Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label WordPress. Show all posts
WordPress
Hacking Internet Plugins Technology Website WordPress

Hackers Exploit WordPress Sites to Attack Mac and Windows Users


According to security experts, threat actors are abusing out-of-date versions of WordPress and plug-ins to modify thousands of sites to trap visitors into downloading and installing malware.

In a conversation with cybersecurity news portal TechCrunch, Simon Wijckmans, founder and CEO of the web security company c/side, said the hacking campaign is still “very much live”.

Spray and pray campaign

The hackers aim to distribute malware to loot passwords and sensitive data from Mac and Windows users. According to c/side, a few hacked websites rank among the most popular ones on the internet. Reporting on the company’s findings, Himanshu Anand believes it is a “widespread and very commercialized attack” and told TechCrunch the campaign is a “spray and pray” cyber attack targeting website visitors instead of a specific group or a person.

After the hacked WordPress sites load in a user’s browser, the content immediately turns to show a false Chrome browser update page, asking the website visitor (user) to download and install an update to access the website, researchers believe. 

Users tricked via fake sites

When a visitor agrees to the update, the compromised website will ask the user to download a harmful malware file disguised as the update, depending on whether the visitor is a Mac or Windows user. Researchers have informed Automattic (the company) that makes and distributes Wordpress.com about the attack campaign and sent a list of harmful domains. 

According to TechCrunch, Megan Fox, spokesperson for Automattic, did not comment at the time of press. Later, Automattic clarified that the security of third-party plugins is the responsibility of WordPress developers.

“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users,” Ms Fox told TechCrunch. “Authors have access to a Plugin Handbook which covers numerous security topics, including best practices and managing plugin security,” she added. 

C/side has traced over 10,000 sites that may have been a target of this hacking campaign. The company found malicious scripts on various domains by crawling the internet, using a reverse DNS lookup to find domains and sites linked with few IP addresses which exposed a wider number of domains hosting malicious scripts. TechCrunch has not confirmed claims of C/side’s data, but it did find a WordPress site showing malicious content earlier this week.

Read more »
WordPress
CMS Cyber incidents Cyber Security Cyberattacks CyberCrime CyberThreat database Magento WordPress

Sophisticated Credit Card Skimmer Malware Targets WordPress Checkout Pages

 


Recent cybersecurity reports have highlighted a new, highly sophisticated credit card skimmer malware targeting WordPress checkout pages. This stealthy malware embeds malicious JavaScript into database records, leveraging database injection techniques to effectively steal sensitive payment information. Its advanced design poses significant risks to e-commerce platforms and their users. 
  
Widespread Impact on E-Commerce Platforms 
 
Multiple content management systems (CMS), including WordPress, Magento, and OpenCart, have been targeted by the Caesar Cipher Skimmer. This web skimmer enables the theft of payment data, threatening the financial security of businesses and consumers alike. 

Web skimmers are malicious scripts injected into e-commerce websites to collect financial and payment transaction details. According to cybersecurity firm Sucuri, a recent attack involved modifying the "form-checkout.php" file in the WooCommerce plugin to steal credit card information.
  • Consequences: Financial losses, reputational damage, and legal expenses.
  • Detection Difficulty: Often remains unnoticed until after the damage has occurred.

Signs of a compromised WooCommerce site include customer reports of stolen credit card details. This typically suggests malware capable of skimming customer credentials, warranting immediate investigation and remediation. 

On May 11, 2024, Sucuri identified a campaign misusing the "Dessky Snippets" WordPress plugin, which allows users to add custom PHP code. With over 200 active installations, the plugin was exploited by threat actors to inject malicious PHP code for credit card theft.
  • Attack Vectors: Exploiting plugin vulnerabilities and weak admin credentials.
  • Further Exploitation: Installing additional plugins to escalate malicious activities.
Database-Level Malware Infiltration 

Using the Dessky Snippets plugin, attackers deployed server-side PHP malware that embedded obfuscated JavaScript in the WordPress database.
  • Location: Stored in the wp_options table under widget_block.
  • Activation Trigger: Executes on pages containing "checkout" in the URL, avoiding pages with "cart."
Stealth and Strategic Execution The malware activates only during the final transaction stage, intercepting sensitive financial data without disrupting the user experience.
  • Integration: Utilizes existing payment fields to avoid detection.
  • Stealth Tactics: Remains hidden from standard file-scanning tools.

