Wordfence, the security plugin for WordPress sites, reported on its blog this week that its Threat Intelligence Team observed a single malware campaign target more than 900,000 WordPress sites over the past month, with over half of the attacks occurring on May 3. The researchers counted over 24,000 distinct IP addresses launching the attack, which takes advantage of previously known vulnerabilities. Fixes for the flaws have been available for some time, in some cases for years, but the attackers are banking on the fact that many WordPress site owners have still not updated.
The ongoing attacks are two-pronged. First, they inject malicious code into the site's pages that redirects visitors to a malvertising page; second, they attempt to plant a backdoor so that future payloads can give the attackers full control of the site. The backdoor is only created when a logged-in administrator views the injected page at the time of the attack; otherwise, visitors simply get the malvertising redirect.
“There are more than 400 million websites powered by WordPress,” commented Avast Security Evangelist Luis Corrons. “Under this platform you can create a website using any of the thousands of plugins available, which were created by thousands of different companies and/or users. At the end of the day, these plugins are just pieces of software, which can have vulnerabilities. If website owners don’t update regularly, their sites will be an easy target for cybercriminals.” Indeed, the vulnerability most often exploited in these attacks involves a flawed third-party plugin. In its blog post, Wordfence advised all users to make sure they have deactivated any plugins that WordPress has removed from their repository.
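A site owner who suspects this kind of injection usually finds it as a script tag that has no business being in a post, an option value or a theme file. The scanner below is an added example, not Wordfence or Avast code; it assumes the injected code is a JavaScript block or external script include in stored HTML (as the redirect behaviour described above implies), and all hostnames and post rows in it are constructed for the demo.

```python
"""Flag script tags in stored WordPress HTML that load from unexpected hosts
or perform client-side redirects.

Added example, not code from Wordfence or Avast. Hostnames, post IDs and
post bodies below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

REDIRECT_MARKERS = ("window.location", "document.location",
                    "location.href", "location.replace")
OBFUSCATION_MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(")


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_suspicious_scripts(html, site_host, allowed_hosts=()):
    """Return a list of (kind, detail) findings for one HTML fragment."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    ok = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative paths (served by the site itself)
        if host is not None and host.lower() not in ok:
            findings.append(("external-script", src))
    for body in parser.inline:
        if any(m in body for m in REDIRECT_MARKERS):
            findings.append(("inline-redirect", body.strip()[:80]))
        elif any(m in body for m in OBFUSCATION_MARKERS):
            findings.append(("inline-obfuscated", body.strip()[:80]))
    return findings


def scan_posts(rows, site_host, allowed_hosts=()):
    """Scan (post_id, post_content) rows; return {post_id: findings} for hits only."""
    flagged = {}
    for post_id, content in rows:
        found = find_suspicious_scripts(content, site_host, allowed_hosts)
        if found:
            flagged[post_id] = found
    return flagged


# Constructed sample rows standing in for the post_content column of wp_posts.
SAMPLE_ROWS = [
    (1, '<p>Hello</p><script src="/wp-includes/js/jquery/jquery.js"></script>'),
    (2, '<p>Welcome</p><script src="//cdn.example.net/lib.js"></script>'),
    (3, '<p>Deal</p><script src="https://ads-redirector.example/track.js"></script>'),
    (4, '<p>Post</p><script>var u="https://malvertising.example/?r=1";window.location=u;</script>'),
]

if __name__ == "__main__":
    for post_id, found in scan_posts(SAMPLE_ROWS, "victim.example", ("cdn.example.net",)).items():
        print(post_id, found)
```

Feed it the post_content column of wp_posts plus any options that store HTML or scripts (widget text, header and footer injection plugins), with the site's own host and the CDNs it legitimately uses on the allowlist; anything left over is worth reading by hand before deciding it is benign.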
Breach affects 28,000 GoDaddy hosting accounts
Web hosting company GoDaddy sent a notification to affected users this week informing them of a data breach that compromised their web hosting account login credentials. The company attributes the breach to a single attacker, stating that the individual has since been blocked from its systems. GoDaddy told BleepingComputer that 28,000 customers were affected, emphasizing that only the hosting account credentials were compromised and not the users' main GoDaddy accounts.
Snake ransomware strikes at Fresenius
Europe's largest private hospital operator, Fresenius, suffered a ransomware attack which limited some operations at the company, according to InfoSecurity. Fresenius has 300,000 employees across 100 countries and is one of the leading providers of dialysis treatment and kidney care, services that are in greater demand than usual because of the coronavirus pandemic. A Fresenius spokesperson said the company's IT group is "continuing to work on solving the problem as quickly as possible."
User info found in resold Tesla parts
A white hat hacker known as GreenTheOnly purchased four secondhand Tesla computer units on eBay and found that the previous drivers' personal information was still stored in the units' memory. The hacker told InsideEVs that each module contained the previous owners' home and work locations, all saved Wi-Fi passwords, calendar entries, call lists and address books from paired phones, and stored session cookies for services like Netflix. Tesla has not commented on the discovery, but a source told InsideEVs that Tesla technicians are instructed to damage and trash removed computer units. It is unclear whether the parts bought on eBay were being sold by Tesla employees or by dumpster divers close to the service center.
This week’s quote
"This hack used to be something that only very niche and sophisticated developers understood. But now the entire ad-tech industry understands it," said researcher Zach Edwards, who discovered that Quibi, JetBlue, Wish, and other companies were giving away millions of email addresses to analytics companies.
Favicons compromised for card-skimming
A malicious icon-hosting portal hid payment card-skimming code in favicons, the small icons browsers display in the tab and bookmark bar for a site. ZDNet reported that the domain MyIcons.net ran a selective scheme: it served legitimate, non-malicious icon image files for every page except checkout pages, where it instead served files carrying code that could generate phony checkout forms and steal the card details entered into them. Researchers noted that site owners who looked into MyIcons.net could easily have believed it was an authentic service, as it was an exact clone of the legitimate IconArchive.com portal.
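Two checks catch this pattern without knowing the skimmer's code in advance: does the file served as a favicon actually start like an image and contain nothing that looks like JavaScript, and does the host hand back different bytes depending on which page asked for it? The script below is an added example, not code from ZDNet, Malwarebytes or any icon portal; the icon bytes and the offline `_demo_fetch` function in it are constructed, and a real deployment would replace `_demo_fetch` with an HTTP client that sets the Referer header.

```python
"""Inspect a third-party favicon for hidden script and test whether the
host serves different content to checkout pages.

Added example, not from the ZDNet report or any vendor's code. The icon
bytes and the fetch function below are constructed for the demo.
"""

# Magic bytes for the image formats a browser accepts as a favicon.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# Substrings that have no place inside an icon file.
SCRIPT_MARKERS = (b"<script", b"document.createElement", b"document.write",
                  b"XMLHttpRequest", b"fetch(", b"function(")


def image_type(data):
    """Return the image format implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_icon(data):
    """Return findings for one favicon body (empty list means nothing suspicious)."""
    findings = []
    if image_type(data) is None:
        findings.append("not-an-image")
    hits = [m.decode() for m in SCRIPT_MARKERS if m in data]
    if hits:
        findings.append("script-markers:" + ",".join(hits))
    return findings


def differential_check(fetch, url, referers):
    """Fetch the same icon under several Referer values and compare the bodies.

    fetch(url, referer) -> bytes is supplied by the caller so the check can
    run offline here and against a live host in practice.
    """
    bodies = {ref: fetch(url, ref) for ref in referers}
    return {
        "varies": len(set(bodies.values())) > 1,
        "findings": {ref: inspect_icon(body) for ref, body in bodies.items()},
    }


# Constructed samples: a minimal PNG header, a PNG with a script appended,
# and a JavaScript skimmer served under an icon URL.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(20)
PNG_WITH_TRAILER = CLEAN_PNG + b"<script>document.write('x')</script>"
SKIMMER_AS_ICON = (b"(function(){var f=document.createElement('form');"
                   b"f.innerHTML='Card number: <input name=cc>';document.body.appendChild(f);})();")


def _demo_fetch(url, referer):
    """Constructed stand-in for the icon host: clean everywhere except checkout pages."""
    if "checkout" in referer:
        return SKIMMER_AS_ICON
    return CLEAN_PNG


if __name__ == "__main__":
    report = differential_check(_demo_fetch, "https://icons.example/favicon.ico",
                                ["https://shop.example/", "https://shop.example/checkout"])
    print(report)
```

The differential check matters because a one-off download from a scanner or a developer machine would see the clean icon; only a request that presents a checkout-page Referer gets the payload, which is exactly why the scheme went unnoticed for as long as it did.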
Hacker bribes Roblox employee for admin access
A hacker told Vice that they first paid a Roblox insider to perform data lookups for them and then targeted a customer support representative. By manipulating Roblox personnel, the hacker gained access to the customer support panel, which allowed them to see the personal details of over 100 million monthly active Roblox users, change passwords, ban users, sell off account inventories, and more. Roblox characterized the incident as a social engineering attack rather than a technical exploit. After getting in, the hacker contacted Roblox to report the intrusion and to ask for a "bug bounty" cash reward. The company refused, as the hacker's intent appeared to be more malicious than academic.
This week’s ‘must-read’ on The Avast Blog
20 years ago this week, the world faced one of the most devastating computer viruses ever – the ILOVEYOU virus. Learn more about the state of viruses today and how we can prepare ourselves in the future.
*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/malvertising-attackers-target-900000-wordpress-sites