Humanbeing, posted Friday at 07:01 PM (edited Friday at 07:02 PM)

Pretty much all WHMCS sites and their billing functions, ordering etc. are being spoofed and proxied maliciously. For example: https://www_whmcs_com.gamelaunch.goldwin.com/

To check if your site is also targeted, simply replace the first part in the URL with your domain. What could be done to prevent this?

bear, posted Friday at 07:35 PM

That fails SSL checks, so never loads. I don't see how that's "spoofing" anything since it shows in the URL field as www_whmcs_ and so on, and again, won't load. How is it you even came across this unloadable URL?

Humanbeing (Author), posted Friday at 08:02 PM (edited Friday at 08:04 PM)

All WHMCS functions (search, login, ordering, etc.) are being replicated in real time on a malicious proxy site. How is that not a serious security concern? Not all customers can verify correct URLs in the address bar.

Spoofing is when a URL mimics a legitimate website to deceive users into visiting fraudulent sites, often to steal login credentials or download malware. A number of WHMCS sites are affected. I provided WHMCS's own website as an example.

bear, posted Friday at 10:37 PM

It won't load for me at all. May be my browser or my security software (which says it's a malicious site), but it refuses. If nothing in yours says it's a bad idea to visit, I'd be concerned.

Damo, posted Friday at 11:57 PM

Report the parent domain to the abuse address of the network hosting it. That's about all you can do. This is not specific to WHMCS sites and it's poor form to suggest people put their own website address into it.

Humanbeing (Author), posted Saturday at 12:04 AM

2 minutes ago, Damo said:
> Report the parent domain to the abuse address of the network hosting it. That's about all you can do. This is not specific to WHMCS sites and it's poor form to suggest people put their own website address into it.

As stated above, WHMCS sites are already actively copied and run by the offending server. Putting your address hasn't got anything to do with it.

Damo, posted Saturday at 12:43 AM

You can put any address in and it will 'actively' (as you say) pull and display the content. This site is not for WHMCS sites specifically.

bear, posted Saturday at 11:36 AM

https://www.reddit.com/r/neocities/comments/1ptjfvd/gambling_site_imitating_neocities_sites/

Humanbeing (Author), posted yesterday at 02:34 PM

We never put our link in it, and yet it copied our site and was hitting our server nonstop. Our legal department has managed to take their server down.

bear, posted yesterday at 02:48 PM (edited yesterday at 02:49 PM)

15 minutes ago, Humanbeing said:
> it copied our site and was hitting our server nonstop.

That likely means it's setting it into an iframe, and not copying. To test, have a read here. I'd try the JavaScript version first (don't forget the <script> tags) and see if it still loads.

Link didn't paste: https://medium.com/@kesen.somar.99/securing-your-website-how-to-disable-iframes-to-prevent-click-hijacking-attacks-98cd2004720f

Humanbeing (Author), posted yesterday at 02:54 PM (edited yesterday at 03:04 PM)

15 minutes ago, bear said:
> That likely means it's setting it into an iframe, and not copying. To test, have a read here. I'd try the JavaScript version first (don't forget the <script> tags) and see if it still loads.
> Link didn't paste: https://medium.com/@kesen.somar.99/securing-your-website-how-to-disable-iframes-to-prevent-click-hijacking-attacks-98cd2004720f

Thanks 🙂 Our X-Frame and CSP safeguards didn't stop that from happening though. This is what we had:

    Content-Security-Policy "frame-ancestors 'self';"
    X-Frame-Options "SAMEORIGIN"

Do you think the Stripe/PayPal function on WHMCS would break if we set:

    Content-Security-Policy: frame-src 'none';

and

    X-Frame-Options DENY

The below post says WHMCS has built-in protections which clearly did not work:

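Added example (not part of any post above, and not WHMCS code): a small JavaScript audit of the two header sets quoted in the last post. `frame-ancestors` and `X-Frame-Options` decide who may embed your page in a frame, while `frame-src` decides what your page may embed; `https://pay.example` is a constructed placeholder for a third-party payment frame origin, and source matching is simplified to exact origins and a bare `*`.

```javascript
// Added example: header values come from the post, the payment origin is constructed.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Only the first occurrence of a directive is honoured.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// An empty source list and a lone 'none' both mean "match nothing".
const isNone = (sources) =>
  sources.length === 0 || (sources.length === 1 && sources[0].toLowerCase() === "'none'");

function auditFraming(headers, requiredFrameOrigins = []) {
  const csp = parseCsp(headers["content-security-policy"]);
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();

  // Who may embed this page. frame-ancestors takes precedence over X-Frame-Options.
  const ancestors = csp.get("frame-ancestors");
  let whoMayFrameUs = "anyone";
  if (ancestors) {
    if (isNone(ancestors)) whoMayFrameUs = "nobody";
    else if (ancestors.every((s) => s === "'self'")) whoMayFrameUs = "same-origin";
    else whoMayFrameUs = ancestors.join(" ");
  } else if (xfo === "DENY") whoMayFrameUs = "nobody";
  else if (xfo === "SAMEORIGIN") whoMayFrameUs = "same-origin";

  // What this page may embed: frame-src, then child-src, then default-src.
  const frameSrc = csp.get("frame-src") || csp.get("child-src") || csp.get("default-src");
  const blockedEmbeds = requiredFrameOrigins.filter((origin) => {
    if (!frameSrc) return false; // no restriction on embedded frames
    if (isNone(frameSrc)) return true;
    return !(frameSrc.includes(origin) || frameSrc.includes("*"));
  });
  return { whoMayFrameUs, blockedEmbeds };
}

const CURRENT_HEADERS = { "content-security-policy": "frame-ancestors 'self';", "x-frame-options": "SAMEORIGIN" };
const PROPOSED_HEADERS = { "content-security-policy": "frame-src 'none';", "x-frame-options": "DENY" };
const PAYMENT_FRAMES = ["https://pay.example"]; // constructed placeholder origin

console.log(auditFraming(CURRENT_HEADERS, PAYMENT_FRAMES));
console.log(auditFraming(PROPOSED_HEADERS, PAYMENT_FRAMES));
```

Both header families are enforced by the visitor's browser at the moment a page is rendered inside a frame. A server that fetches your pages itself and re-serves them is not framing anything, so neither set applies to that request.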