they are into me and able to "watch" what I'm doing, why limit it to SSL certs, and why bother with phishing?
Anybody else getting these emails?
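As an added example (not part of the original post, and not code from any project or site it mentions): a small Python script that scans httpd combined-format access logs for the headless-browser "snapshot" visits described above, groups them by client IP, and then lists which non-headless clients arrived after the first such visit, which is the "someone comes back to look" pattern the poster noticed. The log lines, IP addresses (RFC 5737 documentation ranges), timestamps and the marker list `HEADLESS_MARKERS` are all constructed for the example; the marker list must be adjusted to whatever User-Agent string your own logs actually show.

```python
import re
from datetime import datetime

# Constructed sample in Apache/httpd "combined" log format (not real traffic).
# Line 1: ordinary visitor before anything happens.
# Lines 2-3: a headless browser fetching the page and its stylesheet.
# Line 4: an ordinary browser arriving after the headless visit.
# Line 5: another automation UA a day later.
SAMPLE_LOG = """\
192.0.2.44 - - [08/Jul/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
203.0.113.5 - - [08/Jul/2018:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/67.0.3396.99 Safari/537.36"
203.0.113.5 - - [08/Jul/2018:10:02:12 +0000] "GET /style.css HTTP/1.1" 200 820 "http://zap.dog/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/67.0.3396.99 Safari/537.36"
198.51.100.9 - - [08/Jul/2018:11:40:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/67.0.3396.99 Safari/537.36"
192.0.2.77 - - [09/Jul/2018:03:15:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) PhantomJS/2.1.1"
"""

# combined format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that identify common headless/automation clients. Hypothetical
# starting list; extend it with the strings your own logs show.
HEADLESS_MARKERS = ("headless", "phantomjs", "selenium", "puppeteer")


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def parse_ts(ts):
    """Parse the bracketed httpd timestamp, e.g. '08/Jul/2018:10:02:11 +0000'."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def is_headless(ua):
    """True when the User-Agent contains one of the headless/automation markers."""
    low = ua.lower()
    return any(marker in low for marker in HEADLESS_MARKERS)


def headless_hits(log_text):
    """Group requests made with a headless UA by client IP.

    Returns {ip: {"count": n, "first": first_timestamp, "paths": [...], "ua": ua}}.
    """
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_headless(rec["ua"]):
            continue
        entry = out.setdefault(
            rec["ip"], {"count": 0, "first": rec["ts"], "paths": [], "ua": rec["ua"]}
        )
        entry["count"] += 1
        entry["paths"].append(rec["path"])
    return out


def visits_after_snapshot(log_text):
    """IPs of non-headless clients whose requests arrived after the first headless request.

    This surfaces the 'snapshot, then a person looks' sequence for investigation;
    it does not by itself prove the two visitors are related.
    """
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    snapshot_times = [parse_ts(r["ts"]) for r in recs if is_headless(r["ua"])]
    if not snapshot_times:
        return []
    t0 = min(snapshot_times)
    seen = []
    for r in recs:
        if not is_headless(r["ua"]) and parse_ts(r["ts"]) > t0 and r["ip"] not in seen:
            seen.append(r["ip"])
    return seen


if __name__ == "__main__":
    for ip, info in headless_hits(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} headless request(s), first at {info['first']}, paths {info['paths']}")
    print("non-headless clients after the first snapshot:", visits_after_snapshot(SAMPLE_LOG))
```

Run it against a real file with `headless_hits(open("/var/log/httpd/access_log").read())` (path is an assumption; use your vhost's log). Because the script keys on the User-Agent string only, a client that sends a normal browser UA is invisible to it, so treat a hit as a prompt to look at the surrounding requests rather than as a verdict.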