12,000 Phishing sites hosted on compromised WordPress installs

Hijacked websites running the popular blogging platform were used to stage Phishing campaigns targeting PayPal and Apple customers.

wordpress logo 900x600

Stats compiled by Netcraft show that 12,000 WordPress installations were compromised in February and used in Phishing campaigns that targeted Apple customers and PayPal users. In addition, compromised WordPress installations were also the source of a significant amount of Web-based malware during the month.

Pulling the stats, more than 7 percent of all Phishing attacks blocked by Netcraft during the month were hosted on compromised WordPress domains, which translates into 11 percent of the unique IP addresses wrapped-up in the scams. Further, 8 percent of the malware URLs blocked by Netcraft during the month (representing 19 percent of all unique IP addresses) were serving malware to unsuspecting victims.

Of the sites referenced in the Netcraft study for the month, 17 percent of them targeted Apple customers, and 25 percent of them focused on PayPal.

However, like most Web-based development platforms, WordPress requires a level of management most passive webmasters and organizations cannot provide. Security updates are automatic now, since the 3.7 release, but that wasn't always the case. Even with automatic updates, plug-ins and themes still need to be maintained on some levels, and the code that goes into homegrown developments isn't always perfect.

Still, even the stable core code can cause problems.

An example of core code causing problems was observed recently when 162,000 WordPress domains were hijacked and used to initiate a DDoS attack. In 2012, poorly protected WordPress installs were blamed for the rapid spread of the Flashback Trojan. That same year, 30,000 WordPress installs were compromised and used to spread Rogue Anti-Virus.

Even developers and active administrators can inadvertently expose WordPress-based projects to malicious acts, such as those who expose database backups to Google indexing. Or the TimThumb.php problem that impacted every WordPress installation that was online at the time.

The findings from Netcraft aren't shocking. Attacking WordPress or any other CMS platform for a Phishing campaign or drive-by-malware attack allows the criminal(s) behind the scheme to leverage an important object – trust.

Just last week (March 19), EA, one of the world's largest gaming companies, had one of their servers compromised and two of their domains used to initiate a Phishing attack against Apple customers.

"The phishing site attempts to trick a victim into submitting his Apple ID and password. It then presents a second form, which asks the victim to verify his full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting these details, the victim is redirected to the legitimate Apple ID website... The compromised server is hosted within EA's own network."

The number of victims in this recent Phishing attack isn't known, and EA fixed the problem in less than a day. However, the point is, EA is a trusted brand, and the attack was sure to fool someone, and given the Origin (no pun intended gamers) of the attack, EA's domains are likely to be allowed to bypass most reputation filters.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.