New HostGator Phishing Scam - DO NOT Fall For This!

22 replies
Warriors, I just got off the phone with HostGator support and I have confirmed that I have been the target of a new phishing scam.

I received a seemingly legitimate email from HostGator this morning, and here are the details:

FROM: donotreply@reply.hostgator.com

Email Body:

Dear Valued HostGator Customer YOUR NAME WILL BE HERE.

This notification is generated automatically as a service to you.

We have received a request that the name servers be changed for the following domain name(s):

"your domain name will be here"

If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager.


Use the link below:

https://portal.hostgator.com/check.a...9801f6841861a2



Thank you,
HostGator.com Support

Toll-free: 1-866-96-GATOR
International: 001-713-574-5287

Now as you can see, this email looks real enough. Even the "from" address seems to be the real HG email address. The link they direct you to appears to be a real HG link to the customer portal. It's only like that on the surface though. The link that you see is not actually the real URL address.

If you click the link they give, it will take you a site that looks EXACTLY like the HG billing support/customer portal. I damn near logged in with my user name and password. What stopped me was when I looked at the URL.

The real HG billing portal URL is this:

https://portal.hostgator.com/login

The URL that I landed on looked to be set up on WordPress. The page was ALMOST identical, but when I looked closer I noticed that there were differences in text style and spacing, and the "View Our Support Articles" button at the top right of the page is much smaller on the phishing site.

I took screen shots so you can compare and this will help you to make sure you don't get phished. The main thing to look for, however, is the URL that is in your address bar. I am not going to give out the actual URL, just in case it was stolen or taken over from an innocent person (the URL has a full name in it).

Here is the REAL HG customer portal:




Here is the FAKE HG customer portal:




Look at the text on the fake site.You will notice it is much thinner and spaced much more closely than the text on the real site. The real difference is in the button to the top right of the page. On the fake site, it's much smaller.

PLEASE don't fall prey to this. If you were to click over to the fake site and log in, I'm pretty sure the scammers would now have access to all of the personal information that's in your customer portal. Worse, they could use that information and pretend to be you to gain access to your hosting account and wipe you out! You should have a backup, but that's not the point. It's a big pain in the butt!
#fall #hostgator #phishing #scam
  • Profile picture of the author agmccall
    Internet 101, do not click links in email to login to anything.

    al
    Signature
    The Flu? Not worthy of a mention here???
    {{ DiscussionBoard.errors[9888991].message }}
    • Profile picture of the author John Hocking
      I agree about not clicking on email link. Thanks for the heads up in the scam.
      {{ DiscussionBoard.errors[9889003].message }}
    • Profile picture of the author nicheblogger75
      Originally Posted by agmccall View Post

      Internet 101, do not click links in email to login to anything.

      al
      You are absolutely right. However, there are a couple of things in play here that led me to believe this email was perfectly safe and was indeed from HostGator.

      - The "from" address is legit.

      - The URL in the email appears to be a HostGator URL (I didn't notice it was not legit until I landed on the fake page).

      Basically, everything in this email appears to be from HostGator. Also, one thing scammers do is to send emails like this that make you think you have an immediate problem. You tend to panic a bit (at least I do), and you want to get to the bottom of the problem right away. This can cause people to sometimes act without thinking about it until it's too late. Thankfully, this was a phishing attempt and not a virus. Had it been a virus or malware I may have gotten myself into hot water. As we all know, even the best virus protection software sometimes doesn't catch everything.

      That's what happened to me.

      Your point is well taken, though, and it is a rule that should be followed always.
      {{ DiscussionBoard.errors[9889010].message }}
  • Profile picture of the author skypreet
    why is there no url in the Fake screenshot???

    I remember ,GoDaddy send remainder mail when we change the nameservers from the control panel. But I am just curious to know the phishing url and the email address from which you received the email.
    {{ DiscussionBoard.errors[9889024].message }}
    • Profile picture of the author nicheblogger75
      Originally Posted by skypreet View Post

      why is there no url in the Fake screenshot???

      I remember ,GoDaddy send remainder mail when we change the nameservers from the control panel. But I am just curious to know the phishing url and the email address from which you received the email.
      I removed the URL from the screen shot in case the domain being used by the scammers was stolen from an innocent party. It contains someone's full name, and I don't think it's right to associate that name with a scam if that person may also be a victim.