To conceal its activities, the malware encrypts stolen data using Base64 encoding and AES-CBC encryption. The encrypted data is discreetly sent to attacker-controlled servers via the navigator.sendBeacon function, ensuring stealthy exfiltration without alerting users or administrators. Severe Security Implications This malware poses a critical threat by covertly harvesting sensitive payment information, including credit card numbers and CVV codes.
  • Potential Risks: Fraudulent transactions, identity theft, and illegal data sales.
  • Impact on Businesses: Financial losses, legal liabilities, reputational damage, and erosion of customer trust.
Mitigation and Security Best Practices 
 
To counter such threats, e-commerce platforms must implement robust cybersecurity measures:
  • Regular monitoring of website activity for unusual behavior.
  • Timely updates of all plugins and platform software.
  • Proactive vulnerability management and penetration testing.
  • Strong admin credentials and limited plugin installations.
Staying vigilant and proactive in cybersecurity practices is essential to safeguarding sensitive customer data and maintaining the integrity of e-commerce operations.
Read more »
WordPress
fake websites Financial Fraud phishing PhishWP WordPress

Hackers Use PhishWP to Steal Payment Info on WordPress Sites

 



Cybersecurity researchers have uncovered a malicious WordPress plugin called PhishWP that transforms legitimate websites into tools for phishing scams. This plugin allows attackers to set up fake payment pages mimicking trusted services like Stripe, tricking users into divulging sensitive details, including credit card numbers, expiration dates, billing information, and even one-time passwords (OTPs) used for secure transactions. 


How PhishWP Works

PhishWP works by setting up fake WordPress sites or hacking into legitimate ones. It then generates phishing checkout pages that closely mimic real payment interfaces. Victims receive this interface with false site addresses, where they enter sensitive financial information, including security codes and OTPs.

The stolen data is sent to attackers in real time because the plugin integrates with Telegram. Therefore, attackers can use or sell the information almost immediately. The browser details captured by PhishWP include IP addresses and screen resolutions, which attackers can use for future fraudulent activities.


Key Features 

What has made the phishing plugin more advanced is that it ensures operations are seamless and almost undetectable. 

Realistic Payment Interfaces: The plugin mimics the appearance of trusted services like Stripe.  

3D Secure Code Theft: It fetches the OTP sent to everyone in the verification processes to successfully process fraudulent transactions.

Real-time Data Transfer: Telegram is used to send stolen information to attackers in real time.  

Customizable and Worldwide: Multi-language support and obfuscation features enable phishing attacks across the globe.  

Fake Confirmations: Victims receive fake emails that confirm purchases, which delays the suspicion.  


Step-by-Step Analysis  

1. Setup: Attackers either hack a legitimate WordPress site or create a fake one.

2. Deceptive Checkout: PhishWP personalizes payment pages to resemble actual processors. 

3. Data Theft: Victims unknowingly provide sensitive information, including OTPs. 

4. Exploitation: The stolen data is immediately sent to attackers, who use it for unauthorized transactions or sell it on dark web markets.


How to Protect Yourself

To avoid falling victim to threats like PhishWP:  

1. Verify website authenticity before entering payment details.  

2.  Look for secure connections (HTTPS) and valid security certificates.  

3. Use advanced tools like SlashNext’s Browser Phishing Protection, which blocks malicious URLs and identifies phishing attempts in real time.

Protecting your personal and financial data begins with understanding how cyberattacks work, don’t let hackers take the upper hand.



Read more »
WordPress
ClearFake infostealers Plugins Vulnerabilities and Exploits WordPress

Infostealer-Injecting Plugins infect Thousands of WordPress Sites

 

Hackers are using WordPress sites to install malicious plugins that propagate malware that steals information by displaying fake updates and errors.

Infostealing malware has become a global nuisance for security defenders in recent years, as compromised credentials are used to infiltrate networks and steal data. 

Since 2023, a malicious campaign known as ClearFake has been used to display bogus web browser update banners on compromised sites that spread data-stealing malware. 

A new campaign named ClickFix was launched in 2024; it is quite similar to ClearFake, but it poses as software error warnings with fixes included. These "fixes" are actually PowerShell scripts that, when executed, will download and install malware that steals data. 

This year has seen a rise in ClickFix attacks, in which threat actors hack websites to show banners displaying fake issues for Facebook, Google Meet conferences, Google Chrome, and even captcha pages. 

