Phishing Scammers Use WordPress, Abandoned Sites to Host Malicious Pages

Hackers are using abandoned websites, smaller ones with little traffic and few security features, and those built atop the WordPress platform to house the malicious pages that are part of their phishing attacks.

Hosting fake pages on such sites are part of a larger drive among bad actors running phishing campaigns to generate as much income as possible from those pages while using minimal effort and cost, according to researchers with Kaspersky.

Automating their attacks through phishing kits or Telegram bots are examples. Hacking existing websites rather than spinning up and registering new domains is another that is popular with phishing operations of all sizes, researchers Tatyana Machneva and Olga Svistunova wrote in a report this week. And this move comes with multiple benefits.

“Besides tucking a phishing page inside the website they hack, scammers can steal all of the data on the server and completely disrupt the site’s operation,” they wrote.

Threat groups continue to run phishing campaigns as ways to steal money and sensitive information from victims or to launch ransomware and other attacks. According to Proofpoint, 84% of 1,050 InfoSec and IT professionals said their organization sustained at least one successful phishing attack in 2022. In addition, the financial loss of phishing attacks jumped 76% between 2021 and last year.

Long-Forgotten and Smaller Websites

Some phishing campaigns direct potential victims to malicious pages on otherwise legitimate websites. Kaspersky’s report found that abandoned and poorly maintained sites are popular among scammers.

“A lack of maintenance and security patches means [abandoned websites] are easy to compromise using a known exploit,” Machneva and Svistunova wrote. “Besides, on a long-neglected site, phishing pages can stay up for long periods of time, as no one monitors what gets published, which is exactly what scammers look for.”

At the same time, smaller sites that don’t drive much traffic also are targeted by hackers. The sites’ owners may not be able to spend the money needed for security measures on the site or to hire cybersecurity professionals. They also may not be familiar with security settings or believe that the small size of the websites make them unattractive to threat groups.

“However, to a phisher, the possibility of hacking the website is more important than its popularity, as links to scam pages are likely to be emailed or sent via instant messaging platforms,” the researchers wrote. “Therefore, even smaller websites are an attractive target for scammers.”

WordPress is Getting Hacker Attention

So are sites built on the WordPress platform, which powers more than 43% of all sites on the internet, they wrote, citing numbers from tech survey company W3Techs.

It’s not just the popularity of the platform that catches the attention of hackers, but also the prevalence of third-party plugins and vulnerabilities on system. There also are multiple avenues into WordPress sites that bad actors can take.

“Websites powered by WordPress often suffer from vulnerabilities that allow scammers to easily gain access to the control panel using a special script and publish malicious content,” the Kaspersky researchers wrote. “Alternatively, hackers can brute-force the administrator’s credentials or use a stolen password.”

They can exploit security holes to upload a WSO web shell to bypass the authentication step and get access to the site’s control panel, which allows them to make any changes they want. Kasperksy’s systems in May detected more than 350 unique domains that had open access to the control panel, though the real number of such sites may be higher, the researchers wrote.

Attackers also may brute-force their way past weak passwords or get in via leaked credentials, giving them access to the control panel.

“Sometimes, hackers leave the site’s main functionality in place as they publish phishing pages,” they wrote. “A visitor would never guess the site has been hacked: every section is where it is supposed to be, and only relevant information can be seen. Scammers hide their malicious content inside new directories that cannot be accessed from the main website menu.”

That said, most of the hacked sites include broken links to other sections on the home page because scammers will delete original directories and replace them with phishing content.

Control Panels Open Doors

Access to the control panel is key. That is where such data as credentials, bank card data, and other personal information is stored. A web shell will allow anyone to have access to the data, all of which can make the attackers even more money through selling it on the dark web, using it to steal money from a victim’s bank account, and leveraging it to lend other scams more credibility.

All of this is working. Between May 15 and July 31, Kaspersky found 22,400 unique WordPress sites that were hacked to create phishing pages. During that same stretch, users tried 200,213 times to visit fake pages housed on compromised sites.

Though scammers may try to make these fake pages look credible, there are ways to recognize a WordPress-based that site has been hacked, including seeing default names of WordPress directors in the URL. Other indications include the name of the imitated brand appear in the name of a directory and content on a page being unrelated to the rest of what’s on the website.

In addition, administrators can take a number of steps to protect their websites, including using strong and unique passwords and multifactor authentication to keep accounts from being hijacked, regularly updating software on the servers, and deactivating unused plugins, according to Kaspersky.

Avatar photo

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.

jeffrey-burt has 328 posts and counting.See all posts by jeffrey-burt