This entry was posted in Ask Wordfence, WordPress Security on March 14, 2018 by Dan Moen
This question came in from Keith, a Premium Wordfence customer. We’ve dealt with this question a few times in different ways on the blog, but pulling it all together sounds like a great post. Let’s dive in!
At a high level, an attacker views a vulnerable website as a juicy collection of resources that they can steal or exploit:
- It’s backed by a server that they can use to run their own programs
- It’s connected to the internet and likely has a squeaky-clean reputation
- It might include interesting user data
- It probably has traffic coming to it
- It is likely important to you
Most of the time, they use those resources to make money. And they continue to find new creative ways to make a buck.
Using Your Server to Run Their Own Programs
If you’re running a WordPress site, your web server is most likely a fully functioning Linux server with MySQL and PHP installed. Depending on your hosting situation, it may also have a meaningful amount of processing power.
In December, we wrote about a massive cryptomining campaign targeting WordPress sites. In the most intense period of attacks we had ever recorded, an attacker was compromising sites and using them to both attack other WordPress sites and to mine for Monero, a cryptocurrency that can be mined efficiently using web server hardware.
I encourage you to read the article if you haven’t already. We were able to identify how the attackers were controlling the compromised servers and discovered evidence that they had earned almost $100k via their mining efforts.
Leveraging Your Reputation
In November, we wrote about the fact that your site reputation makes you a target. I encourage you to read it along with the post that inspired it, by Troy Hunt.
Hosting Phishing Pages
A phishing page is one that attempts to fool you into sharing sensitive information, like your password, credit card number or social security number. An example of a phishing page is a fake login page that gives you the impression you are on, for example, the GMail login screen. You enter your credentials and the attacker logs them and can now sign into your real GMail account and steal data.
In January 2017, we wrote about a new and highly effective GMail phishing technique that was having a wide impact.
Your site has a squeaky clean reputation. When attackers host phishing pages on your site, services like Google Safe Browsing that would normally warn users about suspicious websites won’t know to alert visitors to the danger of the phishing page hosted on your site.
Hosting Spam Pages and Injecting Spammy Links
Your site is legitimate, so search engines like Google assume that your content, including outbound links, is also legitimate. Attackers love to plant SEO spam in the form of pages and links on your site, boosting SEO rankings for their malicious businesses.
A great example of this is the supply chain attack we discovered back in September that spanned 4.5 years and impacted 9 WordPress plugins. In our blog post about this SEO spam campaign, we exposed how someone purchased the plugins and then used them to embed spammy links in the sites that were running them. The attacker used these links to improve search engine rankings for websites offering payday loans, escort services and other shady things.
It’s important to remember that while your site alone isn’t capable of boosting an attacker’s SEO results, thousands of compromised sites can really move the needle.
Sending Spam Email
Getting spam email past spam filters is a difficult endeavor. Email clients use myriad techniques to identify and block spam. Almost all spam filters rely on IP blacklists to block everything from IPs known to send spam.
That’s where your web server comes in. Not only does your server have all of the hardware and software spammers need, but the reputation of your IP is likely perfect. By sending spam from your web server, cybercriminals have a much better chance of getting their spam delivered.
Eventually, spam filters pick up on what is happening and blacklist your IP as well, so the attacker simply moves on to the next victim, leaving the reputation of your IP address in ruins.
Attacking Other Sites
Sometimes attackers will compromise WordPress sites in order to attack additional sites. We saw hackers use this approach in the cryptocurrency mining attack we discussed earlier in this article, where an attacker was controlling a botnet made up of thousands of other people’s WordPress sites that were simultaneously mining for cryptocurrency and attacking other websites. Your website is an attractive attack platform because your IP address is likely not on any blacklists.
Hosting Malicious Content
Hackers will sometimes use your web server to host malicious files that they can call from other servers. They are essentially using your hosting account as a file server.
Leveraging Your Site Traffic
One very common thing attackers do with hacked websites is add redirects to the content. Visitors to your site don’t even have to click on a hyperlink to visit the spam site: the redirect will just take them there directly. In some cases, attackers will go so far as to redirect all of your traffic to malicious sites. But in most cases, they employ measures to avoid detection, only redirecting traffic to specific URLs or for specific browsers or device types.
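Because these redirects are selective, loading your own site in your usual browser often shows nothing wrong. The following check, an added example that is not Wordfence code, requests one page as several visitor profiles (direct desktop visit, mobile visitor arriving from a search engine, crawler) and flags the case where only some of them are sent off-site. The profile headers and the `spam.example` host in the comments are constructed placeholders; `fetch` is whatever transport you supply, and a urllib one is included.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Added example (not Wordfence code). Visitor profiles are constructed; an
# attacker keying on User-Agent or Referer will treat these differently.
PROFILES = {
    "desktop-direct": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0"},
    "mobile-from-search": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) Safari/604.1",
                           "Referer": "https://www.google.com/"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}

# Redirects injected into page content rather than sent as HTTP 3xx responses.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def redirect_target(status, headers, body):
    """Where this response sends the visitor (Location header, meta refresh or JS), or None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return hdrs["location"]
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return m.group(1) if m else None

def check_cloaked_redirects(url, fetch):
    """Return (suspicious, {profile: target}).

    Suspicious means the profiles disagree AND at least one of them is sent to another
    host. A redirect that every profile gets (e.g. to www.) is normal and not flagged.
    """
    site = urlparse(url).netloc.lower()
    targets = {}
    for name, profile_headers in PROFILES.items():
        status, headers, body = fetch(url, profile_headers)
        targets[name] = redirect_target(status, headers, body)
    off_site = any(t and urlparse(t).netloc and urlparse(t).netloc.lower() != site
                   for t in targets.values())
    return off_site and len(set(targets.values())) > 1, targets

def urllib_fetch(url, headers):
    """Real transport. Redirects are NOT followed so the Location header stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=15)
        return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx and 4xx/5xx arrive here
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")
```

Run it as `check_cloaked_redirects("https://your-site.example/", urllib_fetch)` against a few of your own URLs; a `True` result is a strong signal to inspect the theme, plugin and `.htaccess` files for injected redirect code.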
In some cases, the attacker just wants to get their message out. By taking over your website, they are able to reach your website visitors, at least until you figure out what they’ve done. Attacks of this nature often represent a political movement or are just looking for “street cred” in the hacker community.
In February last year, we saw a huge WordPress defacement campaign that exploited a WordPress REST API vulnerability. It grew at incredible speed over a period of days, and after just 24 hours we had tracked 19 separate attack campaigns significantly impacting WordPress sites.
One especially nefarious way attackers monetize hacked websites is to use them to spread malware. They install website malware that in turn installs malware on your visitors’ computers or devices when they visit your site.
For a site owner this is especially scary: not only do you risk having your site flagged by search engines and other blacklists, but your visitors are not going to be happy with you. Your reputation, both online and with your site visitors, could be damaged for a long time. In addition, a hacked website can have a long-term negative impact on your search engine rankings.
Even if you don’t accept credit cards on your site, an attacker may still find valuable data to steal. For example, if you capture other data via forms on your site, there might be something there worth taking. Additionally, attackers can use stolen username and password pairs to try to log in to other sites.
We’ve learned over the years that websites almost always represent something that matters to people, even if it’s not a business site. Unfortunately, cybercriminals have, too. Last year we wrote about a ransomware attack campaign targeting WordPress sites. While we haven’t seen much of this lately, we believe the threat of WordPress ransomware will continue and will increase in future.
Regardless of the size of your website audience or the cost of your hosting plan, criminals will happily find a way to monetize it if they can break in. Luckily, you don’t need to be a security expert to keep your site safe. With a little knowledge and Wordfence Premium, you should be able to stay a step ahead of attackers.