Malicious WordPress plugins

Last week, GoDaddy disclosed that the ClearFake/ClickFix threat actors had infiltrated over 6,000 WordPress sites, installing malicious plugins that displayed the fake alerts associated with these operations. 

"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," notes GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users.” 

Sucuri, a website security firm, has also identified a fraudulent plugin called "Universal Popup Plugin" as part of this operation. When installed, the malicious plugin will hook into various WordPress activities, depending on the type, and inject a malicious JavaScript script into the site's HTML.

Sinegubko's analysis of web server access logs indicates that the threat actors are using stolen admin credentials to enter into the WordPress site and install the plugin in an automated manner. Threat actors log in with a single POST HTTP request rather than first accessing the site's login page. This shows that the process is automated after the credentials have been received. 

Although it's unknown how the threat actors are getting the credentials, the researcher points out that it might be through information-stealing malware, phishing, and brute force attempts in the past.
Read more »
WordPress
DarkCracks malware Obfuscation Technique phishing WordPress

DarkCracks Malware Exploits Vulnerabilities in GLPI and WordPress Systems


 

A malware framework named DarkCracks has been identified by cybersecurity experts from QiAnXin. This newly discovered threat takes advantage of weaknesses in GLPI, an IT asset management system, and WordPress websites. DarkCracks has raised alarm due to its ability to remain hidden and undetected by most antivirus programs, posing a risk to users and businesses relying on these platforms.

DarkCracks operates as a highly advanced malware framework, designed to exploit vulnerable systems over a prolonged period. Instead of merely infecting devices, it uses them as Launchers to deploy additional malicious components. Attackers gain entry by targeting compromised public websites, such as school networks or transportation systems, turning them into platforms to spread malware to other unsuspecting users.

Once attackers infiltrate a server, they initiate a multi-phase attack by uploading files that execute further malicious tasks. These components are responsible for gathering sensitive data, maintaining long-term access, and keeping control over the infected systems under the radar of most cybersecurity defences. The malware is designed for long-term exploitation, adapting to changes and remaining operational even when parts of it are detected and removed by security measures.

What makes DarkCracks particularly dangerous is its ability to evade detection for extended periods. Some of its elements have managed to stay hidden for over a year, avoiding detection by even the most sophisticated cybersecurity tools. Despite QiAnXin’s analysis, some core elements, including the Launcher, remain unidentified, making it extremely challenging for IT teams to fully neutralise the threat.

Adding to the complexity, DarkCracks employs a backup system that uses a three-layer URL verification technique. This ensures the malware can continue operating even if its primary servers are taken down, providing resilience and making it harder for cybersecurity teams to disrupt its activities.

Possible Phishing Attacks on Korean Users

In a unique finding, researchers uncovered a file titled “Kim Young-mi’s Resume” in Korean, suggesting that the attackers may be using spear-phishing techniques to target users in Korea. This file, discovered on one of the compromised servers, indicates that attackers could be tailoring their phishing efforts to specific regions, a method that could increase their chances of success in gaining unauthorised access.

The DarkCracks campaign came to light in June 2024 when an unusual amount of network traffic was observed from an IP linked to a compromised GLPI server. The investigation revealed that cybercriminals had already uploaded malicious files onto compromised servers, using techniques like encryption and obfuscation to mask their activities.

How to Defend Against DarkCracks

To protect against this emerging threat, cybersecurity experts are urging organisations, particularly those using GLPI or WordPress, to take immediate precautions. Key recommendations include regularly updating all software and systems to ensure that known vulnerabilities are patched. This can help prevent the malware from exploiting security holes.

In addition, IT teams are advised to monitor network traffic for unusual activity, including unexpected connections to external servers. Frequent security audits can also help identify unauthorised file uploads or suspicious activities within the system. Advanced detection tools capable of recognizing the layered obfuscation techniques used by DarkCracks are also essential in preventing and identifying these stealthy attacks.

By implementing these defensive strategies, businesses can reduce their risk of falling victim to the DarkCracks malware and protect their systems from long-term exploitation.


Read more »
WordPress
Critical security flaw Cyber Attacks Data Theft WordPress

Critical Security Flaw Discovered in LiteSpeed Cache Plugin for WordPress

 

A major security vulnerability has been uncovered in the LiteSpeed Cache plugin, used on over 5 million WordPress websites worldwide. The flaw, identified as CVE-2024-44000, was discovered by Rafie Muhammad, a security researcher at Patchstack. Rated with a CVSS score of 9.8, the vulnerability poses a severe threat to WordPress users by allowing unauthorized individuals to take control of logged-in accounts, including those with administrative access. 

