FTP Account Access Details Hijacked

It may just be a coincidence, but since I installed version 4.3.5 of WinSCP my cPanel access details have been hijacked and my email accounts have been used for spamming. HostGator support said:

From our experience with malware of this nature, the user account passwords are compromised though viruses/malware located on your local computer. This malware sniffs out passwords used and stored by FTP programs or e-mail clients.

Aren't WinSCP access details secure? I am doing a full virus/malware check but after 8 hours nothing has been found yet. What are the likely culprits for this kind of attack? Could it be a server-side issue? Support changed my access details in the morning but by early evening it had been hijacked again.

Please advise.

SQL Injection and cross site scripting attacks most of the time poor programming on the webcoders sides.

@NonaSuomy: Thanks for the reply.

My cPanel password is being changed by someone other than me. Can SQL injection/cross site scripting be used to do this?

Sure anything is plausible also the site you are using cPanel on could have an older version with exploitable holes in it if the webadmin has yet to update the code or enable harder security on it a lot of websites don't even hash and salt their passwords in the database where they are stored so the passwords can be seen in plain text or decrypted with easy to find pentesting tools. Also you yourself could have picked an insecure password that was easily bruteforced or maybe a former employee that knew the password etc or even a misguided webform you thought was yours that you were logging into but instead was a phishing attack.

There are so many variables you are never safe no matter what you do just do your best.

Quick google search brought up this:
<invalid hyperlink removed by admin>

For more information on the terms said above check out the articles below.

• https://en.wikipedia.org/wiki/SQL_injection
  
• https://en.wikipedia.org/wiki/Salt_(cryptography)
  
• https://en.wikipedia.org/wiki/Password_cracking
  
• https://en.wikipedia.org/wiki/Phishing
  
• https://en.wikipedia.org/wiki/Cross-site_scripting
  

Good luck!

Absolutely brilliant response, @NonaSuomy, I really appreciate you taking the time to explain it and provide the links.

Cheers & thanks.

stakemaster wrote:

Aren't WinSCP access details secure?

Please read https://winscp.net/eng/docs/security_credentials
Particularly the section "Storing password".

Also keep in mind, that a standard FTP server does not use encryption, so everytime you enter your username and your password, it is sent unencrypted over the net, quite easy to sniff.

Also if you connect to your control panel without SSL, like http://... all the data you send and receive is unencrypted. Always try to connect via SSL like https://... then all data is encrypted.

Another security hole is email, nearly every provider is sending you the welcome email.

hello new customer, you panel can be found under https://..., your username is: foo your password is: bar

The email is unencrypted, so everyone who sniffs/gets/accesses the mail can login your panel.

After receiving a password via mail you should immediately login and change the password.

There are a lot more cases where someone can get your password, but I think you get the point, have you?

More good info, many thanks.