August 2, 2017

Doctor Web specialists note that it is becoming increasingly commonplace for phishing emails to be distributed on the Internet. Cybercriminals send these email messages on behalf of the Russian domain name registrar “RU-CENTER”. For the past two weeks, such mailings have been registered twice. In these emails, cybercriminals suggest that website administrators post on a server a special PHP file. This action will lead to a compromise of an Internet source.

Apparently, to distribute scam mailings, cybercriminals use contact database of domain administrators registered in RU-CENTER. Cybercriminals refer to some changes in the ICANN rules and offer the domain administrator to create the PHP file with certain contents in the root directory. The creation of this file is supposed to confirm the right for the domain use by the email recipient. The email itself contains the logo of RU-CENTER and is sent supposedly on its behalf.

The file suggested for saving in the root directory contains a command that executes an arbitrary code specified in a variable. Cybercriminals can send this code to the script posted on the server as a GET or POST request. Doctor Web specialists warn that fulfillment of the demands of cybercriminals will lead to a compromise of the website. If you receive such email, ignore it. If you suppose that the email’s sender is actually the domain name registrar, check this information with the technical support service of the registrar company.