Incident Response, TDR

Compromised WordPress sites increasingly used for phishing


Compromised WordPress websites are increasingly being used to serve up phishing pages – many of which go after credentials.

Citing Google's transparency report for unsafe websites in a Monday post, security company Sucuri noted how the number of phishing sites detected per week has jumped from about 3,000 in 2008 to more than 26,000 in 2014.

In a Wednesday email correspondence, Tony Perez, CEO of Sucuri, told that the numbers directly correlate with the large growth of website properties.

“In 2008 we had a fraction of the websites that exist today,” Perez said. “The more websites, the more infections; as the number continues to rise, so will the infection rates. A contributing factor to this is the explosion of CMS applications like WordPress, Joomla and so many others.”

On Monday, Daniel Cid, CTO of Sucuri, received a rather generic phishing email asking him to “Click Here” to sign in and view a “Gdoc,” according to the post. After hovering over the link, he noticed it led to a compromised WordPress site with a phishing page hidden inside ‘wp-includes.'

Curiosity prompted him to investigate further; Cid clicked on the link and was taken to a fairly authentic looking, yet fake Google login page, he wrote in the post, explaining that entered credentials would likely be sent back to the attackers.

These types of phishing pages are typically hidden in sub-folders and not linked to from main pages, making the attack hard to detect, Cid wrote. He told in a Wednesday email correspondence that victims will generally land on these pages via phishing emails.

Cid asked a bigger question – why are all these WordPress sites getting compromised in the first place?

The Sucuri team compiled a list of hundreds of compromised WordPress websites used to host fake login pages for eBay, PayPal, FedEx, Halifax, Alibaba and other financial institutions, according to the post. The phishing pages are typically hidden in various locations inside ‘wp-includes' and ‘wp-content.'

An analysis of the WordPress sites revealed that 73 percent had been updated to the latest versions – either 3.9.2 or 4.0 – so that was not the issue, the post indicates.

Further investigation revealed that a high percentage of the websites were running vulnerable plugins, such as Contact Form and Contact Form 7, according to the post, which explains that this opens the door to remote command execution, SQL injection and other attacks.

WordPress sites are compromised more so than other platforms because, with 23 percent market share, it is the biggest target, Perez said.

“The two main vectors afflicting the WordPress platforms can be boiled down to abuse of Access Control – think improper or poor username [and] password combinations – and software vulnerabilities,” Perez said.

Cid said WordPress site operators need to take security more seriously.

“We clean and work on hundreds of compromised sites every day, and we keep seeing the same issues: bad passwords, outdated software, bad access control, no backups, lack of basic security measures [such as] firewalls and things like that,” Cid said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.