Author Topic: cPanel's cPrapid.com website being used by scammers for phishing.  (Read 9997 times)

MrMobodies (Topic starter)
I got a phishing email in late January to a fake NHS portal requesting payment details for a vaccine.

I knew it was fake and had a look around on a separate browser and profile to see what it was also about and I reported it as usual.

It redirected from an Indian medical college website that had been compromised to "https //195-201-99-52.cprapid.com/app/index.php":
https //www.jknursing.com/m/ (without the m)

Now I got a DPD one today from the same domain:



https:  52-237-172-196.cprapid.com/e677b160964b525bd7c28e1b2099578f879/login

and then I found this:

https://forums.cpanel.net/threads/cprapid-com-is-breaching-privacy.685437/
Quote
"The "cprapid" domain is something we've recently implemented to allow users to have secure access to WHM right from the initial installation of cPanel & WHM on the server, instead of having to click through the SSL security warnings due to a self-signed certificate. You can find more details on this here:"

I didn't know at the time that the cprapid domain was owned by cPanel.

The link on the DPD one only seems to work once until reloading whereas the NHS one was going for a couple of days or so.

It looks like the scammers have found a way to exploit it for their phishing campaigns.

See attached pictures:
« Last Edit: April 29, 2021, 08:30:21 pm by MrMobodies »
 

amyk
Re: cPanel's cPrapid.com website being used by scammers for phishing.
« Reply #1 on: April 29, 2021, 11:47:13 pm »
It's no different to the free subdomains you get with hosting services... low effort but also low convincingness.
 

MrMobodies (Topic starter)
Re: cPanel's cPrapid.com website being used by scammers for phishing.
« Reply #2 on: July 09, 2021, 11:12:03 pm »
There's another scam on CpRapid going on at the moment.



I reported it some days ago but it is still there.

I'd recommend using a test browser:
https://www.21cssindia.com/th/

Legitimate website, but add /th/ and you get a different URL on CpRapid every time it is accessed.

It looks like the scammers have free rein to do what they like.

The CpRapid URLs don't work after a certain amount of time and seem to be triggered from that Indian domain.

The fake receipt email also has what looks to me like Indian language so maybe it originated there.
Actually no it is Turkish according to Google language tools auto detect:

"2 öge için siparis ayrintilari, 22 Haziran 2021 Sali ("
Order details for 2 items, Tue 22 June 2021
« Last Edit: July 09, 2021, 11:15:46 pm by MrMobodies »
 

amyk
Re: cPanel's cPrapid.com website being used by scammers for phishing.
« Reply #3 on: July 10, 2021, 05:01:30 am »
Quote
Legitimate website but adding /th/ and you get a different URL on CpRapid every time it is accessed.

That's because the only thing there is a script that redirects randomly to one of (currently) 7 destinations:
Code:
<SCRIPT LANGUAGE=JAVASCRIPT>
function randomlinks(){
    var myrandom=Math.round(Math.random()*7)
    var links=new Array()
    links[0]="https://139-59-177-41.cprapid.com/"
    links[1]="https://18-118-197-147.cprapid.com/"
    links[2]="https://18-118-106-84.cprapid.com/"
    links[3]="https://18-118-112-157.cprapid.com/"
    links[4]="https://165-232-154-182.cprapid.com/"
    links[5]="https://20-203-162-92.cprapid.com/"
    links[6]="https://3-127-149-97.cprapid.com/"
    links[7]="https://18-118-195-100.cprapid.com/"


 
    window.location=links[myrandom]
}


        window.open(randomlinks(),'_self');
 
</script>
Everything about the above code suggests extreme amateurishness. They didn't even bother optimising or obfuscating, just copied http://www.javascriptkit.com/javatutors/random2.shtml with some changes.

I recommend telling the company their site has been hacked and used to redirect people to phishing sites.
« Last Edit: July 10, 2021, 05:03:43 am by amyk »
 
The following users thanked this post: MrMobodies
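
An added example, not part of the original posts: a small Node.js helper that pulls cprapid.com redirect targets out of fetched page source like the script quoted above and groups them by server IP, so each one can be reported to the hosting provider of that address. It assumes the dashed hostname label is the server's IPv4 address; the sample page and its addresses are constructed, and the function names are hypothetical.

```javascript
// Added example: extract cprapid.com redirect targets from page source and
// recover the server IPv4 address from each hostname for abuse reporting.
// Assumption: the dashed label (e.g. 192-0-2-10) is the server's IPv4 address.

// Constructed sample input (documentation-range addresses, not real indicators).
const SAMPLE_HTML = `
<script>
function randomlinks(){
    var links=new Array()
    links[0]="https://192-0-2-10.cprapid.com/"
    links[1]="https://198-51-100-7.cprapid.com/app/index.php"
    links[2]="https://192-0-2-10.cprapid.com/login"
    links[3]="https://999-1-1-1.cprapid.com/"
    links[4]="https://cprapid.com.example.net/"
    window.location=links[0]
}
</script>`;

// Return the IPv4 string encoded in an a-b-c-d.cprapid.com hostname, or null.
function ipFromCprapidHost(hostname) {
  const m = /^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.cprapid\.com$/i.exec(hostname);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets.join(".") : null;
}

// Find every quoted http(s) URL in the source and group cprapid URLs by IP.
function extractCprapidTargets(source) {
  const byIp = new Map();
  for (const [, raw] of source.matchAll(/["'](https?:\/\/[^"'\s<>]+)["']/g)) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed URLs
    const ip = ipFromCprapidHost(url.hostname);
    if (!ip) continue; // look-alike or invalid hostname, not a cprapid server
    if (!byIp.has(ip)) byIp.set(ip, []);
    byIp.get(ip).push(url.href);
  }
  return byIp;
}

// One line per server, ready to paste into a report to that IP's hosting provider.
function reportLines(source) {
  return [...extractCprapidTargets(source)].map(
    ([ip, urls]) => `${ip}: ${urls.join(" ")}`
  );
}

console.log(reportLines(SAMPLE_HTML).join("\n"));
```

Run it on page source saved to disk rather than opening the redirecting page in a browser; the owner of each recovered IP can then be looked up with whois.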

MrMobodies (Topic starter)
Re: cPanel's cPrapid.com website being used by scammers for phishing.
« Reply #4 on: July 10, 2021, 05:44:08 am »
Good find with the 7 url destinations.

I did tell them some time ago with another scam and here is the reply from the last time:

Quote
Gillian Piggott (cPanel)

May 6, 2021, 13:12 CDT

Hello,

My name is Gillian and I am a member of the Senior cPanel Customer Service team.

This ticket came to my attention due to the recent feedback that was provided and I would like to take a moment to reach out to you to ensure that the issue you are reporting is resolved.

Firstly, thank you for taking the time to provide us with your feedback. cPanel management reviews all feedback that is submitted to ensure that you are receiving the best possible support.

I am very sorry that you ran into the phishing issue.  Unfortunately, cPanel does not have any control over what cPanel is used for and sometimes cPanel servers are used for phishing purposes.  It is certainly something that is not set up by cPanel but we do try our best to report any phishing attempts to the hosting provider of the domain so that the sites can be taken down.

It is possible that the site you reported has now been taken down since we are not able to access this link:

https://52-237-172-196.cprapid.com/e677b160964b525bd7c28e1b2099578f879/login

If you have any further information you wish to provide to us please let me know and I will be glad to review it.
Kind regards,

Gillian Piggott
Customer Service Representative III
cPanel, LLC.
+1-713-529-0800
You can help us provide you with rapid and accurate support by sharing step-by-step instructions to replicate the issue

They have no control so yes the scammers can do what they like until the CpRapid URL is reported.
« Last Edit: July 10, 2021, 05:54:49 am by MrMobodies »
 

NiHaoMike
Re: cPanel's cPrapid.com website being used by scammers for phishing.
« Reply #5 on: July 10, 2021, 05:35:41 pm »
Time to flood those phishing websites with fake data so that they'll have a harder time using it?
 
The following users thanked this post: MrMobodies

amyk
Re: cPanel's cPrapid.com website being used by scammers for phishing.
« Reply #6 on: July 10, 2021, 11:03:56 pm »
No, cPanel is not the responsible one here, so that response was not surprising at all - I meant telling 21cssindia about it.
 
The following users thanked this post: MrMobodies

MrMobodies (Topic starter)
Re: cPanel's cPrapid.com website being used by scammers for phishing.
« Reply #7 on: July 11, 2021, 04:16:49 am »
I already tried that but the submit button doesn't seem to do anything.

Actually looking at it again I see an email address at the bottom of the page.

contact@21cssindia.com
Obviously I didn't look well enough.
Just reported it to them.
« Last Edit: July 11, 2021, 04:24:10 am by MrMobodies »
 

