WordPress Phishing: Target of Cybercriminals Worldwide

WordPress phishing attacks are now commonplace, with the sites a target for cybercriminals worldwide. WordPress and Phishing now go hand in hand. WordPress sites are being used by cybercriminals to obtain a wide range of sensitive data from users. In some cases, those sites are created by cybercriminals. In other cases, vulnerabilities in WordPress sites are leveraged and new content is created – content that captures users’ information. Exploit kits are also loaded onto the sites that download malware.

Today’s technical press was full of headlines about the recent WordPress updates -eWeek’s WordPress 4.01 Updates Millions of Sites for 8 Flaws for example.

The WordPress.org website describes the latest WordPress 4.0.1 Security Release as a “Critical security release for all previous versions” and says we “strongly encourage you to update your sites immediately.”  According to the release, all versions of WordPress are affected by a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site.

At PhishMe this is not big news. In fact, it’s not really news at all. Why? Well, we know that the great thing about WordPress is the platform makes it quick and easy for any user to make a website! We also know that worst thing about WordPress is that it makes it quick and easy for any user to make a website! Not only does it make it very quick and easy for cybercriminals to make new WordPress sites, the platform is used by legitimate users to create a site, that they then forget about maintaining. Having a website and then choosing not to maintain it, or perhaps not knowing enough about web security to be capable of maintaining it, is actually a very dangerous thing.

When people ask us about WordPress, we often tell them a story. Once upon a time, in the summer of 1983, my brother John and I went hiking in northern Michigan with a couple Eagle scout friends of ours called Philip and Michael. We assured our parents we would be safe in the woods for a week by ourselves, after all, our friends were Eagle Scouts! As we were hiking, dozens of miles from the nearest paved road, we came across a small shed in the woods and inside the shed was a shotgun and a big box full of shells!

Being extremely responsible children, we of course notified the nearest authorities (ahem).

Having a WordPress website and failing to maintain it is exactly the same, in cyber terms at least, as leaving a loaded shotgun unattended on your front porch in a neighborhood full of curious teenagers. A dramatically high number of websites that are compromised and then used to distribute malware, to host malware C&C servers, and to host phishing webpages are made malicious as a result of carelessness by webmasters. Essentially the same as leaving a loaded gun on the porch or going on holiday and leaving the front door wide open.

When a curious teen or a convict picks up the gun and does harm to people, or when the house is burgled, it is easy to say “It wasn’t my fault!  I didn’t know!”  But perhaps we should start educating webmasters so they know that is not a valid excuse. Since we now know that cybercriminals target WordPress sites, leaving the sites with known vulnerabilities is nothing short of negligence. Your website could easily be turned into a WordPress phishing site if vulnerabilities are left unaddressed. Your site may also be used to infect all of your customers with malware.

How often does this really happen? One way to find many of these WordPress phishing sites is to look at the URL used in a phishing attack for evidence that it is a WordPress site. Many of these phishing attacks take the form of a Remote File Inclusion attack that often allows the user to inject their phishing content into a subdirectory of either the “wp-admin” directory or the “wp-content” directory.

We ran some searches in through our threat intelligence system to find out how many such pages we’ve seen. Just today there were:

  • Alibaba phish on “bluribbon.com/wp-admin” and “ambitionthekid.com/wp-admin/”
  • credit card phish on “resepmasakanalaindonesia.com/wp-includes”
  • TD Bank phish on “mariabobrova.com/wp-content/” and “jaw-photo.com/wp-content/”
  • generic email phish (AOL/Google/Microsoft/Yahoo) on “osiedlaimiasta.pl/wp-includes/” and “mariogavazzi.it/wp-content”
  • Paypal phish on “deluxetravelviajes.com/wp-content/”
  • Standard Bank phish on “woodsidenylawyer.com/wp-admin/”
  • AOL phish on “arkansaswebsiterentals.com/wp-content/”
  • Yahoo phish on “fenwaymarketing.com/wp-content/” and “pierrefauchard.com.br/wp-content/”
  • MayBank2U phish on “cascalhoriopreto.com.br/wp-admin/”
  • Halifax phish on “ics.com.ph/wp-admin/”
  • Royal Bank of Canada on “ohtleathercrafts.com/wp-content/”
  • Bank of America phish on “secureserver.net/~cables/wp-admin/”
  • BT.com phish on “accionpreventiva.cl/wp-content/”

And the business day is only half-way done!

Since January 1, 2014 we have seen:

  • 12,416 confirmed phishing URLS that contained the string “wp-content”
  • 6,054 confirmed phishing URLs that contained the string “wp-includes”
  • 4,255 confirmed phishing URLs that contained the string “wp-admin”

Those URLs were on 6,627 different domain names on 4,947 different IP addresses, at 164 different hosting companies. Sadly, the statistics make it clear that WordPress phishing websites tend to be clustered at hosting companies that offer cheap hosting with poor technical support. Often this is the result of “resellers” who use servers in those hosting company data centers to offer even cheaper webhosting deals with even poorer technical support.

Our checks showed six hosting companies had more than 100 domains hacked using a WordPress Remote File Inclusion attack — and five of those are in the United States!

We can’t put all the blame on the hosting companies. Many of them are providing “do-it-yourself” web services where the webmasters have chosen to NOT do-it-themselves when it comes to security!

Do you know a WordPress webmaster?  If so, make sure you share this article with them and have them upgrade by following the WordPress 4.0.1 Security Release guidance. If you do, you are helping to keep all of us safer from WordPress phishing attacks and malware downloads from WordPress sites!

Interview: Rohyt Belani, CEO, PhishMe
Cridex Malware Authors Warn Lloyds users of Dyre

Leave a Reply