We get thousands of spam and phishing emails daily. We use good spam filters (along with Gmail) and that greatly reduces the noise in our inbox. Today though, one slipped through the crack and showed up in my personal inbox:
As I went to mark the email as Spam, I decided to hover over the link. I saw that it was pointing to a compromised WordPress website and the phishing page was hidden inside wp-includes: httx://www.uncannyhawaii. com/wp-includes/js/lexx/loading.htm.
We detect and remediate thousands of compromised WordPress websites every month, most are used for spam and malware distribution; and many often demonstrate some sign of Phishing abuse. We have talked about Phishing before as well, it is always hard to detect remotely because the attacker is able to hide the payload anywhere in the site. They hide it in sub-folders that are not linked from the main pages. This causes our SiteCheck scanner to overlook them, making it impossible to see. We rely heavily on our server-side scanning to detect Phishing pages, but prospective clients would not have access to it.
This prompted further investigation, mostly because I was curious of what I would find. As soon as you click on the phishing link you see a fake Gmail login page, just like this one:
This is not uncommon, we have seen this before. The attacker records the users username and password, send it back to the Command and Control (C&C) node and responds to the browser with a not-available page. The user is often non the wiser, assumes there is a time out in the service and goes about their business. Once they realize what has happened, there is often little they can do, the compromise has occurred.
This user name / password combination makes it’s way onto a user / password list that can later be sold or attacked by the hacker.
The kicker to this story is that the the website owner is likely unaware of how their website is being abused and misused. This is in all too common trend these days. Attackers have an arsenal of options once they gain entry to your website, what you see is often only 10% of the problem.
To illustrate the impact and correlation between Phishing attacks and more traditional Malware attacks we can take a quick look at the Google Transparency report:
What you see in this report is a gradual increase in daily detection of Phishing pages by the Google Safe Browsing team. In 2008 there were approximately 3,000 Phishing pages detected a day, today you’re looking at 23,000 plus. The problem is growing exponentially each year.
Not a unique Story
As is often the case when I find something interesting, I rallied the research team for some hunting. We spent some more time going through our spam folders, in an effort to compile a list of WordPress specific websites that had been compromised.
Within minutes, we were able to find hundreds of compromised WordPress sites being used, here is a very small subset of the ones we found:
As you can see, the attackers are able to somehow compromise these sites and hide Phishing directories in a variety of locations inside wp-includes and wp-content.
How are these sites getting hacked?
That’s always the first question that people ask us. We analyzed all the WordPress sites we found and 73% of them were updated (either running 3.9.2 or 4.0).
The other 20+% were running some old versions of WordPress (some still on the 2.x branch).
So the question goes, if these sites are updated, how are they still getting hacked? We obviously didn’t have server or log access to do a full audit, and the sites seem to be located on different hosting providers.
So we put one of our researchers to work, Joseph Herbrandson. His goal was simple, find the common denominator. What he found was that a very high percentage of them were running a vulnerable WordPress plugin, whether it suffered from Remote Command Execution, SQL Injection or any of the variety of software vulnerabilities we love to chat about. They included out of date versions of contact-form-plugin, feed<, contact-form-7 and the list goes on.
While it’s impossible to confirm, it would seem that the point of entry is most likely attributed to the exploitation of software vulnerabilities (granted without access we might never know). This would leave us to believe that attackers are employing their exploit arsenal against known vulnerabilities in the hopes that something sticks, and when they do, they go about doing their business to gain access to the environment.
Some of the attackers were not very careful and left their tools behind (in zip files). We are able to find a couple of email addresses being used to receive the credentials:
If you see anything in your mail logs to (or from them), you know someone fell victim to the phishing lure.
As we stated in the beginning, detecting phishing is very hard to do remotely via a website scanner. As you can see in some of the examples, the phishing is hidden inside directories like “wp-content/uploads/2014/04/wash/” that are not linked on the main site. That’s why if you have a phishing, our free SiteCheck scanner will not flag it.
We leverage server-side scanning for our clients, where we go through each file and directory to try to identify hidden phishing, backdoors and other types of injections that are not linked within the site. That way we do not have to rely on 3rd party blacklists or email honeypots to see if a site is being exploited. Our Website Firewall also blocks access to phishing files and prevent them from being used.