Ah... Another bright sunny day in the
Internet of Cesspit... Why do we even bother!
It's either full-on Hacking or full-on Surveillance...
Which would you like with your Internet sir???
Website admins are urged to update their WordPress installations as soon as possible to the latest version following a rash of attacks exploiting known vulnerabilities in the web publishing software. Researchers at Malwarebytes say miscreants don't appear to be targeting any one specific bug, but rather a full array of flaws …
I followed one of the infected WordPress sites using a third party URL scanner that led me to the warning in the title of my comment, which contained official-looking Apple icons in the bogus virus warning that warned me I should click the "Scan Now" button, which downloaded: "MacCleaner.pkg".
(I am not using a Mac but the useragent strings I used to spoof said I was.)
Using the third party URL scanner allowed me to collect a treasure trove of info.
And as always, these fake virus warnings all have something in common:
#1 Hosted on Amazon's CloudFront
#2 Comodo certificates
#3 Google analytics
#4 DoubleClick
It's pretty sad when ordinary citizens are forced to take action against this kind of fraud.
(I believe I now know why users' complaints to Google regarding fake virus warnings that link to bogus "antivirus/cleaner" apps on the Play store are ignored.)
Seems many people / organisations get as far as throwing up some site using these tools and then never look after them (or don't know why/how to).
For example the rucksack club at my university is now showing a listing of "happy ending" massage offers and nobody is at home to sort it out.
I am involved with a small voluntary group which has a WordPress website. Over the years, we either have nobody who wants to really run our website, or else an enthusiast who takes it in a direction not all of us agree with.
The site is with a hosting company. We hope they know what they are doing in relation to the problems this article reports.
"The site is with a hosting company. We hope they know what they are doing in relation to the problems this article reports."
That depends. When you say "a hosting company" do you mean a company that specifically handles (and in your case handled) the installation, set up, and maintenance of WordPress, or do (did) they simply provide all the tools necessary for you to do it all yourself? If the latter, you need to look after it. (You = the group, obvs.)
Why? Because one of my hobbies is to trick them into thinking that I am in need of their 'services' when in actuality, I am scamming them. The longer they stay on the phone with me, that is time they can't scam someone else. In some cases, they downloaded and ran programs off my VM that they were connected to and ended up destroying their computer. WannaCry anyone? Hey, if they were legit, they wouldn't be downloading fake word documents titled banking_details.doc.exe with the extension hidden and a word doc icon.
These fake tech support scammers will syskey your machine and then you have to pay $200-300 to get the password to unlock your machine. That is how they make money. And a lot of them use iTunes gift cards, and they are mostly out of India... at least that's been my experience.
I am not a fan of WordPress, largely because of the security issues.
But it can be used in a way that is probably not noticeably less safe than most other systems.
1. Install a decent security plugin, and switch on all the options (I've been using All in One WP Security) - that will block a lot of nasty attack vectors, and also set things up for AUTOMATIC UPDATE of WP! Jesus! How difficult can it be!
2. DON'T install those tempting little plugins from god-knows-where. The ones that will turn out to have an interesting hole, 3 years after the sole developer died in a terrible tragedy involving cold soup, a rhododendron and stolen bitcoins.
3. Only use WP for fairly straightforward sites, ideally brochureware. If it's going to be running e-commerce, look elsewhere.
4. And if you're paranoid, look out for some really solid hosting. I run a number of shared hosting packages, but keep the WP sites on a separate package so any successful attacks can't access more important stuff.
CMS systems are attractive to businesses because they allow some PR bot and other departments to post/edit content without having to know how to use HTML/CSS and/or object oriented programming.
The number of lines of code needed to allow for this functionality far outstrips the amount of code needed to produce the same content if it was done by someone who knows how to code it. Straight away I can see that's a problem. It becomes even more of a problem when you factor in plugins and the fact that their popularity means they're going to be targeted by automated tools like wpscan and joomscan.
Newer versions of WP simply update themselves, and as far as plug-in updates go, I get an email notification when a plug-in needs updating, and that's simply logging into the site, clicking 'Updates', and then checking the box for the plugins to update. A minute later, it's all updated. Total time spent updating the site? Literally less than 2 minutes.
It's not just "newer versions" automatic update - automatic update was introduced in version 3.7, which was released on October 24, 2013. FIVE YEARS AGO.
Take ANY five year old server OS and there are lots of security issues - why would you expect a web application to be any different?
If someone is still running something that old then it is obvious that they DON'T have a "web admin", so telling "web admins" that they need to update isn't going to do any good.
It does, however, create a market opportunity for someone who wants to scan websites looking for potential customers. Nothing illegal as it doesn't require a deep probe, just grab the index and see if there is a "<meta generator=" line with a version of wordpress that is old. If there is one, then you know that (1) they are using an old potentially vulnerable version and (2) they aren't using any kind of security plugin. All you then have to do is convince the site owner that they need an upgrade.
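An added example, not from any commenter in this thread: a small Python audit of the generator tag the comment above describes, meant for checking the homepages of sites you are responsible for so you know what version string they advertise. The tag WordPress actually emits is `<meta name="generator" content="WordPress x.y.z" />`; the sample pages and the baseline version are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Loose matching: pull every <meta ...> tag, then read its attributes in any order.
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')
WP_VERSION_RE = re.compile(r"WordPress\s+([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, ...]:
    """'4.9.8' -> (4, 9, 8); tuples compare correctly, unlike raw strings."""
    return tuple(int(p) for p in text.split("."))

def extract_generator_version(html: str) -> Optional[Tuple[int, ...]]:
    """Return the advertised WordPress version, or None if no generator tag is present."""
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "generator":
            m = WP_VERSION_RE.match(attrs.get("content", ""))
            if m:
                return parse_version(m.group(1))
    return None

def assess(html: str, baseline: Tuple[int, ...]) -> str:
    """Classify a page's exposure.
    'hidden'   : no generator tag (what a security plugin typically leaves behind)
    'outdated' : advertises a version below the baseline you treat as patched
    'current'  : advertises the baseline or newer
    """
    version = extract_generator_version(html)
    if version is None:
        return "hidden"
    return "outdated" if version < baseline else "current"

# Constructed sample pages; not captured from any real site.
SAMPLES: Dict[str, str] = {
    "club-site": '<html><head><meta name="generator" content="WordPress 3.5.1" /></head></html>',
    "brochure":  '<html><head><meta content="WordPress 4.9.8" name="generator"></head></html>',
    "hardened":  '<html><head><title>Hardened</title></head></html>',
}

def audit(pages: Dict[str, str], baseline: Tuple[int, ...] = (4, 9, 8)) -> Dict[str, str]:
    """Run assess() over a set of homepages; the default baseline is an assumed example value."""
    return {name: assess(html, baseline) for name, html in pages.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: {status}")
```

A 'hidden' result only means the tag is removed, not that the site is patched; it is a hint about plugin hygiene, not a substitute for checking the dashboard.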