Posted on April 11, 2019 at 6:07 PM
Visitors to Mailgun's WordPress-powered website were redirected to malicious sites.
Mailgun is a popular email automation and email delivery service. Unfortunately, online miscreants breached its website yesterday, the 10th of April 2019. Many other WordPress sites have fallen to the same attackers, and the campaign against sites running the affected plugin is still ongoing.
As for how the attackers are getting into the sites, researchers have found that they are exploiting a vulnerability in a WordPress plugin. The weak spot is a plugin called Yuzo Related Posts, which contains a stored cross-site scripting (XSS) flaw. The attackers use it to inject malicious JavaScript into the site through the plugin; once the code is in place, it redirects visitors to the infected site to other malicious sites.
If the redirects led to harmless websites, nobody would complain. Unfortunately, the attackers' code sends Mailgun's visitors to sites pushing scams such as fake tech support, while others serve spammy ads and peddle software updates laced with malware.
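A practitioner reading the above will want a quick way to tell whether their own site has picked up an injected redirect. The following is an added example, not code from the article, from Mailgun or from the plugin's authors: it parses rendered page HTML (or a dump of stored plugin option values, since that is where such injected content sits), flags external script sources outside an allowlist, and flags inline scripts that use redirect or obfuscation primitives, decoding String.fromCharCode(...) so a hidden destination URL becomes readable. The sample page, the allowlist, the option names and the evil.example.test domain are all constructed for this example and are not indicators from the real campaign.

```python
"""Scan WordPress page HTML or stored option values for injected redirect scripts.

Added example for this article (not Mailgun, Yuzo or WordPress code). All sample
input below is constructed; the hostnames and option names are not real campaign
indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript primitives an injected redirect almost always uses.
REDIRECT_PATTERNS = [
    r"window\.location", r"document\.location", r"top\.location",
    r"location\.(href|replace|assign)", r"window\.open\(",
]
# Primitives commonly used to hide the destination from a casual grep.
OBFUSCATION_PATTERNS = [
    r"eval\(", r"String\.fromCharCode", r"atob\(", r"unescape\(",
]


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline = []        # text of every inline <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def decode_fromcharcode(js):
    """Replace String.fromCharCode(104,116,...) calls with the decoded literal."""
    def repl(match):
        codes = [int(c) for c in re.findall(r"\d+", match.group(1))]
        return repr("".join(chr(c) for c in codes))
    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", repl, js)


def scan_html(html, allowed_hosts):
    """Return a list of findings for one HTML document or HTML fragment."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname       # also handles protocol-relative //host/x.js
        if host and host not in allowed_hosts:
            findings.append({"kind": "external_script", "host": host, "detail": src})
    for body in parser.inline:
        decoded = decode_fromcharcode(body)
        text = body + "\n" + decoded        # match on both raw and decoded forms
        hits = [p for p in REDIRECT_PATTERNS + OBFUSCATION_PATTERNS if re.search(p, text)]
        if hits:
            urls = re.findall(r"https?://[^\s'\"<>]+", decoded)
            findings.append({"kind": "inline_redirect", "patterns": hits,
                             "urls": urls, "detail": decoded.strip()[:200]})
    return findings


def scan_options(options, allowed_hosts):
    """Run the same scan over a dict of stored option values (e.g. a wp_options dump)."""
    report = {}
    for name, value in options.items():
        hits = scan_html(value, allowed_hosts)
        if hits:
            report[name] = hits
    return report


# Constructed sample: one legitimate script, one unknown external script and an
# obfuscated inline redirect to https://evil.example.test/go (hypothetical host).
ALLOWED_HOSTS = {"www.example-site.test"}
SAMPLE_PAGE = """<html><head>
<script src="https://www.example-site.test/wp-includes/js/jquery/jquery.js"></script>
<script>document.addEventListener('DOMContentLoaded', function () {});</script>
<script src="//cdn.unknown-host.test/r.js"></script>
<script>var x = String.fromCharCode(104,116,116,112,115,58,47,47,101,118,105,108,46,101,120,97,109,112,108,101,46,116,101,115,116,47,103,111); window.location.href = x;</script>
</head><body><p>hello</p></body></html>"""

# Constructed option dump; the option names are placeholders, not the plugin's real keys.
SAMPLE_OPTIONS = {
    "example_plugin_css": ".related { color: #333 }",
    "example_plugin_custom_html": "<script>top.location = 'https://evil.example.test/go';</script>",
}

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f["kind"], f.get("host") or f.get("urls"), f["detail"][:80])
    for name, hits in scan_options(SAMPLE_OPTIONS, ALLOWED_HOSTS).items():
        print("option", name, [h["urls"] for h in hits])
```

Run it against `curl -s https://your-site/` output or a `wp option` dump; anything it flags should be compared against the scripts and settings you know you put there, and the allowlist should contain only hosts you deliberately load scripts from.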
Updates About The Attacks
The email automation service Mailgun is not the first victim of this campaign. Many owners of WordPress sites have reported the same incident and pointed out that the attackers exploited the same plugin; at least, that is what they shared on the Yuzo Related Posts support forum on WordPress.org (1,2,3). We have come across the same reports on other web-development discussion forums, among them Stack Overflow.
Meanwhile, we have learned that yesterday's attack might not have happened at all. A web developer discovered the plugin vulnerability but did not disclose it to the plugin's author in time. Instead, the developer published proof-of-concept code online; we may never know the reasons for not informing the author first. As soon as the proof-of-concept was shared, the WordPress team pulled the plugin from its repository the same day. For now, no user can download the plugin until the developers provide a patch.
Unfortunately, removing the plugin from the repository does not remove it from the websites that already have it installed, so every WordPress site that still runs it remains vulnerable. Before the team removed the plugin, almost 60,000 websites had installed it, according to the stats on the official WordPress website.
The Group Targeting WordPress Sites
Defiant is the company behind the Wordfence WordPress firewall plugin. According to them, a single hacker group is behind the attacks on these WordPress sites. The same group had exploited two other plugins, Easy WP SMTP and Social Warfare, some weeks ago, and a Defiant researcher stated that the attackers used the same IP address to carry out these hacks.
Meanwhile, researchers at Sucuri have also connected the two campaigns. Mailgun, however, had not commented on the attack beyond its status page as of yesterday. Its first step was to pull down the plugin and carry on with operations; it took only two hours after detecting the problem to remove the plugin from its site.
Meanwhile, in its status report, Mailgun assured customers that all its products are intact. According to the report, customer data, the Mailgun dashboard and the Mailgun APIs are unaffected.