Posted on May 15, 2022 at 12:04 PM
Researchers at GoDaddy’s security firm Sucuri have revealed that thousands of websites were hacked over the past few months due to known vulnerabilities.
According to the researchers, the threat actors behind the campaign injected malicious scripts into WordPress themes and plugins, taking advantage of known security flaws at the time.
The hacking activities are linked to plugins and themes built by thousands of third-party developers that use the open-source WordPress software instead of WordPress.com. WordPress.com’s parent company Automatic is the distributor of the software, but it doesn’t own it.
Thousands of Sites Could Be Affected
Sucuri noted that there are 322 WordPress sites with themes and plugins that were affected by the hack. However, the real number of other websites impacted by the exploit could be much higher. Last month, threat actors used the method to infiltrate 6,000 sites, according to Krasimir Kon, a malware analyst with Sucuri. This means that there may be more sites impacted since the campaign started months ago.
“This page tricks unsuspecting users into subscribing to push notifications from the malicious site,” Konov added.
When the users follow the directive by clicking on the CAPTCHA, they’ll automatically be entered into an opt-in list for several unwanted ads. The ads will look like they are coming from the operating system and not from the browser so that they will look authentic from a genuine company.
The Hackers Can Run Tech-Support Scams
Konov also noted that the opt-in maneuvers for push notifications are one of the ways threat actors can run tech support scams. In most cases, the affected users keep receiving annoying pop-up windows to inform them that their computer is compromised. A number is usually provided for the user to call and receive instructions to fix the problem. This is where they get gullible victims. Once they make the contact, the users may be exploited further.
The Federal Trade Commission provided some useful points to help users stay off these types of scams. The commission noted that users should consider such messages as coming from scammers and hackers. It noted that a genuine security firm will not use such an approach to contact a user with an infected system. Real security messages do not ask users to call a certain number to get their issues fixed, the commission stated.
WordPress.com stated that themes and plugins are not maintained or written within the core WordPress software. Based on Sucuri’s report, any theme or plugin hosted on the WordPress.org website is usually scanned for flaws.
The Vulnerability Is From Third-Party Tools
The report also noted that once security issues are discovered, authors of themes and plugins are notified immediately to prevent any more impact. If no response was received from the author or if a theme is not patched on time, it is pulled out of WordPress or completely closed from the portal. WordPress.org also helps by offering tools and resources on security for both plugin developers and theme developers.
According to a spokesperson for the company, WordPress users are informed and encouraged to update important software, themes, and plugins, especially for self-hosted sites.
WordPress also offers different security services to sites hosted on the WordPress.com platform. These security advisory services enable the company to address vulnerabilities like those referenced in the report. But despite the efforts by the company to keep the platform safe, it still suffers from some security lapses in some cases.
The reason is that most of the plugins and themes hosted on the platform are managed independently by third parties. As a result, exploits on WordPress are usually from vulnerable themes or plugins from these third parties.