Cybercriminals have begun targeting WordPress sites (opens in new tab) running older versions of the world’s most popular CMS (opens in new tab) in order to use them to run malicious phishing ads.
Security researchers at Cybernews (opens in new tab) first found out about this new attack method back in December of last year during a routine scanning operation. However, their findings led to the discovery of an illegal money-making scheme that has been used to compromise hundreds of sites that are either running outdated versions of WordPress or don’t have appropriate WordPress security plugins (opens in new tab) installed.
In order to accomplish this, the cybercriminals responsible first breached the vulnerable websites using exploits or credential stuffing attacks. By injecting a PHP script into the targeted sites’ WordPress installations, they were able to turn them into command and control points that served malicious advertisements when triggered by either second-phase scripts or opened by a link. Surprisingly, all of the malicious PHP scripts found by Cybernews were all masquerading as legitimate WordPress plugins (opens in new tab).
Cybernews‘ Vincentas Baubonis explained in a new report (opens in new tab) how a piece of JavaScript (opens in new tab) code initially led the security researchers to investigate further, saying:
“This particular piece of JavaScript code caught the team’s eye because of heavy obfuscation and weird deployment conditions. Code obfuscation is a technique employed by legitimate developers and threat actors to prevent reverse engineering. In this case, it was used to reverse the actual payload for concealment of malicious code.”
Targeting older WordPress sites
After the malicious PHP scripts were made to look like legitimate plugins, automated attacks were launched against older versions of WordPress sites to insert references in their HTML that led to the previously hacked command and control points.
According to Cybernews, the first phase of all iterations of this attack compromised four sites that were then used to host command and control scrips while the second stage mostly targeted sites running older versions of WordPress ranging from 3.5.1 to 4.9.1. The publication’s research team found at least 560 compromised WordPress sites and of these, 382 were forced to run malicious code. Thankfully, as a result of either mistakes or WordPress’ built-in security measures, not all of the compromised sites were able to earn revenue for the cybercriminals responsible.
Additionally, just seven out of ten of the sites were found to be serving malicious ads possibly as a result of technical reasons or built-in WordPress theme (opens in new tab) security which prevented the code from running in places where it wasn’t supposed to.
When it came to the countries with the most targeted sites, the US had 201 compromised websites followed by France (62), Germany (51) and the UK (34). As for the web hosting (opens in new tab) providers hit the worst, GoDaddy (opens in new tab) took the top spot with 42 websites followed by WebsiteWelcome with 30 websites and OVH ISP with 27 websites. However, when the data was indexed by ISP, OVH SAS topped the list with 55 websites hacked with Unified Layer in second place with 53 websites and GoDaddy in third with 43 websites.
Cybernews’ latest report is yet another reminder of the importance of keeping your WordPress site up to date. If updating your WordPress site is something you often forget to do, then you might be better off signing up for a managed WordPress (opens in new tab) solution as opposed to doing everything yourself.
Via Cybernews (opens in new tab)