One of the most common methods cybercriminals use to deliver phishing and malware to unsuspecting users is compromising legitimate websites, such as those hosted on WordPress, to house their own malicious content for free.
The URLs of compromised sites used for phishing attacks reach users through spam emails, allowing security professionals to keep track of their volume. In 2016, according to an Anti-Phishing Working Group (APWG) report, phishing attack campaigns shattered all previous years’ records, which the firm began monitoring in 2004. The report revealed that phishing sites peaked at 158,988 in the month of April 2016, a large number of attacks that keeps growing year over year. Once hijacked, the same site can be used to serve malware.
There are ways to protect users from email-borne attacks, but to keep the internet safer from those who perpetrate them, we must cut the supply chain even earlier. On the vendor side, faster detection can ensure that affected sites are flagged on time to prevent users from reaching them, thus foiling the attacker’s plans. On the website side, administrators should prioritize applying basic security practices to keep their sites safer, and users should remain cautious about opening unsolicited email and accessing links or attachments they receive inside.
Popularity Attracts Both Good and Bad
When it comes to the lucrative platforms, cybercriminals usually opt for those that cover more ground. That is why the Windows operating system is a primary mark for malware, and the Android OS is targeted by over 95 percent of all mobile malware. Following that same logic, the WordPress (WP) platform is one of the most popular content management systems (CMS) on the internet, holding close to 59 percent of the market share. Therefore, it is often targeted by fraudsters.
The platform is free to use, open source, and based on PHP and MySQL. WordPress is installed on a web server and can be used as part of a hosting service or directly on a network host, which makes it the choice of many website builders. The sheer quantity of WordPress-based sites makes them natural targets for spammers and cybercriminals who compromise legitimate websites to freely host their own malicious content. And since so many sites are based on the same code, finding just one vulnerability can mean compromising the lot of them, a practice that black-hat hackers apply to any type of platform.
To maintain the platform’s security in the face of such threats, the WP community has been actively updating the code base to keep both users and websites safe. Since its first release in May 2003, there have been 238 releases, many of which addressed security issues or vulnerabilities.
The most recent security update, v4.7.3, was released on March 6, 2017, adding further fixes and security to the existing distribution. But our data shows that website builders are slow to update, which can increase the site’s exposure to old vulnerabilities.
IBM X-Force used data from its web crawlers to log different websites with an indication of which code version they were using. Our data showed that many of the dated WP versions are still in widespread use.
Figure 1: Relative Number of Websites Hosting Each WP Version as of March 31, 2017 (Source: IBM X-Force)
Minimizing Risk of Compromise
To minimize the number of websites running older versions of the platform, WordPress introduced automatic updates in October 2013 as it released version 3.7. Although users can still control the update configuration in those instances, the WP default is to install all minor core updates automatically.
With automatic updates, one could expect to see more uniformity across the version distribution, but the data shows that the spectrum of version numbers is still wide. This can mean that some admins have disabled the automatic update feature, even though automating updates is a known security best practice.
The reason this happens is usually convenience. When updates take place without direct action from the administrator, unexpected and unsupervised processes may crash the application or affect part of its functionality, resulting in a great deal of work to adapt the application to a new source code or framework version.
Custom plugins and themes also lead admins to turn off automatic updates. Updates could reset the custom code and, as a result, affect the look and feel of the website. In this respect, most admins would put customer experience before automating security.
Let’s take, for example, WordPress v4.7.2, which fixes three vulnerabilities that could be used to take control over a website running that version. X-Force found that more than 5 percent of WordPress sites still run the vulnerable version 4.7 or 4.7.1, and fraudsters indeed take advantage of this weakness to inject their own content into those legitimate but compromised websites.
Spammers Seeking a Free Ride
Let’s look at a few examples to gain a wider sense of what attackers are doing to compromise sites.
In our ongoing analysis of the spam trends, X-Force Research has been observing a long-running spam campaign that takes advantage of vulnerabilities in WordPress sites to host foreign content on the affected systems. The hack is notable because the spammers seem to make only minimal changes to the target systems and enjoy abusing them at no cost.
The Plugin Problem
In general terms, to get themselves a free ride on someone else’s website, attackers compromise the site using one of the vulnerabilities that applies to the WP version it runs.
Then, a small HTML or PHP file is inserted into a subdirectory of the WordPress system. In over 70 percent of the URLs we analyzed, this folder was “wp-content,” but other directories such as “wp-includes” and “wp-admin” were also used.
Often, the malicious file is inserted into one of the WordPress plugin or theme subdirectories. These are notoriously vulnerable because plugins and themes are programmed by third parties. Since WordPress is an open source platform, these can essentially be distributed by both security-aware developers and those without secure coding experience, not to mention malicious actors.
The WP core does evolve, and more secure application program interfaces (APIs) and functions are introduced into it over time. But plugins can sometimes keep using old or deprecated functions, which carry vulnerabilities into the newer versions admins use.
The following chart shows the distribution of WordPress folders in which malicious files were most often inserted. The content folder is where plugins and themes are kept, which is likely why close to 70 percent of the URLs used “wp-content” as the starting point of the attacker’s plan.
Figure 2: Distribution of WordPress Folders Used as Insertion Points for Malcode (Source: IBM X-Force)
Let’s drill down a tad. For the URLs that use “wp-content,” the top three most-used subdirectories under “wp-content” are “plugins,” “themes” and “uploads.”