      The "from" address seems to be an actual HostGator email address. However, I think it's easy enough to fake that. This is the "from" email address:

      donotreply@reply.hostgator.com

      Here is the subject line of the email:

      Account Notice : Error № 7620


      The fact that I did not receive anything from GoDaddy and the fact that all of my websites were still up and running was also a big tip off that the email was fake. I should have asked the HG customer service rep whether or not they actually send out emails like this, but I overlooked it.
      {{ DiscussionBoard.errors[9889038].message }}
    • Profile picture of the author eightofdiamonds
      Thanks for the heads up. I've used HostGator for years. I'm pretty cautious about what I click on in emails but from what you've posted it looks like the scam is well designed.
      Signature
      {{ DiscussionBoard.errors[9889043].message }}
      • Profile picture of the author nicheblogger75
        Originally Posted by eightofdiamonds View Post

        Thanks for the heads up. I've used HostGator for years. I'm pretty cautious about what I click on in emails but from what you've posted it looks like the scam is well designed.
        You're quite welcome.

        I'm no newbie and the email looked so authentic that I nearly fell for it. Had I not checked out the URL and noticed that it was not the HG customer portal URL I would have gone through with logging in. I don't think it would be long after that before I found my entire hosting account wiped out. Then I would have had to upload my backup, which would have taken several hours, and in that time I probably would have missed out on a bunch of new subscribers.
        {{ DiscussionBoard.errors[9889069].message }}
  • Profile picture of the author gvidass
    Thanks! But honestly they did good job on making it, because I would believe that it's real site...
    {{ DiscussionBoard.errors[9889077].message }}
  • Profile picture of the author wyatt2011
    I don't know, I think I got this! They said they got a notice to change my name servers. I didn't request anything.
    I hadn't had time to act on it thankfully. I wouldn't have anyway without calling Hostgator, which I will do this evening.

    Dear Valued HostGator Customer ONEANDONE PRIVATE REGISTRATION.

    This notification is generated automatically as a service to you.

    We have received a request that the name servers be changed for the following domain name(s):

    (website name which I deleted here)

    If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager.

    Use the link below:
    https://portal.hostgator.com/check.aspx?nw=f1920129f9c75b3d604ea4874e120736

    Thank you,
    HostGator.com Support

    Toll-free: 1-866-96-GATOR
    International: 001-713-574-5287



    Thanks Angela
    {{ DiscussionBoard.errors[9889099].message }}
    • Profile picture of the author nicheblogger75
      Originally Posted by wyatt2011 View Post

      I don't know, I think I got this! They said they got a notice to change my name servers. I didn't request anything.
      I hadn't had time to act on it thankfully. I wouldn't have anyway without calling Hostgator, which I will do this evening.

      Dear Valued HostGator Customer ONEANDONE PRIVATE REGISTRATION.

      This notification is generated automatically as a service to you.

      We have received a request that the name servers be changed for the following domain name(s):

      (website name which I deleted here)

      If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager.

      Use the link below:
      https://portal.hostgator.com/check.aspx?nw=f1920129f9c75b3d604ea4874e120736

      Thank you,
      HostGator.com Support

      Toll-free: 1-866-96-GATOR
      International: 001-713-574-5287



      Thanks Angela
      Yup, you sure did. That's it alright. And as you can see the domain name looks like it belongs to an individual person. It's definitely not a HostGator domain.

      I would definitely call them and report this. The customer service rep said they are going to investigate it and I'm guessing they will be sending out a warning email to all of their customers about this soon.
      {{ DiscussionBoard.errors[9889128].message }}
  • Profile picture of the author AaronBurton
    uh oh, thats not good.
    {{ DiscussionBoard.errors[9889135].message }}
    • Profile picture of the author nicheblogger75
      Originally Posted by AaronBurton View Post

      uh oh, thats not good.
      As long as you DO NOT log into the fake site you should not have to worry. It's when you log in that they've now got your user name and password and can access all of your personal info.

