Question Consistent Phishing attacks from plesk.page

[Nighthawk]

Hi,

I am a cybersecurity engineer in the area of phishing. I see hundreds of phishing domains every month from the plesk.page domain and have a few questions.

Some of the attacks are from domains with the standard "adjective-scientist.xxx.xxx.xxx.xxx.plesk.page" format and host a multitude of phishing sites. If a site has malicious content regarding a brand a takedown can be initiated, it often consists of contacting the hosting provider, domain owner, perhaps registrar etc.

Plesk does not respond to takedown requests on the [email protected] contact email, I am not sure if you see these requests then act on them and don't respond but not acknowledging the emails even via an automated manner makes it difficult to determine if Plesk is in fact performing any takedown or is taking action.

What is Plesks policy on this issue ? although you are not the hosting provider you are still providing a free hostname service that is being abused and well known by cybercriminals. Does Plesk take measures to avoid malicious content on dev pages ?

There is also domains with custom subdomains such as "custom.custom.custom.xxx-xxx-xxx-xx.plesk.page/..." This allows attackers to make even more plausible attacks using plausible subdomains to make their attack look more legitimate. Could you explain how users can add subdomains in the panel I have not been able to do it myself ?

I am aware this is the community forum but I thought discussing this in the open with staff is preferred.

Thanks,

 

[Bitpalast]

Not staff, but the plesk.page domain must point to an IP address just as all other domains do it. There is no difference between the plesk.page domain or a real domain other than the plesk.page domain is free for use so that hackers don't need to buy a domain name for their attacks. However, they still need to have the server base for it. Normally, you'd address the server operator to fix phishing attempts that are coming from a server, not a domain name provider. If it wasn't the "plesk.page" domain, but another domain name, you'd not consider to contact the registry for that domain name to take down a site, but the data center of the server where the domain is operated. I think it would be best to do the same in this case.

 

[Nighthawk]

Not staff, but the plesk.page domain must point to an IP address just as all other domains do it. There is no difference between the plesk.page domain or a real domain other than the plesk.page domain is free for use so that hackers don't need to buy a domain name for their attacks. However, they still need to have the server base for it. Normally, you'd address the server operator to fix phishing attempts that are coming from a server, not a domain name provider. If it wasn't the "plesk.page" domain, but another domain name, you'd not consider to contact the registry for that domain name to take down a site, but the data center of the server where the domain is operated. I think it would be best to do the same in this case.

Thanks for your response.

I understand that Plesk is not the hosting provider and you are correct going to the registrar is towards the end of a playbook, but it is a vital step and is followed by legal requests for suspension of the domain at the registrar. This is because of hosting providers that are or almost are bulletproof and take extensive time to takedown causing a lot of fraud.

You will find that most TLD and ccTLD actually take action against activity albeit at different degrees within their ToS but most in one of the 3 categories:
(1) broadly addressing use or content, (2) containing specific use- or content-related provisions, and (3) not addressing use of domain name or content at all.

Many sites that do not perform hosting perform "action" for example link shortener services closing redirects, aws for example when providing domain name services and many others.

 

[Nighthawk]

"Services abound for gratis or cheap ‘registration’ of subdomains using third party parents acting as private subdomain registries. This is not abusive per se, however, not necessarily being ICANN contracted parties, many subdomain registries do not offer alternative dispute resolution or abuse reporting procedures. Many don’t collect or release complete registrant information or impose terms prohibiting abuse. As such they are often attractive to bad actors and some are havens for abuse. In one case, Google de-indexed the entire ‘co.cc’ parent along with 11 million third party subdomain sites."

Any comments from Staff members. Will Plesk start to take proactive measures against malicious content hosted on your subdomains ?

 

[IgorG]

@Nighthawk, what do you mean by proactive?

At least, we have protection that only Plesk users can create such phishing domains.

Also, we cannot predict that the generated domain will be used for phishing. So it's not clear what proactive measures you mean.

I can also add that reactive we block such domains within 12 hours. It is true that websites are not owned by Plesk, but temporary domain names are resolved by our DNS infrastructure, and we are blocking the phishing domains on a daily basis. All requests should be sent to the [email protected] address.

More than 50 000 Plesk servers are working under temporary hostnames for now (a vast number). We have statistically proved data that this feature increases the first login to Plesk conversion and helps new customers onboarding.

 

[Nighthawk]

I can also add that reactive we block such domains within 12 hours. It is true that websites are not owned by Plesk, but temporary domain names are resolved by our DNS infrastructure, and we are blocking the phishing domains on a daily basis. All requests should be sent to the [email protected] address.

Thanks, this is useful information. The fact that you are indeed blocking domains is great and all I wanted to clarify.

The initial post by Peter is correct, a complainant should exhaust its remedies with the hosting provider first. I agree with this. But in incidents of DNS abuse where the name of the phished company appears in the URL many providers such as those in the DNS Abuse Framework will proceed with takedown on a registrar level. I understanding taking sites down based on content and the legality online without geographic laws is difficult from your perspective only being able to view the site content as everyone else does.

Proactive, would be perhaps limiting the creation of custom subdomains in your zone. Although most users use "adjective-scientist.xxx.xxx.xxx.xxx.plesk.page", many prepend with malicious subdomains "bankname-login.xxx.xxx.xxx.xxx.plesk.page". I understand this might be limiting and it is up for debate distinction is critical in order for the Internet to remain open for free expression.