The Best Reason to use a Professional WordPress Developer

wordpress-locked

Thousands of WordPress sites backdoored with malicious code

Malicious code redirects users to tech support scams, some of which use new “evil cursor” Chrome bug.

 


Thousands of WordPress sites have been hacked and compromised with malicious code this month, according to security researchers at Sucuri and Malwarebytes.

All compromises seem to follow a similar pattern –to load malicious code from a known threat actor– although the entry vector for all these incidents appears to be different.

Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.

Also: Access to over 3,000 backdoored sites sold on Russian hacking forum

When they gain access to a site, they plant a backdoor for future access and make modifications to the site’s code.

In most cases, they modify PHP or JavaScript files to load malicious code, although some users have reported seeing modifications made to database tables as well.

Malwarebytes security researcher Jérôme Segura said this malicious code filters users visiting the compromised sites and redirects some to tech support scams.

CNET: How to avoid tech support scams

He says some of the traffic patterns seen during the redirection process match the patterns of a well-known traffic distribution system used by several malware distribution campaigns.

Segura also said that some of tech support scams that users are landing on are using the “evil cursor” Chrome bug to prevent users from closing the malicious site’s tab, a trick that the researcher first spotted last week.

TechRepublic: Why that email from your boss could be a scam waiting to happen

This WordPress site hijacking campaign appears to have started this month, according to Sucuri, and has intensified in recent days, according to Segura.

Googling just one of the pieces of the malicious JavaScript code added to the hacked WordPress sites reveals just a small portion of the total number of hacked sites. In this case, this string search yielded over 2,500 results, including a corporate site belonging to Expedia Group, the parent company behind the Expedia portal.

wp-spam-campaign.png

Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.

While Sucuri did not find confirm that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence’s telemetry.

It’s time to update WordPress

update-wordpress

WordPress 4.9.1 Security and Maintenance Release

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on html elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Thank you to the reporters of these issues for practicing responsible security disclosureRahul Pratap Singh and John Blackbourn.

Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were:

  • Issues relating to the caching of theme template files.
  • A MediaElement JavaScript error preventing users of certain languages from being able to upload media files.
  • The inability to edit theme and plugin files on Windows based servers.

This post has more information about all of the issues fixed in 4.9.1 if you’d like to learn more.

Spearhead Multimedia clients, as well as all Wordpress users, may contact us to perform the update for you.

Always hire a professional.

hacked-wordpress-site
hacked-wordpress-site

When an inexperienced person attempts to build a website, this can easily happen.

The old adage, “You get what you pay for.” came into play recently when a potential client contacted us after deciding to let some cheapo “web developers” build her site.  They not only built a horribly bad looking, difficult to navigate site, they did nothing for security.  The result:  A site that is now distributing malware.  To top it off, it’s hosted on GoDaddy antique servers and probably infiltrating even deeper.  There are certain things of which you should not take the cheap route, you’ve all heard it before.  When you cheap with how you represent yourself and/or your business, it never does anyone any good.  Buy smart, do your research.

Font Resize