Comments On Thousands Of WordPress Sites Hacked To Fuel Scam Campaign

By ISBuzz Team, Writer, Information Security Buzz | Jan 23, 2020 04:30 am PST

According to security researchers, over 2,000 WordPress sites have been hacked to fuel a campaign that redirects visitors to scam sites pushing unwanted browser notification subscriptions, fake surveys, giveaways, and fake Adobe Flash downloads. Security firm Sucuri detected the campaign last week. Among the vulnerable plugins seen being exploited are “CP Contact Form with PayPal” and “Simple Fields”.

3 Expert Comments
James McQuiggan, Security Awareness Advocate
January 24, 2020 3:48 pm

An organization’s “front door” is its website, and it is a target for criminals as they attempt to gain access to install malicious code and malware for all who visit it. The security for the website should be extremely robust, with a well-documented and repeatable change control program, including regular patching.

Organizations using plugins need to verify all updates and test them to reduce the risk of infecting users who visit their website. Determining how valid and important a plugin is for their website is part of the change control and security supply chain program. The security supply chain provides organizations the opportunity to audit the plugins, whether that is done with vulnerability scans or by manually checking the code from the developer. These practices can greatly reduce the likelihood of a data breach or a defaced website.

Organizations that face these types of attacks should have well-documented backup and repeatable rollback procedures in the unfortunate event of an attack on their website, so they can stay operational with the least amount of downtime.

Mike Bittner, Associate Director of Digital Security and Operations
January 24, 2020 12:01 pm

Campaigns that redirect users of legitimate sites to scam sites underscore the problems with relying on digital third parties. While digital third parties provide much-needed support to websites that must meet the growing demands of website users, they also expose site owners and users to security and privacy risks. The code they run on today’s websites lies outside the website owners’ perimeter. As a result, owners don’t know who’s running what code on their sites, and what impact this might have on users. Meanwhile, bad actors are capitalizing on this growing reliance on digital third parties, who all too often bring their software to market without much thought given to security and privacy. While this arrangement may have worked in the past, the passage of the CCPA has shaken up the industry with stiff penalties and a private right of action in case of a breach. The upshot: companies can no longer take privacy and security lightly.

Ameet Naik, Security Evangelist
January 23, 2020 12:31 pm

WordPress plugins are another example of third-party risks to websites, and have been a frequent target in the past. A single compromised plugin can infect tens of thousands of websites in one stroke, hence they remain a popular attack vector. The technique seen in this attack is very similar to what we see with Magecart attacks where additional scripts are loaded from malicious domains. These scripts can perform any action ranging from hijacking the user to a scam site, or sniffing PII from form fields. Website owners must be cautious while using external plugins and ensure they stay up to date with security patches.

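The campaign summarized at the top of the page and the technique Ameet Naik describes (extra scripts loaded from attacker domains, visitors bounced to scam pages) leave two footprints in the HTML a compromised site serves: script loaders pointing at hosts the site owner never chose, and inline code that rewrites `location`. The following is an added example written for this page, not code from the article, Sucuri, or any of the commenters. It parses a page with the standard library, reports script hosts outside an allowlist, extracts client-side redirect targets, and emits the `script-src` directive that would have stopped the injected loader. The sample page and every hostname in it (`.test` and `.invalid` names) are constructed for the example and are not indicators from the real campaign.

```python
"""Added example: find injected third-party script loaders and client-side
redirects in a page served by a possibly compromised WordPress site.

Not code from the article, Sucuri, or any commenter. All hostnames below are
constructed placeholders (.test / .invalid), not real campaign indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []          # src attribute values
        self.inline = []            # inline script bodies
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True
            self.inline.append("")

    def handle_data(self, data):
        # Script content may arrive in several chunks; glue them together.
        if self._in_inline_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline_script = False


def _host_of(src):
    """Hostname of a script URL, or None for same-origin (relative) sources."""
    if src.startswith("//"):            # protocol-relative loader
        src = "https:" + src
    host = urlparse(src).hostname
    return host.lower() if host else None


def _allowed(host, allowed_hosts):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def unexpected_script_hosts(html, allowed_hosts):
    """Hosts the page loads scripts from that are not on the allowlist."""
    p = _ScriptCollector()
    p.feed(html)
    found = set()
    for src in p.external:
        host = _host_of(src)
        if host and not _allowed(host, allowed_hosts):
            found.add(host)
    return found


# location = "...", location.href = "...", location.replace("..."), location.assign("...")
_REDIRECT_RE = re.compile(
    r"""location(?:\.href|\.replace|\.assign)?\s*[=(]\s*['"]([^'"]+)['"]""")


def redirect_targets(html):
    """URLs that inline scripts assign to location (client-side redirects)."""
    p = _ScriptCollector()
    p.feed(html)
    targets = []
    for body in p.inline:
        targets.extend(m.group(1) for m in _REDIRECT_RE.finditer(body))
    return targets


def csp_script_src(allowed_hosts):
    """A script-src directive that blocks loaders from any unlisted host."""
    sources = ["'self'"]
    for h in sorted(allowed_hosts):
        sources += ["https://" + h, "https://*." + h]   # host and its subdomains
    return "script-src " + " ".join(sources)


# Constructed sample: one first-party CDN, one injected loader, one injected redirect.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Constructed sample: infected WordPress page</title>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example-shop.test/theme.js"></script>
<script src="//stats.example-scam.invalid/loader.js"></script>
<script>
  /* injected: bounce visitors to a fake-survey page */
  if (document.referrer) { window.location.replace("https://win.example-scam.invalid/survey"); }
</script>
</head><body><h1>Store</h1></body></html>"""

ALLOWED = {"example-shop.test"}     # the site owner's own domains (constructed)

if __name__ == "__main__":
    print("unexpected script hosts:", sorted(unexpected_script_hosts(SAMPLE_PAGE, ALLOWED)))
    print("client-side redirects:", redirect_targets(SAMPLE_PAGE))
    print("suggested Content-Security-Policy:", csp_script_src(ALLOWED))
```

Run it against the HTML your site actually returns to an anonymous visitor (the injection is often keyed on `document.referrer`, as in the sample, so fetch it the way a search-engine visitor would), and diff the reported hosts against the plugins and CDNs you knowingly installed. The allowlist is the same one that seeds the CSP directive, so a host that shows up in the report is a host the policy would already have blocked.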