Figure 3: Top Most-Used Subdirectories Under “wp-content” (Source: IBM X-Force)
X-Force data revealed that nearly 40 percent of the URLs using the WP “plugins” directory reference a PHP or HTML page placed directly into that directory. The remaining 60 percent target an existing plugin subdirectory. The most frequent, with 14 percent, is the “mailit” plugin, although we have observed over 1,000 different WP plugins being targeted by attackers in their various campaigns.
Figure 4: Top WP Plugins Most Often Abused by Attackers (Source: IBM X-Force)
Plugins are indeed vulnerable elements of the WordPress CMS and make for popular insertion points for malcode, and the story is similar with theme directories.
X-Force data showed that over 45 percent of the URLs using that directory reference a PHP page placed directly into the directory. The remaining URLs used existing theme subdirectories. Overall, we observed over 1,000 different WordPress themes being targeted as insertion points by attackers.
The WordPress plugins and themes observed in the campaigns we monitored all appeared to be genuine WordPress extensions available for download. Again, attackers opt to take advantage of existing, reputable resources to infiltrate websites.
Figure 5: Top WordPress Themes Preyed Upon in Malicious Campaigns (Source: IBM X-Force)
Redirecting Legitimate Traffic in Illegitimate Ways
The attackers’ HTML or PHP code usually contains a simple redirect, which links to a marketing campaign. The goal is to drive traffic to the malicious site, whether it’s clickfraud, phishing or a malware-serving site. This method is very popular among spammers who direct traffic to malvertising campaigns.
After they gain illicit access to a compromised website, attackers attempt to send mass spam emails to unwary users containing the malicious URL. For example, the URL hxxp://www.[redacted].info/wp-content/themes/tThemeName/library/functions/cc5a4b4df4.html was inserted into the sample email shown below:
Figure 6: Spam Email in Which a Malicious URL Is Obfuscated by a Simple Hyperlink (Source: IBM X-Force)
Data on the compromised domain shows that it was created in 2015 — not a newly created site, but an existing one that’s been live for two years. Legitimate sites are attractive because they have good reputations, no malicious activity flags and will not set off any alarms when sent in email. Users who click through will be immediately redirected to a completely different and malicious site.
This modus operandi has a number of advantages for the spammers. By using the WordPress page as a redirecting stage instead of a direct hosting page, they reduce the chances of being detected by the page’s administrator.
Another popular method among cybercriminals is hijacking and abusing legitimate domains for their purposes. Similarly, these fraudsters appear to prefer the long-standing domains that already have a reputation and have been online for a while.
Typical spammer behavior is to register a new domain and then use it as quickly as possible in a spam campaign to bypass spam filters that rely on domain reputation. We often observe spam campaigns where the domains used are only hours or sometimes even minutes old. This is where the domain’s age can play a central role in judging its legitimacy factor; the longer a compromised domain has existed, the more likely it is to have been a legitimate one originally.
Drawing on data from our spam traps, we could see that almost 95 percent of WordPress-based domains we observed in spam emails were most likely legitimate sites, older than 90 days. Ninety percent of the domains are older than six months, and over 78 percent are more than 1 year old. This is a strong indication that established sites are being compromised and then used in spam campaigns.
Although we used WordPress as an example for its prevalence overall, this is not the only platform being targeted by cybercriminals.
Figure 7: Percentage of Domains by Age in Years (Source: IBM X-Force)
In further analysis of campaigns that abused WordPress sites, we discovered that in some cases even relatively up-to-date sites were compromised. We found that almost 68 percent of compromised hosts were running a version of WordPress less than six months (about three versions) old, and over 40 percent were running a version less than 30 days (at most one version) old.
Figure 8: WordPress Installation Age at Time of Infection (Source: IBM X-Force)
Figure 9: WordPress Installation Age at Time of Infection (Source: IBM X-Force)
The fact that a high percentage of WordPress installations are up to date and yet still got compromised by spammers could indicate that spammers take advantage of a WordPress vulnerability soon after it becomes known, reducing the window of time during which a system admin can install the latest WordPress patches. Worse still, cybercriminals could be exploiting zero-day vulnerabilities, for which no security fixes are available. Since WordPress is so widely used, a single vulnerability could lead to many websites being compromised.
Figure 10: WordPress v4.7.2 Ranked Most Frequently Compromised in Spam Campaigns (Source: IBM X-Force)
Relying on Data to Mitigate Risk
The data collected by X-Force correlates well with the spam and malicious page trends we see in the wild. Stopping this rampant phenomenon is not an overnight feat, but keeping sites safer — or cleaning them if affected by malcode — is a relatively easy task.
Attackers typically leave a very small footprint on the WordPress site, often a mere HTML or PHP document hidden in one of the subdirectories. For this reason, a system admin may not even be aware that the system has been compromised. If the document remains on the system, the same host could be leveraged again in future spam campaigns.
To stop repeated abuse by spammers, it is important for the WP system admin to not only install the latest patches, but also to actively scan the WordPress installation to weed out any unwanted content. This requires proactive monitoring of the WordPress deployment and notifications on changed files and content. This process can help analysts identify impostor files and allow the site to get back to managing only its legitimate activity.
To keep websites safer and more immune to attacks, WP system admins can improve the integrity of the system by installing new plugins and themes only from trusted sources such as the WordPress plugin repository and by avoiding free versions of commercial plugins that may have been tampered with.
An effective defense against cybercriminals seeking to compromise WordPress websites starts with thorough patching and updating processes. Admins that make the effort to update on time enjoy better security and fewer incidents in the long run. It’s also critical to keep up to date with vulnerability advisories and threat intelligence to know when specific versions are being abused by attackers.
Join IBM X-Force Exchange to keep updated about the threats most relevant to you.