Hackers Exploit WordPress Themes, Plugins to Hawk Scams
If you visited a website in recent days and were randomly redirected to pages with sketchy “resources” or unwanted advertisements, it is likely that the site in question was 1) built with WordPress tools and 2) hacked.
Researchers from Sucuri, a security provider owned by GoDaddy, unveiled on Wednesday that the hackers behind a months-long campaign focused on injecting malicious scripts into WordPress themes and plugins with known security flaws were at work again.
It is important to note that these hacks involve themes and plugins created by thousands of third-party developers using the open source WordPress software, not WordPress.com, which offers hosting and tools for creating websites. Automattic, the parent company of WordPress.com, is a major contributor to the software but does not own it.
According to Sucuri, there are 322 WordPress sites with plugins and themes that were affected by this new exploit, although “the actual number of impacted websites is likely much higher.”
In April alone, hackers used this tactic to infect nearly 6,000 sites, said Sucuri malware analyst Krasimir Konov.
“This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they will be opted in to receive unwanted ads even when the site is not open – and the ads will appear to come from the operating system, not a browser,” Konov wrote.
If that wasn’t enough, Konov said push notification activation tricks are one of the most common ways for hackers to run tech support scams. These are annoying pop-ups that appear out of nowhere, telling you that your computer is infected and that you need to call a phone number to get it fixed. Don’t do this. The Federal Trade Commission, which specializes in spotting scams, has pointed out that genuine security messages and warnings will never tell you to call a phone number for technical help.
WordPress.com told Gizmodo on Thursday that plugins and themes are written and maintained independently outside of the core WordPress software. Regarding Sucuri’s report, the company said that any plugin or theme hosted on WordPress.org, the software’s website, “is regularly scanned for vulnerabilities.”
“If security issues are identified, plugin and theme authors are notified immediately. Specific to Sucuri’s report, any plugin that was not fixed was either shut down or not hosted on WordPress.org. WordPress.org also provides security resources for theme developers and plugin developers,” said a WordPress.com spokesperson. “For self-hosted sites, WordPress users are advised and encouraged to update the core software, plugins and default themes.”
Sites hosted on WordPress.com are also offered services that patch vulnerabilities like those referenced in the report, the spokesperson added.