Netcraft stats on the increasing abuse for WordPress installations

Pierluigi Paganini March 28, 2014

More than 12,000 phishing sites analyzed by Netcraft are hosted on compromised WordPress installations, the websites were used also to serve malicious code.

Netcraft internet services company published a statistic which shows that nearly 12,000 WordPress instances were compromised in February, the attackers used the popular CMS to conduct phishing campaigns against targeted family of users, principally PayPal (25%) and Apple customers (17%). The compromised WordPress installations were also used to serve malware, but the interesting data is that many of nearly 27 million websites running WordPress analyzed by Netcraft’s team are vulnerable to brute-force password guessing attacks or lack of proper security settings. The news is not a surprise, always this month Sucuri firm detected a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors, in that case the botnet was composed at least 162,000 WordPress-powered websites abused to run DDoS attacks. According Netcraft compromised WordPress domains were responsible in February for more than 7% of all phishing attacks blocked by the company, 8% of the malicious URLs blocked by Netcraft in the same period were serving malware.

Netcraft WordPress installations phishing malware

Another common source of problems for WordPress installations are the plugins, WordPress instances and related add-ons require a proper level of management to the administrator that have to consider seriously the evolution of their applications. Despite security updates are automatic since the 3.7 version, the plugins must be also updated to avoid that attackers would exploit them.

Over its lifetime, WordPress has been plagued by security issues both in its core code and in the numerous third-party plugins and themes that are available. One of the most widespread vulnerabilities this decade was discovered in the TimThumb plugin, which was bundled with many WordPress themes and consequently present on a large number of WordPress blogs. A subtle validation flaw made it possible for remote attackers to make the plugin download remote files and store them on the website. This allowed attackers to install PHP scripts on vulnerable blogs, ultimately facilitating the installation of malware and phishing kits. Similar vulnerabilities are still being exploited today.” states the company blog post.

Security specialists observed that attackers use to deploy phishing content into WordPress directories ‘wp-includes’ and inside ‘wp-admin’ directory, also called dropzoneThe wp-content directory is particularly targeted because it is used by the CMS instance to store user’s content and for this reason it is almost always writable. Be aware the presence of dropzone on shared hosting environments are particularly critical, attackers can exploit file system permissions to inject malicious code on shared folders or another user’s wp-content directory. The APWG Global Phishing Survey report issued one year ago highlighted the fact that cybercriminal hack shared virtual servers for various purposes like bot recruiting and malware distribution, following an excerpt from the study:

“In late 2012 into 2013, we have seen increasing use of tools targeting shared hosting environments, and particularly WordPress, cPanel, and Joomla installations. For example, beginning in late 2012 criminals hacked into server farms to perpetrate extended DDoS attacks against American banks. And in April 2013, a perpetrator launched wide-scale brute force attacks against WordPress installations at hosting providers in order to build a large botnet. Tens of thousands to hundreds of thousands of these shared servers have been cracked by such techniques. Access and use of these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and of course, phishing. These attacks highlight the vulnerability of hosting providers and software, exploit weak password management, and provide plenty of reason to worry.”

Some examples of directory structures used by phishing sites hosted in this directory on WordPress blogs include:

/wp-content/securelogin/webapps/paypal/
/wp-content/plugins/wordpress-importer/languages/image/Google/Google/
/wp-content/uploads/.1/Paypal/us/webscr.htm
/wp-includes/alibaba_online/
/wp-includes/www.paypal.com.fr.cgi.bin.webscr.cmd.login.submit.login/
/wp-includes/js/online.lloydsbank.co.uk/
/wp-admin/js/www.credit-mutuel.fr/
/wp-admin/maint/RBS-Card/index.html
/wp-admin/Googledoc/

WordPress installation must be hardened and all the plugins installed have to be updated to avoid the above problems.

“Enabling automatic background updates is an easy way to ensure that a WordPress blog is kept up-to-date, but a significant trade off is that every WordPress file must be writable by the web server user.” concludes the post

Pierluigi Paganini

(Security Affairs –  WordPress installations, Phishing)



you might also like

leave a comment