Zscaler researchers identified a number of sites hosted by DreamHost that contained a PHP file designed to redirect users to a scam page.
The scam site, otvetvam.com, advertises a “make money from home” scam by displaying several fake testimonials allegedly written by people who already made a lot of money.
The site is so cleverly designed that even the Google ads lead to a YouTube-style site that promotes other schemes, more precisely an online gambling site.
Otvetvam.com replicates a popular Russian site, mail.ru, to make everything more legitimate looking. Furthermore, other malicious domains were recently set up to serve the same purpose, the cybercriminals probably planning ahead for when security solutions providers will start blocking their domains.
At the time when the breach was discovered, DreamHost advised users to make sure they change their passwords, but it turns out that not everyone followed their advice and crooks already made good use of the leaked information.
DreamHost customers are advised to follow the steps recommended by the company to make sure their assets are secured. Passwords must be reset immediately to prevent any unfortunate incidents.
The possibility that hackers already changed some of the passwords exists, case in which users should contact DreamHost to block others from accessing the accounts.
Another possibility is that the cyber masterminds altered the websites before the passwords were reset, which means that website administrators should check their webpages to see if the malicious PHP file exists.
Unfortunately, the PHP file doesn’t have a clearly defined name, but it looks something similar to tyiueg.php, polzin.php, gyrewnv.php, or fgjke.php.