Monday, 15 February 2016

Mysterious Spike in Wordpress Hacks Silently Delivers Ransomware to Visitors

ransomeware_hack

WordPress Content Management System – Hacked


A large number of websites which tend to run on the WordPress content management system are getting hacked to deliver crypto ransom-ware together with other malicious software to ignorant end users. Researchers from three different security firms, in the last few days have reported that a huge number of legitimate WordPress sites are hacked, silently redirecting visitors to a sequences of malicious site.

The attack sites tend to host code from Nuclear exploit kit which is available for sale in black market all over the Internet. People who tend to visit the WordPress sites and use out-of-date versions of Adobe Flash Player, Adobe Reader Internet Explorer or Microsoft Silverlight would find that their computers are infected with the Teslacrypt ransomware package which encrypts user files, demanding a heavy ransom for the decryption key required to restore them.

According to Malwarebytes Senior Security Researcher, Jerome Segura who had mentioned in his blog post published recently stated that WordPress sites are considered to be injected with enormous recommendations of rogue code which tends to silently perform redirection to domain appearing to be hosting ads. This could be a distraction and fraud since the ad comes with more code which sends the visitor to the Nuclear Exploit Kit.

Google’s Safe Browsing Mechanism


The compromised WordPress sites observed, had been hacked to include encrypted code towards the end of all legitimate JavaScript files according to the latest blog post published by website security firm Sucuri. It is said that the encrypted content seems to vary from site to site.

To avoid detection from researchers visiting the compromised site, the code makes efforts to infect only first time visitors and to further hide the attack, the code then redirects end users through a series of sites prior to delivering the ultimate malicious payload. Google’s Safe Browsing mechanism, Sucuri which browser maker then to use in helping users to avoid malicious websites had mentioned that Google had blacklisted some of the Internet domains that were utilised in the scam.

However, a post published recently by Heimdal Security listed an altered domain with the probability that the attackers seem to frequently refreshing as the old ones tend to get identified. Moreover, Heimdal Security also cautioned about antivirus programs could do little in protecting end users.

Enhanced Mitigation Experience Toolkit - Microsoft


The exploit code for instance had been detected by only two of 66 leading AV packages, towards the latest part of the campaign, while the payload it delivered has also been limited.The most recent reminder of the attacks are that people could be exposed to powerful malware attacks even while visiting legitimate websites which could be trusted.

 The best defense would be to install security updates as soon as they tend to become available for such drive by attacks. Other systems comprise of running Enhanced Mitigation Experience Toolkit of Microsoft on any of the Window based computers using the 64-bit version, if possible, of Google’s Chrome browser. It is not known how the WordPress sites tend to get infected.

 There could be a possibility that administrators may be failing in locking down the login identifications which may enable the site content to be changed. It could also be likely that the attackers may be exploiting unknown vulnerability in the CMS, which is one of the plugins used, or the operating system they tend to run on. When a system is infected, the website malware tends to install various backdoors on the webserver, a feature which could result in several hacked sites being repeatedly re-infected.

No comments:

Post a comment

Note: only a member of this blog may post a comment.