Watch out! Hackers are exploiting WordPress sites to spread malware
What's the story
Next time, when you click on a link served via email, better look at the website it is redirecting you to - as it may install a ransomware/malware on your PC. Hackers, according to a recent ZDNet report, are hijacking websites to hide and distribute malware and ransomware to unsuspecting users. They have already compromised some 500 sites. Here's everything about the attack.
Attack
Popular CMS systems being exploited to distribute malware
Researchers from IT security company Zscaler have reported that hackers have been exploiting vulnerabilities in websites built on popular content management systems. They have been leveraging issues with the themes, extensions, and plugins used in Joomla and WordPress, two of the most used CMS systems, to hide and distribute malware, and sometimes even phishing pages, through a hidden HTTP directory.
Hidden content
Malicious content even stays hidden from administrators
While assessing the infected websites, the researchers noted that hackers had used different techniques to gain access to the hidden directory, which is commonly used for verifying the ownership of a domain. As this page stays hidden from the administrators of the website, the malicious content stays on the website for long, thereby affecting more number of users, they said.
Impact
500 websites affected with different malicious programs
So far, the researchers have discovered over 500 websites that have been compromised using the CMS vulnerabilities and the hidden directory. They have discovered a range of malicious programs being distributed through the websites, including the critical Shade, aka Troldesh, ransomware. Notably, it affected the most number of infected WordPress and Joomla websites.
Quote
Deepen Desai, Zscaler's VP for security, detailed the attack vector
"Spam emails usually contains link to the HTML redirector page hosted on the compromised site which downloads the malicious zip file. User needs to open the JavaScript file inside the ZIP and this JavaScript file will download the ransomware from compromised site and execute it."
Attacker
Attackers still remain at large
Zscaler indicated that the outdated themes or server-side software might be the reason for the attack on WordPress sites (built using version 4.8.9 to 5.1.1). The security company is in the process of informing the infected websites' owners about the issue. However, so far, there is no word on the exact loophole or on the bad actors behind these attacks.