LiteSpeed Cache is primarily known for its role in improving website performance by caching and optimizing site content. However, this recent flaw creates an alarming situation where attackers can hijack user sessions and potentially gain full control over a website, including administrative privileges. Once attackers obtain admin-level access, they can upload malicious plugins, alter site functionality, or even take down the website entirely, causing long-term damage.

The vulnerability is linked to the plugin’s debug log feature, which inadvertently leaks sensitive HTTP response headers, including "Set-Cookie" headers. If this feature is enabled or was previously active, attackers can exploit the flaw by accessing the /wp-content/debug.log file, hijacking user sessions. 

The issue arises when HTTP response headers, including session cookies, are written into the debug log file. If this file is not deleted after the debug feature is disabled, it remains vulnerable to exploitation. Attackers can access the file and use the data to gain control of user sessions. 

For the exploit to succeed, two conditions must be met: the debug log feature must be active or previously enabled, and attackers must be able to access the debug log file. In response, LiteSpeed has issued a patch in version 6.5.0.1. They also recommend users implement stricter .htaccess rules to block access to log files and delete any old debug logs that could contain sensitive information.
Read more »
WordPress
Cache Plugin Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat LitesSpeed Patchstack Vulnerabilities WordPress

Critical LiteSpeed Cache Plugin Flaw CVE-2024-28000 Sparks a Surge in Cyberattacks

 


According to cyber security researchers, there is a critical security flaw in the LiteSpeed Cache plugin for WordPress that users can exploit without authentication to gain administrative privileges on the site. It is an all-in-one site acceleration plugin that features an exclusive server-level cache along with a suite of optimization features designed to make the websites more efficient with LiteSpeed Cache for WordPress. As a WordPress Multisite plugin, LowSide supports a wide range of plugins, including WooCommerce, bbPress, and Yoast SEO, for the best possible experience. 

There is no compatibility issue with ClassicPress when using LiteSpeed Cache for WordPress. In LiteSpeed Cache, which comes bundled with WordPress, there is a critical vulnerability that can allow attackers to take full control of millions of sites once a rogue admin account is created. This is an open-source and almost universally popular WordPress site acceleration plugin with over 5 million active installations, and it also supports WooCommerce, bbPress, ClassicPress, and Yoast SEO. It is available as a free download. 

In LiteSpeed Cache versions 6.3.0.1 and earlier, the plugin's user simulation feature has an unauthenticated privilege escalation vulnerability (CVE-2024-28000). As a result of this vulnerability, the highest bounty has been awarded in the history of bug bounty hunting for WordPress. This researcher has been rewarded USD 14,400 in cash through the Patchstack Zero Day program as part of this award. It would be great if anyone else interested in joining the community as well would be able to benefit from the program. 

This vulnerability has been automatically protected for all Patchstack users who have enabled protection, so they are no longer at risk. For only $5 per site per month, Patchstack offers a free Community account, where users can scan for vulnerabilities and apply protection for only $5 / site per month by creating a PatchStack account. It is the plugin's user simulation feature that is vulnerable to the vulnerability, as it uses a weak security hash as part of its security process. 

It must be said that the hash value is generated by using an insecure random number generator and the value is stored without being salted or related to a particular request made by the user.  The Patchstack security research tool warns that the hash is relatively easy to guess due to the limited number of possible values, which allows attackers to iterate through all possible hashes to discover the appropriate one and to simulate a user who is an administrator. 

This vulnerability affects all versions of the LiteSpeed Cache plugin for WordPress, from version 6.3.0.1 onwards. In addition, the plugin is susceptible to privilege escalation attacks. Certainly! Here is the rewritten information in a formal, expanded, and third-person tone: --- The security vulnerability identified as CVE-2024-28000 in the LiteSpeed Cache plugin has been linked to a critical issue concerning the improper restriction of role simulation functionality. This flaw allows a user with access to a valid hash—discoverable through debug logs or susceptible to brute-force attacks—to alter their current user ID to that of an administrator. 

