Cyber: Compromised Site Management Panels Are A Hot Item In Cybercrime...

Threat actors are openly advertising access to hacked websites as part of the underground economy. Among the most promising products are compromised cPanel credentials. They are sold in the thousands across fraudulent chat groups at commodity-level pricing and marketed as plug-and-play infrastructure for phishing and scam campaigns.

In new research, Flare security researchers analyzed activity across monitored fraudulent groups over a seven-day period, showing a structured ecosystem operating at scale.

We analyzed more than 200,000 posts referencing cPanel access, and we explain how cPanel has become a hot commodity, why threat actors want it, and how it fits into the overall threat landscape.

cPanel is one of the most widely used Linux-based web hosting control panels in the world. It provides a structured management layer on top of standard system services. It acts as an orchestration and automation interface for managing hosting accounts, domains, mail services, databases, DNS zones, SSL certificates, and file systems.

According to Shodan, there are over 1.5 million internet-connected servers with cPanel software.

The heatmap below shows that cPanel is used mainly in the U.S. (over 1 million results).

Imagine you own a website, whether for personal use, for a small business, or as one of many web-facing assets in your enterprise. Once a threat actor obtains legitimate credentials for the management layer, a wide range of capabilities opens up:

Deploying phishing kits as a subdomain under the legitimate domain name

Creating SMTP accounts under the domain to disseminate phishing or spam campaigns

Stealing and exfiltrating invaluable data (PII, secrets) from databases

Source: BleepingComputer