cPanel Webmail Scam – How to Recover

Last updated: September 21 2022

If you recently got an email notification asking you to verify, confirm or update your email account, think twice before clicking on any link.
Most likely it’s a scam designed to expose your email password.

Try our free check option.

The malicious email contains one or more links to a phishing site, which replicates the cPanel Webmail login page.
If you filled out the form already, and your password is compromised follow these steps:

  • Reach your hosting provider, and ask for a password reset and further instructions.
    If you don’t remember it, contact the last web developer you worked with and ask for cPanel credentials. Otherwise, if you have no other options, contact us for support.
  • If your email is not managed by your web hosting provider, find out your email provider.
    Find your MX records: https://mxtoolbox.com/MXLookup.aspx
  • Lastly, if the same password is used for PayPal, Twitter, Facebook, IG or LinkedIn, make sure every account is secured.

Malicious URLs:
http://alblsv.opalional.com/#b25saW5lQG1hdGhpbGRlLnJv
https://tentsjest.store/f6uKR5p5kprincc4bBtb3rU/redirect/cpanel.webmail.api.authenticate.login
https://tentsjest.store/f6uKR5p5kprincc4bBtb3rU/redirect/cpanel.webmail.api.authenticate.login/qjUfp7l2ZFr68IUmzR9p.php

Other URLS:
https://utrhiyixro.web.app/?WfLm36WwWNR=b25saW5lQG1hdGhpbGRlLnJv
https://utrhiyixro.web.app/__/firebase/init.js
https://utrhiyixro-default-rtdb.firebaseio.com
https://utrhiyixro.firebaseapp.com

Malicious domains: zenmillennial.shop, wheytonocta.store, alblsv.opalional.com, tentsjest.store, siliconbop.store, technogarage.store, accordgenesisi.monster. All domains are registered via Namecheap.
Malicious networks: 198.54.116.149 ( server208-5.web-hosting.com ), 188.114.97.2 ( Cloudflare, Inc. ), 99.83.154.118, 162.255.119.8.

Cloudflare nameservers used for the malicious attack:

  • byron.ns.cloudflare.com, meiling.ns.cloudflare.com
  • coby.ns.cloudflare.com, tina.ns.cloudflare.com
  • kanye.ns.cloudflare.com, meera.ns.cloudflare.com

Malicious email subject
“Este necesara validarea parolei pentru”
Message:
“Centru de parole de e-mail
Solicitarea dvs. de resetare a parolei prin e-mail este primită, parola dvs. actuală a expirat și trebuie validată de la adresa linkului de mai jos înainte de a vă putea accesa din nou contul.
Tichet: detalii de securitate a contului”

How to report cPanel Webmail Phishing? Copy the link inside the phishing email, and report it here: