Website Malware Removal: Phishing

As we continue on our Malware Removal series we turn our attention to the increasing threat of Phishing infections.

Just like a fisherman casts and reels with his fishing rod, a “phisher-man” will try their luck baiting users with fake pages, often in the form of login pages. These copied website pages are cast into infected websites with the hope that some users will bite, and get reeled into giving away their secret data. Wielding the web development and scripting knowledge necessary to make forms that look convincingly realistic, hackers lure unsuspecting users into entering their credentials on the imitated page.

Sucuri - US Bank Being used in Phishing Campaign


These infections are known as Phishing Lures.

Any website, regardless of platform, can be prey to phishing infections. Unlike other tactics that look to abuse audiences or take advantage of popularity, think Blackhat SEO infections, this one focuses on your web server resources. This type of infection leverages the compromised website as the housing shell and delivery mechanism.

This delivery mechanism is used to serve pages and scripts built to social-engineer users into thinking they are official providers, often in the form of emails.

Example of how Websites are Used via Emails


Because of its design, the attackers are able to abuse the users' trust.

Phishing attacks can be devastating to the compromised website. Due to a damaged reputation, the website can suffer drops in search engine rankings, along with the brand distrust that comes from harboring pages that steal private user information.

Example of a Website Blacklisted for Phishing


Many Lakes and Many Places to Phish

Do not be fooled into thinking some websites are immune to a phishing infection. Phishing is a conceptual task centered around taking advantage of the users' trust. The attacker could be intent on distributing malware, stealing private or secret data, or any number of nefarious acts. They do it using deception and illusion; it is not bound to a specific technology, framework or CMS to make it work. The infection makes its way into files where it is able to deliver very official-looking content to unsuspecting victims. If the user does not pay attention to the actual location of the URL or the SSL certificate, looking only at the webpage itself, then a password to an important social network, email portal or bank account could be exposed to a malicious attacker.

We have tracked numerous instances of phishing activity on websites that we protect, and have even documented examples of phishing in the wild. The following screenshot demonstrates where a phishing page had been hidden inside a Joomla website:

Infected Joomla website, phishing with fake Chase Bank page


It did not do much to disguise itself: the attacker simply exploited an unpatched vulnerability in the Joomla website and then created a new directory in the root of the website where the fake Chase Bank pages could be hosted.

These pages coerce the user into giving away personally identifiable information (PII) as part of a “customer satisfaction survey” that offers a chance to receive a cash prize as incentive for filling it out. In actuality, the personal information and credentials are being captured by way of having all details of POST requests logged in a nearby file. This means anything submitted through the phishing form will be recorded by the hacker. As an added bonus, the infection also attempts to hook into the victim browser and steal any active cookies for use in accessing other accounts as well.

Looking back at another post written about Phishing on Magento Sites, it can be seen that the same style of attack applies to multiple ecosystems. Utilizing the ins and outs of HTML, ASP, PHP and JavaScript, a phishing file can live in any kind of environment that a web server can provide; this is true for all websites regardless of platform and technology.

WordPress is no stranger to phishing attacks either. Similar to the Magento and Joomla examples above, there are various cases that show how WordPress websites are being abused with phishing infections.

Using Better Bait and Tackle

QR Code Phishing


What makes this difficult to detect as an attack is all the additional layers of illusion that prevent victims from seeing that they are not actually getting to where they want to go. Once these pages are generated and placed onto a host website, they are ready for distribution to unknowing users. It is not prudent to simply ask them to do their banking at NotABankingSite.com/new-folder/bank-account-page.php. However, it gets trickier when link-shortening services are used, or carefully crafted subdomain/domain name combos are made to look like real addresses, as in the following examples: facebo.co.uk, or account-1.chase.com.on-linebanking.com, or simply bit.ly/11jeGil. Going a step further, information thieves can weave these links into emails to resemble real messages from official companies, making them even harder to spot. An attacker can even make custom QR codes to entice users to access a link without ever displaying the text of the URL to the phishing page.
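The lookalike addresses above all share one tell: the part of the hostname that was actually registered is not the brand's domain. The following added example (not code from the original post) shows how an analyst or mail filter can surface that tell by reducing a URL to its registrable domain; the suffix and shortener lists are assumptions standing in for the Public Suffix List and your own shortener inventory.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List (use the real list in production).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Assumption: shorteners you treat as opaque until expanded.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
# Brand -> the registrable domain that brand legitimately uses.
LEGITIMATE = {"chase": "chase.com", "facebook": "facebook.com"}


def registrable_domain(host: str) -> str:
    """Return the registered part of a hostname (eTLD+1), ignoring any subdomain prefix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(url: str, brand: str) -> str:
    """Classify a link that purports to belong to `brand`: 'ok', 'shortener' or 'lookalike'."""
    if "://" not in url:          # bare hosts like NotABankingSite.com/... still parse
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        return "shortener"        # target unknown: expand it before trusting it
    if reg == LEGITIMATE[brand]:
        return "ok"
    return "lookalike"            # subdomain tricks and typo domains both land here
```

Note that `account-1.chase.com.on-linebanking.com` is reported as a lookalike even though it contains `chase.com`, because the registered domain is `on-linebanking.com`.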

Removing Phishing Malware

When we talk about removal, we have to understand that the issue with phishing is not removing, but detection. Unlike other attack methods that depend on browser events to occur, phishing lures sit idle until employed by the attacker (i.e., used in email, SMS, social media and similar campaigns).

Phishing pages in and of themselves often don't have malware injected into them, so they don't attempt to do anything malicious to the user's machine or browser. Instead, they depend on the user's naivety to capture their information once they freely give it up.

Unlike other infection types, phishing pages are also not injected into existing code bases, or linked from the site itself. This thwarts most of the tools that search through websites, following links to pages in the sitemap and checking source code for malicious injections.

With that in mind, when we talk about removal, we have to first focus on detecting the infection. Here are some of our recommendations:

  1. Know your website, its site structure and what belongs.
  2. Employ tools that allow you to see when things change.
  3. Monitor all changes to core installation directories.

More often than not, attackers really love to inject their phishing payloads inside the core directories of a website (most applicable to those that leverage a CMS). This means they are leveraging directories like /includes and /administrator in Joomla! and /wp-admin and /wp-includes in WordPress, along with a number of others. Because of its nature, however, it's impossible to guess where exactly it will be.

Because of these challenges, we recommend always replacing the core files of your website, if possible. Note however that it is not a matter of reinstalling the files: you must physically delete the core directories and install a fresh copy. The reason for this is that when you reinstall via most CMS platforms they will only update existing files; they don't remove all files and start fresh. If you recall our conversation above, phishing infections are often stand-alone files that sit idly waiting to be leveraged.

Another great remediation option is to regularly run an integrity check on all directories and files. You are checking to see if new files are added to directories, while also looking to see if files change (e.g., content changes, time stamp changes, access times). A script meant to compare the contents of an infected server to that of a clean server would reveal the discrepancy in lines of code and lists of files among the core assets of any CMS or website framework.
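The comparison script described above, as an added example that is not Sucuri's own tooling: it hashes every file under the web root into a manifest, diffs a baseline manifest against the current one, and flags additions or modifications inside the core directories named in the text. The sample web root, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# CMS directories that should only change on upgrade (WordPress and Joomla! names from the text).
CORE_DIRS = ("wp-admin", "wp-includes", "administrator", "includes")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large assets never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline; new stand-alone files are the phishing tell."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def in_core(relpath: str) -> bool:
    """True when the path lives under one of the core directories above."""
    return relpath.split("/", 1)[0] in CORE_DIRS

def demo() -> dict:
    """Constructed scenario: a clean install, then a stand-alone page dropped into wp-admin."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-admin").mkdir()
        (root / "wp-admin" / "admin.php").write_text("<?php // core file\n")
        (root / "index.php").write_text("<?php // front controller\n")
        baseline = snapshot(root)  # in practice: stored off-box right after a clean install
        (root / "wp-admin" / "secure-login.php").write_text("<html>fake login form</html>\n")
        (root / "index.php").write_text("<?php // tampered front controller\n")
        report = diff_manifests(baseline, snapshot(root))
        report["core_alerts"] = [p for p in report["added"] + report["modified"] if in_core(p)]
        return report
```

Keep the baseline manifest somewhere the web server cannot write to; a manifest the attacker can regenerate proves nothing.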

If a WordPress website is in use, site owners can take advantage of the free WordPress Sucuri Security plugin, available in the WordPress repository. For those managing their own servers, we'd recommend looking at a Host Intrusion Detection System (HIDS) solution, something like OSSEC.

When it comes to Phishing, unfortunately, there is no simple answer at the moment, and while it’s not a Do It Yourself (DIY) type project, there are things you can do as outlined above. Your best defense is either employing professionals to help, or taking a more proactive posture to your security.

Website owners should perform regular audits, and constantly monitor the code and files that reside on their server, making it easy to spot phishing pages that are out of place.

Deep Dive into the HikaShop Vulnerability

It’s been two months since our disclosure of an Object Injection vulnerability affecting versions <2.3.3 of the Joomla! Hikashop extension. The vulnerability allowed an attacker to execute malicious code on a target website.

How Does Object Injection Work?

Object Injection occurs when raw user input is passed to an unserialize() function call. When this happens, someone with malicious intent can send a serialized instance of a class known in the current application's context, ensuring that at least one of that class's defined magic methods will be executed at some point in the code.
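To make the mechanism concrete, here is an added PHP example (constructed for this post, not HikaShop code): the class name inside the serialized string decides which class unserialize() instantiates, and the magic method fires as a side effect; passing `allowed_classes` removes that side effect entirely. The class name AuditHook and the static flag are assumptions; PHP 7.4 or later is assumed for the typed property.

```php
<?php
// Constructed example class: its magic method runs whenever PHP unserializes it.
class AuditHook
{
    public static bool $woken = false;

    public function __wakeup(): void
    {
        // A harmless marker here; in a real gadget chain this is where side effects live.
        self::$woken = true;
    }
}

// Untrusted input: a serialized AuditHook with no properties (O:<len>:"<class>":0:{}).
$raw = 'O:9:"AuditHook":0:{}';

// Weak: the payload chooses the class, so __wakeup() runs before the app sees the object.
AuditHook::$woken = false;
$obj = unserialize($raw);
printf("unfiltered: %s, woken=%s\n", get_class($obj), var_export(AuditHook::$woken, true));

// Hardened (PHP >= 7.0): no class may be instantiated, so the payload becomes a
// __PHP_Incomplete_Class placeholder and no magic method is reached.
AuditHook::$woken = false;
$obj = unserialize($raw, ['allowed_classes' => false]);
printf("filtered:   %s, woken=%s\n", get_class($obj), var_export(AuditHook::$woken, true));

// Better still: never accept PHP's serialization format from users; exchange plain data.
$data = json_decode('{"cart_id": 42}', true, 512, JSON_THROW_ON_ERROR);
printf("json: cart_id=%d\n", $data['cart_id']);
```

If an application genuinely needs object deserialization, `allowed_classes` can be an explicit whitelist of class names instead of `false`, but those classes must then have no magic methods worth abusing.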


WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability

The popular MailPoet (wysija-newsletters) WordPress plugin had a serious file upload vulnerability a few months back, allowing an attacker to upload files to vulnerable sites.

This issue was disclosed months ago and the MailPoet team patched it promptly. It seems, though, that many website owners have still not gotten the word, or are blatantly not updating, because we are seeing another string of mass exploitation attempts against WordPress websites. Those that have not updated are getting infected repeatedly via this vector. The issue is compounded further because the attackers are using it as a springboard into the rest of the hosting account, compromising the entire account.

Please, we cannot stress the importance of updating enough, and not just your active website, but any other websites you have in your stack, under the same account. Cross-site contamination is a very serious issue. If you can’t update for whatever reason, employ the use of a Website Firewall, at a minimum, and stop the attackers before they get in.

The Payload

We are lucky because the volume of infected websites we see daily allows us to analyze and clean hundreds of websites which then allows us to establish processes that escalate cases if they trigger specific similarities. It’s part of our pattern recognition process. It’s at this point that our Research team gets involved to better understand the cause and introduce new solutions to 1) clean it faster and 2) see if there is something we can do to get ahead of it (it’s what leads to these posts).


Vulnerability found in the All in One SEO Pack WordPress Plugin

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.

It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week that may affect any website running it.

The risks

If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now.

While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.

In the first case, a logged-in user without any kind of administrative privileges (such as an author or subscriber) could add or modify certain parameters used by the plugin. These include the post's SEO title, description and keyword meta tags, all of which could decrease a website's Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one's hurt at this point, right?), we also discovered this bug can be combined with another vulnerability to execute malicious JavaScript code in an administrator's control panel. This means that an attacker could potentially inject any JavaScript code and do things ranging from changing the admin's account password to leaving a backdoor in your website's files in order to conduct even more "evil" activities later.

How to prevent this from happening

We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.

In the event where you could not do this, we highly recommend you to have a look at our CloudProxy WAF which has been updated to protect our customers from this threat.

WordPress Themes: XSS Vulnerabilities and Secure Coding Practices

As many might imagine, my life revolves around Information Security. If you're like me, you're undoubtedly seeing all these new posts talking about insecurities in WordPress themes, specifically a plethora of Cross-Site Scripting (XSS) vulnerabilities. Surprise, surprise, right? Yeah, no, not so much.

WordPress Theme XSS Vulnerabilities

Here are some of the posts I am referring to:
