Threat actors hijack outdated WordPress sites
Hundreds of compromised WordPress sites have been running malicious phishing adverts – with the code pretending to be legitimate plugins for the content management system, the Cybernews research team has learned.
Researchers at Cybernews got their first lead in December, during a routine scanning operation. It led to the discovery of an illicit money-making scheme that compromised hundreds of sites, using outdated versions or WordPress and employing lackluster security measures. The affected pages were then forced to run bogus ads linked to malicious sites.
To accomplish this, cybercriminals breached the websites using exploits or credential stuffing attacks. By injecting a PHP script, they turned the websites into command and control points, which served malicious advertisements when triggered by second-phase scripts or opened by a link.
Interestingly, Cybernews researchers found the malicious PHP scripts were all masquerading as legitimate plugins for the WordPress Content Management System (CMS).
It is thought that the first phase of all iterations of this attack compromised four WordPress sites that were used to host command and control scripts, while the second stage mostly targeted older versions ranging from 3.5.1. to 4.9.1.
In this way, our research team has discovered that the attackers successfully compromised at least 560 WordPress sites, forcing 382 of them to run malicious code. Fortunately, due either to mistakes or built-in security measures of the WordPress CMS, not all of the compromised websites earned revenue for the perpetrators.
Moreover, just seven in ten of the sites were found to be serving malicious ads, due to either technical reasons or built-in theme security that prevented the code from running in places where it was not supposed to run.
The most badly affected country was the US, which had 201 websites compromised, followed by France (62 websites), Germany (51 websites), and the UK (34 websites).
The three worst hit hosting providers were GoDaddy (42 websites), WebsiteWelcome (30 websites) and OVH ISP (27 websites). When the data was indexed by ISP, a slightly different picture emerged: OVH SAS topped the list with 55 websites hacked, with Unified Layer in second place (53 websites), and GoDaddy in third (43 websites).
Tracing back the steps
Cybernews discovered the compromised WordPress and identified four different iterations of the attack, with the last malicious command and control script residing at btlawfirm.com. “All of these contained different domains and some featured small differences in the malicious code,” it said. “However, we suspect that the result was always the same.”
Careless hosting security
Cybernews researchers reported the compromised sites to service provider HostGator, which has since taken down the malicious code and likely informed website owners of the breach. The team suggested that more could have been done by the provider to help identify compromised sites and report them to owners, who in many cases were not being updated about newer versions – leaving them prone to breaches.
“It is important for hosting services to identify what is being hosted,” said a spokesperson for Cybernews. “Maybe more could be done by the provider to help identify the compromised sites and report them to the owner. The issue with Wordpress site owners is that in a lot of cases they are not being updated about newer versions, which makes them prone to breaches.”
“Why are old, vulnerable versions of WordPress even kept by hosting providers in their service lists and not updated by default?” Cybernews asked.
Older more vulnerable versions of WordPress had been retained in service lists, instead of being updated by default.
“Everybody who is tech-savvy enough knows that software versions that have reached end-of-life are insecure and pose a risk not only to their servers but to their users as well,” said Cybernews.
“We reported this case to the hosting provider of this website and it seems that the malicious script was taken down and the website which was running it was reset.”
The hacker’s gift that kept on giving
Cybernews said the threat actors had taken a “really simple but interesting approach” to evade firewalls and other security measures.
“The payload responsible for these redirections was reversed, thus extending the lifetime of the attack and revenue generation,” it said. “What’s more, the code trigger was delayed and deployed at random times.”
Worse still, because the likelihood of a breach being triggered increased with every successful automated hack, the probability of malicious ads being served on infected sites increased exponentially.
But this attack vector, though potent, meant that it was easier to locate. This – along with the apparent carelessness of the threat actors – allowed the Cybernews team to conduct tracing to identify victims of the infected code.
“This approach of the threat actors and the decision to not check whether their malicious code was already included previously resulted in multiple failed hack attempts and a rather large digital footprint,” said Cybernews.
More from Cybernews:
Subscribe to our newsletter