Bluehost and SiteLock Still Trying To Profit Off of Phishing Emails Being Sent to Bluehost Customers

In August of 2017 we first interacted with someone that had gotten a phishing email made to look like it was from Bluehost, who then when they contacted the real Bluehost was attempted to be sold on a security service they didn’t need since there wasn’t any issue with their website. More than a year later Bluehost and their security partner SiteLock continue to do that. The latest incident is absurd on its own since they were trying to sell someone security services they largely couldn’t effectively use since there website is hosted with Squarespace, so much of the SiteLock service wouldn’t even work and others wouldn’t be relevant in that situation.

Below is the phishing email. Interestingly the domain used for the phishing is also a Bluehost customer (maybe that is from someone that fell for a previous phishing email).

Hello, [redacted]

We are contacting you today because we have disabled your outbound email services temporarily. The reason for this is because you’ve got a forum that spammers were subscribing to to get messages sent out. They used a spam trap email address that actually resulted in our mail server getting blacklisted.

We need you to add protection to it so it isn’t being exploited in the future. You will need to contact us and let us know this has been resolved for us to restore your email services.

For protection, we ask that you require an account to subscribe to topic notifications if you haven’t already. We also ask that you add protection to your sign-up page so that spammers cannot automate it. You can do this by using a captcha or something similar to that.

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.3483e5ec0489e5c394b028ec4e81f3e1.[redacted]/account/6626/reactivation.html

Thank you,
BlueHost.com Terms of Service Compliance
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678

Below is the email that was sent by SiteLock trying to sell this person on the unneeded services after they had tried to get in touch with Bluehost. Bluehost apparently directs people over to SiteLock before even doing basic checking to insure that there is actually situation that could use SiteLock’s input. The person that received this is not named Vish (or anything close to that) despite it being address to someone with that name.

You’ll notice they claim that the website has been infected, despite that not being the case or even what the phishing email claimed.

Hi Vish

Thanks for taking the time to speak with me today. Like I mentioned before your website has been infected and we need to clean it as soon as possible before its suspended by the host. The reason your website was fount with malware is that you currently have no security measures in place to stop malware from entering your site.

The simple solution to protect your website is adding a firewall as well as a smart scanner. The smart scanner removes malicious content from your source coding before it infects the website. Also a Firewall blocks any malicious traffic and hacking attempts from entering your website in the first place, its the single most important preventative measure you can have for your website. What I did was attach a couple of documents that fully go over the features of our upgraded scanner and firewall. You can also go to www.sitelock.com to get further details and services. If you have any questions or concerns my contact info is below.

So to break everything down price wise, it’s $30 dollars a month for our secure starter which includes a Professional firewall and Premium scanner. You will get a free cleaning for the website with this that will save you $300.

Best regards,

Secure Starter $30.00/Mo
Premium Scanner and Professional Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)

Secure Speed $50.00/Mo
Premium Scanner and Premium Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)

Secure Site $70.00/Mo with unlimited free manual cleans and vulnerability patching
Infinity Scanner and Premium Firewall
-Automated Malware Removal Tool (continual & non-stop scanning removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Unlimited access to our Cyber Engineers to manually adjust your website coding if malware removal tool does not clean the malware
– Multiple (19) Vulnerability Testing on the site


A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.

4 thoughts on “Bluehost and SiteLock Still Trying To Profit Off of Phishing Emails Being Sent to Bluehost Customers”

  1. Yup! Today is 21 Dec 2018 and I just got that exact email (the first one) from Bluehost. When I contacted Bluehost tech support they denied that it was from them, and told me to delete it. I think it’s time to find a new web hosting company. Too bad.

    Thank you.

    1. The first email is a phishing email, so it wasn’t actually sent by Bluehost, so it sounds like they handled things correctly in your case, unlike in the case of the person that contacted us, so that wouldn’t be a reason to leave them.

  2. I would remove the link from the phishing email. Definitely a malicious link and not secure for you to have on your website. Also, this is not only being sent around bluehost. Also been seen with godaddy who does not partner with sitelock.

    1. If you are referring to the phishing page mentioned, it isn’t linked to, so there is a security issue with that.

      Phishing emails are sent masquerading as many companies, the issue here is that these companies are trying to profit off of them, instead of making sure to verify that there was a real email sent from the web host.

Leave a Reply

Your email address will not be published.