      I'm pretty sure most people know better than to click on links in a suspicious email, but this scam is VERY well designed and I'm thinking quite a few people have already fallen for this.
      {{ DiscussionBoard.errors[9889146].message }}
    • Profile picture of the author webmaster2015
      Any notification I get from my bank or facebook to my email, I just go to my bookmarked link and sign in to read the notification, if it's not there then I know the email was fake. The only thing I will click on in my email is Hostgater renewal notices because they automatically sign you in and already have your previously chosen payment method ready and if a phisher already had that info there would be no reason to phish you for it. Basically if you click on any link in your email and it takes you to a sign in page, you are better off just going to your bookmarked link or google for the real site and sign in that way.
      Signature
      If you do classified advertising
      You need a Delayed Autoreply Service
      {{ DiscussionBoard.errors[9889237].message }}
      • Profile picture of the author nicheblogger75
        Originally Posted by webmaster2015 View Post

        The only thing I will click on in my email is Hostgater renewal notices because they automatically sign you in and already have your previously chosen payment method ready and if a phisher already had that info there would be no reason to phish you for it.
        That's why this scam is so dangerous. Most people trust an email from HostGator and will click on the link without thinking twice. Especially since these emails really do look like they came from HostGator. I'm guessing whoever it was that masterminded this scam knows that. I'm always VERY careful about clicking links in emails, but this one had me fooled all day.
        {{ DiscussionBoard.errors[9889706].message }}
  • Thanks for the heads up. I think I heard about something related to this before, but I'm glad I saw this here again as a reminder.

    And I agree. Clicking on any link from an unknown or mysterious email address and then signing in to their form is hazardous, so watch out everyone. This company, whoever they are, isn't the only one doing this.
    {{ DiscussionBoard.errors[9889214].message }}
  • Profile picture of the author larrygo
    Thanks for the info, my son just got one today that looked very good for another website
    {{ DiscussionBoard.errors[9889780].message }}
  • Profile picture of the author David Keith
    A huge tip off for me is when my lastpass account doesn't fill in my info or auto login for me.

    That tells lastpass doesn't have my login info save for that site so I am probably not where I think I am...ie a phishing scam.

    Robofor, does the same thing.
    {{ DiscussionBoard.errors[9889858].message }}
    • Profile picture of the author art72
      Originally Posted by David Keith View Post

      A huge tip off for me is when my lastpass account doesn't fill in my info or auto login for me.

      That tells lastpass doesn't have my login info save for that site so I am probably not where I think I am...ie a phishing scam.

      Robofor, does the same thing.
      I think it's time I get lastpass, never realized the benefits until you mentioned it recognizes the url and login before hand.

      Also, kinda strange being I just 'renewed my HG hosting not even 2 hours ago, and would have likely never noticed the differences in those 2 pages!

      Reminds me off a phone app ad for my local internet provider, you login to your account using the secure app, and the ad states; "you have been logged out of your (companies name and same text) account due to inactivity! - Log back in here.

      I never clicked the ad because the red ball with the "X" in it clearly denotes its an advertisement, but I'll bet tons of people fall for for it.

      Thanks for the heads up, being I did just renew my HG hosting, I'll be sure to NOT to fall for that one!

      Thanks - good share!
      Signature
      Coming Soon... *Laser Targeted Lead Generation Services
      {{ DiscussionBoard.errors[9889869].message }}
  • Profile picture of the author ChrisBa
    They did a really good job at copying the hostgator site and the email as well (not that I want to give credit to people who phish or scam)

    Glad you caught this before it was too late.
    Another great example to be careful with links in emails
    {{ DiscussionBoard.errors[9889884].message }}
    • Profile picture of the author nicheblogger75
      Originally Posted by ChrisBa View Post

      They did a really good job at copying the hostgator site and the email as well (not that I want to give credit to people who phish or scam)

      Glad you caught this before it was too late.
      Another great example to be careful with links in emails
      I've been thinking about this and the more I think about it the more it seems to me that it could be an Internet Marketer behind this.

      It makes perfect sense that an Internet Marketer would do something like this in order to maybe eliminate competition in their niche. They get a hold of a competitor's hosting account and wipe them right out. If they can wipe out enough of their competition they can practically own a profitable niche. Also, it looks like they need a certain number of different domains to make this work.

      I noticed a link someone posted earlier to a phishing site and it was a different domain than the one I came across. That means they may have already taken over quite a few hosting accounts/domains just to make the scam work.

      So, what do you all think? Is an Internet Marketer behind this? Or is that too "conspiracy theory?"
      {{ DiscussionBoard.errors[9890263].message }}
  • Profile picture of the author enterprisemind
    Thanks for sharing this. I'm a Hostgator customer also.
    {{ DiscussionBoard.errors[9889887].message }}
  • Profile picture of the author nizamkhan
    Damn, they made things look so real. Please, DO NOT login/signin by clicking on the links in the emails, instead type the url directly in the browser address bar to login to your customer/banking/payment portals. Thanks for this phishing scam alert.

    - Nizam
    {{ DiscussionBoard.errors[9890535].message }}

Trending Topics