The Phishing Grounds

September 9, 2013 - 2 Comments

On August 15, 2013, Brian Krebs featured a screen shot of a fake Outlook webmail login page used by the Syrian Electronic Army in a phishing attack against the Washington Post. If you look carefully at the location bar, you will note that the domain used in the phishing attack is ‘’.

Washington Post Phishing Attack Page

The domain ‘’ is actually part of a suite of domains belonging to bills itself as a provider of “top class free web hosting services.” Just like free services offered by, has also become a haven for miscreants.

000webhost domain

Looking through all the subdomains that are in use at, we can find many suspicious looking domain names. The following subdomains have shown up since the beginning of September 2013 in passive DNS. Facebook, Yahoo’s Ymail, Google’s Gmail, Paypal, Twitter, and Microsoft Hotmail are all targets for abuse.

Cisco TRAC recommends that all organizations pay extra close attention to any traffic destined for free services such as this. There little chance that anything of value would be missed if these 000webhost domains were blocked wholesale by an enterprise.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. according to matt cutts(Google Head Web spam team). That website hosted in free hosting site are considering due to increase in spamming and duplicate content. Their for creating a website in free hosting website is not important.

  2. great article. As human interacts with any security system, nothing has been secure enough. We need to build machines (scripts & SSO systems) to do our jobs.