Missing WordPress Upgrades Won’t Make You More Vulnerable to Attacks
It didn’t come as a surprise, at least to me, that the recent massive malware campaign swept through many WordPress sites, including those that had upgraded to the latest version (3.3.1). WordPress alone has fallen prey to many attacks in the past.
All the while, several blog posts asserted that the campaign would compromise only those sites that had yet to upgrade to the latest version. But this speculation proved to be, well, just a speculation when security research firm Websense found that 86 percent of the 30,000 websites it analyzed had been compromised.
Websense stated: “We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment.”
The firm said that PHP dominated the server side, accounting for 94 percent of the compromised sites.
Websense added: “Digging a little deeper, we were also able to examine which CMS were victims of the attack. Initially, when we discovered the attack, we found only WordPress sites, and after a week or so, the picture did not change that much. WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites are also affected, with all other content managers making up a tinier slice.”
Looking at the compromised websites might lead you to conclude that upgrading to the latest version of WordPress is not a necessity. This may come as a surprise: 64 percent of the compromised WordPress sites were actually running version 3.3.1, while only 5 percent were running 2.7.1, 2.8.4, or 2.9.2.
Websense cited the following as the primary causes of the compromises:
- Weak passwords / stolen credentials
- Vulnerable third-party modules used in WordPress
- Security holes in the underlying server infrastructure
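The second and third causes above are the ones a site owner can check on the server itself. The following script is an added example, not code from the article or from Websense: it audits a WordPress install root for three things a practitioner would want to know before trusting a “fully upgraded” site, namely whether the core version actually matches what is expected, whether any PHP code sits in `wp-content/uploads` (a directory that should only ever hold media), and whether any plugin directory is not on an allowlist of reviewed plugins. The version pattern relies on the real `wp-includes/version.php` file; the directory layout it builds for the demo is constructed sample data, and the plugin names and allowlist are assumptions. Weak passwords and stolen credentials (the first cause) require access to the database and are not covered here.

```python
"""Audit a WordPress install root for unreviewed plugins, rogue PHP in uploads,
and a core version that differs from what the operator expects.
Added example; directory tree below is constructed, not a real site."""
import re
import tempfile
from pathlib import Path

# Real WordPress stores its version as:  $wp_version = '3.3.1';  in wp-includes/version.php
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

# File extensions the web server would execute as PHP in a typical Apache/PHP setup
PHP_SUFFIXES = (".php", ".phtml", ".php5")


def installed_version(root: Path):
    """Return the core version string from wp-includes/version.php, or None if absent."""
    vfile = root / "wp-includes" / "version.php"
    if not vfile.is_file():
        return None
    match = VERSION_RE.search(vfile.read_text(errors="replace"))
    return match.group(1) if match else None


def php_in_uploads(root: Path):
    """List files under wp-content/uploads that are PHP by extension or that
    contain a PHP open tag in their first 4 KiB (a disguised script such as
    'note.txt' still counts, since an attacker may rename it later)."""
    uploads = root / "wp-content" / "uploads"
    hits = []
    if uploads.is_dir():
        for path in uploads.rglob("*"):
            if not path.is_file():
                continue
            by_suffix = path.suffix.lower() in PHP_SUFFIXES
            by_content = b"<?php" in path.read_bytes()[:4096]
            if by_suffix or by_content:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def plugins_not_in_allowlist(root: Path, allowed):
    """Return plugin directory names that are not on the reviewed-plugin allowlist."""
    plugins_dir = root / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return []
    return sorted(d.name for d in plugins_dir.iterdir() if d.is_dir() and d.name not in allowed)


def audit(root: Path, expected_version: str, allowed_plugins):
    """Run all checks and return a list of human-readable findings (empty means clean)."""
    findings = []
    version = installed_version(root)
    if version != expected_version:
        findings.append(f"core version {version!r} differs from expected {expected_version!r}")
    for rel in php_in_uploads(root):
        findings.append(f"PHP code in uploads: {rel}")
    for name in plugins_not_in_allowlist(root, allowed_plugins):
        findings.append(f"unreviewed plugin: {name}")
    return findings


def build_sample_install(base) -> Path:
    """Constructed sample install (assumption: names chosen for the demo only)."""
    root = Path(base) / "wp"
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '3.3.1';\n")
    month = root / "wp-content" / "uploads" / "2012" / "03"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff")                 # legitimate media
    (month / "image.php").write_text("<?php echo 'placeholder'; ?>")  # PHP where none belongs
    (month / "note.txt").write_text("<?php /* disguised */")          # PHP tag, wrong extension
    (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "totally-legit-seo").mkdir(parents=True)
    return root


def run_demo(expected_version: str = "3.3.1"):
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_install(tmp)
        return audit(root, expected_version, allowed_plugins={"akismet"})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it against a real install by calling `audit(Path("/var/www/html"), "3.3.1", {...})` with your own allowlist; any finding under `uploads` deserves a look at file timestamps and web server logs, because a PHP file there is the usual footprint of an exploited upload or plugin flaw rather than of a missed core upgrade.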
The malware redirected visitors of a compromised site to a fake AV site that lured them into downloading a Trojan masquerading as an antivirus product.
According to Websense, the fake AV site would pretend to scan the computer and then alarm the user with fake detections of various kinds of Trojans. The page would even display a “Windows Security Alert” dialog box, making it look like a genuine Windows Explorer window.
“The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser,” Websense said.
Scared to hell that they might lose their computers to the detected Trojan, users would see no immediate choice but to download and run the “antivirus tool” to remove the supposedly found Trojans, only to execute the Trojan itself.