According to security researchers, over 2,000 WordPress sites have been hacked to fuel a campaign that redirects visitors to scam sites containing unwanted browser notification subscriptions, fake surveys, giveaways, and fake Adobe Flash downloads. Security firm Sucuri detected this hacking campaign last week. Some of the vulnerable plugins seen being exploited are the “CP Contact Form with PayPal” and the “Simple Fields” plugins.
>2000 WordPress sites were found to have malware redirecting visitors to malicious sites either hosting scams or downloading more malware. https://t.co/WtC22rV9sq #wordpress #malware
— Cyber Vigilance UK (@Cyber_Vigilance) January 23, 2020
An organization's "front door" is its website, and it is a target for criminals as they attempt to gain access and install malicious code and malware for all who visit the website. Security for the website should be extremely robust, with a well documented and repeatable change control program, including regular patching.
Organizations using plugins need to verify all updates and test them to reduce the risk of infecting users who visit their website. Determining the validity and importance of a plugin for their website is part of the change control and security supply chain program. The security supply chain gives organizations the opportunity to audit the plugins, whether that is done with vulnerability scans or by manually checking the code from the developer. These practices can greatly reduce the likelihood of a data breach or a defaced website.
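One concrete form of the plugin audit described above is an integrity check: record a hash of every file in a plugin when it is installed from a trusted source, and compare the live tree against that record on a schedule and after every update. The script below is an added example, not code from the article or from any plugin vendor; the plugin tree, the manifest and the simulated tampering are all constructed inside a temporary directory so it runs offline.

```python
"""Added example: verify a WordPress plugin's files against a known-good SHA-256 manifest.

Assumptions (constructed for this demo, not from the article): a manifest of
{relative_path: sha256} captured from a trusted copy at install time, and a
plugin directory to check. A clean plugin yields an empty report.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not have to be loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_plugin(plugin_dir: Path, manifest: dict) -> dict:
    """Compare the on-disk plugin tree with the trusted manifest.

    Returns {'modified': [...], 'added': [...], 'missing': [...]}.
    'added' is the category to look at first: injected loaders usually arrive
    as a new file the original plugin never shipped.
    """
    actual = hash_tree(plugin_dir)
    return {
        "modified": sorted(f for f in manifest if f in actual and actual[f] != manifest[f]),
        "added": sorted(f for f in actual if f not in manifest),
        "missing": sorted(f for f in manifest if f not in actual),
    }


def build_demo() -> tuple:
    """Constructed sample: a trusted install, then the same tree after simulated tampering."""
    tmp = Path(tempfile.mkdtemp())
    plugin = tmp / "example-plugin"  # hypothetical plugin name
    (plugin / "inc").mkdir(parents=True)
    (plugin / "example-plugin.php").write_text("<?php\n// plugin loader\n")
    (plugin / "inc" / "helpers.php").write_text("<?php\nfunction ep_helper() {}\n")
    manifest = hash_tree(plugin)  # captured while the copy is still trusted

    # Simulated tampering (constructed): the loader is edited to pull in a file
    # that the original plugin never contained.
    (plugin / "example-plugin.php").write_text("<?php\n// plugin loader\ninclude 'inc/x.php';\n")
    (plugin / "inc" / "x.php").write_text("<?php\n// unexpected file\n")
    return plugin, manifest


if __name__ == "__main__":
    plugin_dir, trusted_manifest = build_demo()
    for kind, files in verify_plugin(plugin_dir, trusted_manifest).items():
        for name in files:
            print(f"{kind}: {name}")
```

For plugins distributed through wordpress.org, WP-CLI's `wp plugin verify-checksums` performs the same comparison against the checksums the directory publishes; the example above is the equivalent for plugins obtained elsewhere, where the site owner has to capture the manifest from a copy they have reviewed.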
Organizations that face these types of attacks should have well documented backup and repeatable rollback procedures for the unfortunate event of an attack on their website, so they can stay operational with the least amount of downtime.
Campaigns that redirect users of legitimate sites to scam sites underscore the problems with relying on digital third parties. While digital third parties provide much needed support to websites that must meet the growing demands of website users, they also expose site owners and users to security and privacy risks. The code they run on today's websites lies outside the website owners' perimeter. As a result, owners don't know who's running what code on their sites, and what impact this might have on users. Meanwhile, bad actors are capitalizing on this growing reliance on digital third parties, who all too often bring their software to market without much thought given to security and privacy. While this arrangement may have worked in the past, the passage of the CCPA has shaken up the industry with stiff penalties and a private right of action in case of a breach. The upshot: companies can no longer take privacy and security lightly.
WordPress plugins are another example of third-party risks to websites, and have been a frequent target in the past. A single compromised plugin can infect tens of thousands of websites in one stroke, hence they remain a popular attack vector. The technique seen in this attack is very similar to what we see with Magecart attacks where additional scripts are loaded from malicious domains. These scripts can perform any action ranging from hijacking the user to a scam site, or sniffing PII from form fields. Website owners must be cautious while using external plugins and ensure they stay up to date with security patches.
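The Magecart-style pattern described above, an injected tag that loads an additional script from a domain the site owner never approved, is something a site owner can check for from the outside by rendering a page and comparing every `<script src>` host against an allowlist. The code below is an added example, not the article's or any vendor's; the sample page, the page host and the allowlist are constructed for the demo (the `.invalid` domain stands in for an injected loader and is not a real indicator).

```python
"""Added example: flag <script src> tags that load from hosts outside an allowlist.

Assumptions (constructed for this demo, not from the article): the site's own
host is www.example.com, the owner has approved example.com and its subdomains,
and SAMPLE_PAGE is a captured page with one unexpected external script.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def host_of(src: str, page_host: str) -> str:
    """Resolve the host a script src will actually load from.

    Absolute and protocol-relative (//host/...) URLs carry their own host;
    path-relative URLs load from the page's own host.
    """
    if "://" in src or src.startswith("//"):
        target = src
    else:
        target = "//" + page_host + "/" + src.lstrip("/")
    parsed = urlparse(target, scheme="https")
    return (parsed.hostname or page_host).lower()


def is_allowed(host: str, allowlist: set) -> bool:
    """A host is allowed if it equals an allowlisted domain or is a subdomain of one."""
    return any(host == allowed or host.endswith("." + allowed) for allowed in allowlist)


def find_unexpected_scripts(html: str, page_host: str, allowlist: set) -> list:
    """Return (src, host) pairs for every script whose host is not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = host_of(src, page_host)
        if not is_allowed(host, allowlist):
            findings.append((src, host))
    return findings


# Constructed sample page: two expected scripts and one injected loader.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//stats.third-party.invalid/track.js"></script>
</head><body></body></html>"""

ALLOWLIST = {"example.com"}  # constructed: the site's own domain and approved CDNs

if __name__ == "__main__":
    for src, host in find_unexpected_scripts(SAMPLE_PAGE, "www.example.com", ALLOWLIST):
        print(f"unexpected script host {host}: {src}")
```

The allowlist is the hard part in practice: it has to be built from a page that is known to be clean, and every approved plugin or CDN addition has to go through the same change control as the plugin itself, otherwise the check either drowns in noise or silently accepts whatever the last update pulled in.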