This, in turn, enables unauthenticated attackers to impersonate an administrator and utilize the `/wp-json/wp/v2/users` REST API endpoint to create a new user account with administrative privileges. The vulnerability is present in all versions of the LiteSpeed Cache plugin up to and including version 6.3.0.1. The vulnerability was addressed in LiteSpeed Cache version 6.4, released on August 13, 2024. Website administrators utilizing the plugin are strongly advised to update to this latest version to prevent exploitation. 

The urgency of this update is underscored by a report from Wordfence, a leading WordPress security provider, which disclosed that over 30,000 attacks targeting CVE-2024-28000 were blocked within a single day. This surge in attacks illustrates the swift adoption of this exploit by cybercriminals, who are leveraging the vulnerability to compromise WordPress installations. Currently, the attacks are predominantly directed at non-Windows-based WordPress sites. This is because the vulnerability exploits a PHP method called `sys_getloadavg()`, which is not available on Windows systems. 

Consequently, while Windows-based WordPress installations are not vulnerable to this specific exploit, other systems remain at significant risk. The flaw was reported to Patchstack's bug bounty program by security researcher John Blackbourn on August 1, 2024. The LiteSpeed development team promptly created and released a patch with LiteSpeed Cache version 6.4 on August 13. Successful exploitation of this vulnerability can grant unauthenticated visitors administrator-level access, potentially allowing them to fully control compromised websites. 

This control includes installing malicious plugins, altering critical settings, redirecting traffic to harmful sites, distributing malware to visitors, or stealing user data. Additionally, in June 2024, the Wordfence Threat Intelligence team reported that a threat actor had compromised at least five plugins on WordPress.org, adding malicious PHP scripts to enable the creation of administrator accounts on affected websites. 

To protect against this vulnerability, Wordfence Premium, Wordfence Care, and Wordfence Response users were provided with a firewall rule effective from August 20, 2024. Users of the free version of Wordfence will receive similar protection starting on September 19, 2024.
Read more »
Wordpress Security
data security email spam Plugins Vulnerabilities and Exploits Website Hacking WordPad Vulnerability WordPress Wordpress Security

WordPress Vulnerabilities, Exploiting LiteSpeed Cache and Email Subscribers Plugins

 

In recent cybersecurity developments, hackers have been leveraging a critical vulnerability within the LiteSpeed Cache plugin for WordPress to exploit websites running outdated versions. LiteSpeed Cache, a popular caching plugin utilized by over five million WordPress sites, is designed to enhance page load times, improve user experience, and boost search engine rankings. 

However, security experts at Automattic's security team, WPScan, have observed a significant increase in malicious activities targeting WordPress sites with versions of the LiteSpeed Cache plugin older than 5.7.0.1. The vulnerability in question, tracked as CVE-2023-40000, is a high-severity unauthenticated cross-site scripting flaw. 

Attackers are taking advantage of this vulnerability to inject malicious JavaScript code into critical WordPress files or the database of vulnerable websites. By doing so, they are able to create administrator-level user accounts with specific names like 'wpsupp-user' or 'wp-configuser.' Additionally, the presence of certain strings, such as "eval(atob(Strings.fromCharCode," within the database, serves as an indicator of an ongoing compromise. 

Despite efforts by many LiteSpeed Cache users to update to newer, non-vulnerable versions, an alarming number of sites—up to 1,835,000—still operate on outdated releases, leaving them susceptible to exploitation. In a separate incident, hackers have turned their attention to another WordPress plugin called "Email Subscribers," exploiting a critical SQL injection vulnerability, CVE-2024-2876. 

This vulnerability, affecting plugin versions 5.7.14 and older, allows attackers to execute unauthorized queries on databases, thereby creating new administrator accounts on vulnerable WordPress sites. Although "Email Subscribers" boasts a significantly lower number of active installations compared to LiteSpeed Cache, with approximately 90,000, the observed attacks highlight the opportunistic nature of cybercriminals. 

To address these threats effectively, WordPress site administrators are urged to promptly update plugins to the latest versions, remove unnecessary components, and remain vigilant for signs of suspicious activity, such as the sudden creation of new admin accounts. In the event of a confirmed breach, comprehensive cleanup measures are essential, including the deletion of rogue accounts, password resets for all existing accounts, and the restoration of clean backups for both the database and site files. By staying proactive and implementing robust security practices, website owners can minimize the risk of falling victim to such malicious activities and safeguard their online assets effectively.
Read more »
Subscribe to: Posts (Atom)