Posted on September 5, 2019 at 9:59 AM
If you enter your regular text processing online platform, the last thing you may think is that it may make you vulnerable to a hacking attack. Sadly, cybercriminals are now targeting web pages that use one of the most popular web hosting spaces, WordPress.
The modus operandi of the latest attack have these hackers infecting some common plugins. Wordfence researchers observed that the WordPress plugin hack can affect as many as nine different plugins.
The fact that so many plugins can be vulnerable to attacks has led cybercriminals to play with the system and create false administrator accounts on specific web pages while implementing these plugins.
Most Attacks Are Coming From a Single IP Address
A Wordfence research specialist explained via a blog post that the vast majority of the attacks related to the WordPress plugins have come from a single IP address, and it is linked with a Rackspace server that hosts some allegedly infected or compromised websites.
The security company also stated that it tried to reach out to Rackspace with the intention of warning them about the presumably compromised servers and web pages, but there wasn’t a response at the moment in which they wrote the mentioned blog post.
Some of the plugins that were breached are Blog Designer, Bold Page Builder, Form Lightbox, Hybrid Composer, Live Chat with Facebook Messenger, and all former NicDark plugins, which include nd-learning, nd-travel, nd-booking and more; Visual CSS Style Editor, WP Live Chat Support, and Yuzo Related Posts.
According to specialists in the matter, the WordPress plugins hack injected scripts which resulted in malicious redirects to compromised websites and annoying popups in visitors’ web browsers.
Trying to Install a Backdoor
The hack has existed since the month of July, or at least that is when it was spotted. Since that moment, cybercriminals have included another script that attempts to install a backdoor into the page via an exploit of an administrator session.
People are no doubt wondering what to do about the hack. After all, WordPress is a widely used web hosting platforms, one that powers thousands of blogs and websites from all over the world.
Before talking about possible solutions, it is worth noting that whenever the administrator signs into an infected WordPress website, the newly developed script attempts to use their credentials to come up with a new admin account using the name wpservices.
The new “wpservices” admin account is actually linked to the email address firstname.lastname@example.org.
The cybercriminals manage this new, malicious WordPress account and implements it as a mean to complete several other acts. According to the Wordfence researchers, the fact that more malicious administrators accounts are being created is a clear sign that hackers may be getting ready to inflict more damage through compromised WordPress pages.
As a possible solution, website administrators that use WordPress as a web hosting platform are recommended to keep all their plugins up to date, to their respective latest versions, in order to avoid their pages from being targeted and exposed to the hack.
Important: Keep Plugins Up to Date
The fact remains that the hacker or hacking entity is actually targeting older vulnerabilities, which would mean that those that have their plugins updated have lower odds of being the newest victims of the vulnerability.
Additionally, researchers and specialists are also recommending deleting all malicious accounts that were created by the malware and further performing a scan to their pages to make sure that no other backdoors have been installed.
When it comes to cybersecurity, especially in our current reality, it seems that there is no way a person can be 100 percent safe while venturing into the online world. That is why awareness should come first, and then, a course of action can be planned.
Something that may seem harmless like WordPress plugins could end up being extremely detrimental to online privacy and security.