Tuesday, June 19, 2012

Compromised WordPress Blogs: A Phisher's Paradise

One of the ongoing trends in the phishing attacks the VRT monitors is the use of poorly secured WordPress blogs as staging points for exploit kits. Every time I hover over a link in the latest "UPS Tracking" or "Airline Ticket Confirmation" email, I'm looking for "/wp-content/", "/wp-includes/", or some other indicator of a poor, unsuspecting person who thinks they're telling the world everything they know about growing tulips, when in fact they're unwittingly serving as an accomplice to cybercrime. More and more often, those indicators crop up, with blatantly compromised web sites serving as the first point of entry into someone's Blackhole, Phoenix, or other exploit kit.

How often, you ask, are compromised WordPress installs being abused in this manner? I've been collecting phishes and other malicious emails for the last month or so, and in that time, over 5 percent of these messages have contained links with a WordPress-related URL in them. Given the fractured nature of attacks on the Internet - your average cybercriminal is generally looking to avoid detection, and as such is always looking for the latest obfuscation technique - any time you get a common thread appearing in attacks at that sort of a rate, it's actually significant from a detection perspective.

Of course, you can't just generate an IDS event every time someone requests a WordPress-related URL, even out of an email link - you'd end up melting your sensor, or the network itself if you were dropping these requests. What you can do, however, is look for some common techniques used by attackers against specific WordPress vulnerabilities, and use your knowledge of what should be in a given directory on a WordPress install to hook some really nasty phish on the proverbial line.

SID 21941, which was released on May 2, does exactly this. The rule looks for URLs specific to the Fgallery plugin - a relatively popular module for posting images on one's blog. Since the "/fgallery/" directory used by the plugin should only ever contain image files, the rule was written to look for file names ending in ".php" within that directory - a clear sign that someone has abused a remote file include vulnerability to upload a malicious page. The rule, which has been enabled in the balanced policy the entire time, has yielded no false positive reports to the VRT, and does an excellent job of catching compromised sites being used for nefarious purposes.

When a creative new phish hit inboxes yesterday - claiming to be a Verizon Wireless monthly statement - I noticed that the URL went to < redacted > /wp-content/uploads/fgallery/vz.html. Running that URL through our sandbox, a clear-cut case of Blackhole emerged immediately; had I clicked the link from an actual workstation, I'd have been owned in no time flat.

Of course, while that URL was close to the pattern from SID 21941, the use of an HTML file instead of a PHP file dictated a new rule; that's being released in today's SEU as SID 23171.
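The detection idea behind SID 21941 and SID 23171, as an added example (not Sourcefire/VRT code and not the text of either rule): flag email links whose path points into the fgallery upload directory but names something other than an image. It generalises slightly beyond the two rules by treating any non-image extension as suspicious, also catching path-info tricks such as `shell.php/photo.jpg` and percent-encoded dots; the image-extension allowlist and the sample URLs are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse, unquote

# Assumption: only these extensions legitimately live under fgallery/.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "webp"}
FGALLERY_DIR = re.compile(r"/wp-content/uploads/fgallery/", re.IGNORECASE)


def classify_link(url: str) -> Optional[str]:
    """Return a reason if the link abuses an fgallery directory, else None."""
    path = unquote(urlparse(url).path)  # decode %2E-style dots before inspecting
    match = FGALLERY_DIR.search(path)
    if not match:
        return None  # not an fgallery path at all; never alert on generic WP URLs
    # Inspect every path segment after fgallery/, so a PHP script followed by
    # a harmless-looking PATH_INFO suffix (x.php/img.jpg) is still caught.
    for segment in path[match.end():].split("/"):
        if not segment or "." not in segment:
            continue  # album sub-directory or empty trailing slash
        ext = segment.rsplit(".", 1)[-1].lower()
        if ext not in IMAGE_EXTENSIONS:
            return f"non-image file '{segment}' in fgallery directory"
    return None


def scan_links(links: List[str]) -> List[Tuple[str, str]]:
    """Run classify_link over extracted email links; return (url, reason) hits."""
    hits = []
    for url in links:
        reason = classify_link(url)
        if reason:
            hits.append((url, reason))
    return hits


if __name__ == "__main__":
    # Constructed sample links, modelled on the phish described in the post.
    sample = [
        "http://example.invalid/wp-content/uploads/fgallery/vz.html",
        "http://example.invalid/wp-content/uploads/fgallery/1/photo.jpg",
        "http://example.invalid/wp-content/uploads/fgallery/x.php/img.jpg",
    ]
    for url, reason in scan_links(sample):
        print(f"ALERT {url}: {reason}")
```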

The thing that terrifies me as someone attempting to secure the Internet, however, is the sheer volume of WordPress plugins vulnerable to remote file upload attacks just like this. Running a Google query for "wordpress file upload vulnerability" yields 459,000 results, and the first several pages of results returned are littered with live exploits that are ready to use on the Internet at large. If you're running a WordPress installation somewhere - seriously, make sure you're patched right now, because if you aren't, your chances of staying safe from ownage are about as good as a snowball's chances of surviving Washington, DC heat on an August day.

The VRT is constantly monitoring networks around the world, looking for live exploits like these, and will be adding rules for other commonly abused WordPress modules as they crop up. If you have suggestions for things you see being exploited regularly, please send them to research < at > sourcefire < dot > com, so we can make sure to add coverage promptly. In the meantime - be careful where you click, especially where WordPress is involved.


  1. I have seen a number of phishing emails using compromised WordPress sites (among others) that seemed to originate with hacks of AOL mailboxes just recently. The emails apparently are being sent out to the entire address book of the hacked accounts.

  2. The ease of default webservice construction and distribution will always present configuration issues which lead to weak security. Most users will go for default because it's easy. Making the security just as simple will help.

    The security issue with popular, low cost and free services such as WP is that they are offered to the Internet community at little or no cost and they need to advertise themselves to help with funds in the future, hence the presence of logos and trademarks. You may be able to cloak some areas but expecting the average revolutionary web blogger to spend more of their time on security configuration (beyond software updates because it's easy) than content generation may be a tall ask.

    Exploiters will use any information they can get hold of; if it's not in the URI it will be somewhere else. Throwing the webpage into error, for example. If the software manufacturer has to comply with an "easily configured secure" standard then the Internet is on its way to becoming more secure.

  3. There is no doubt that public exploits for WordPress plugins and themes abound. Some in the past year have been real doozies (eg. timthumb).

    It is worth pointing out that any system as popular as WordPress is bound to be an attack target.

    You mention that 5% of the links in malicious emails were WordPress sites. I did a recent study of sites in the Alexa top 1 million sites and found 16% of the sites are running on the WordPress platform, indicating that WordPress deployments are far more than just blogs about "Tulips". :)

    WordPress in Top 1 Million Sites

