10,000+ Hacked WordPress Sites

Check Point Uncovers More Hacked WordPress Sites

Research company Check Point Research reported on their site that they had uncovered more than 10,000 sites compromised in a well-planned "malvertisement" attack that redirected visitors. Each of these 10,000+ websites was powered by WordPress, using an older version of the content management system (CMS) software (4.7.1), which made them vulnerable to Remote Code Execution attacks via JavaScript.

What’s Really Happening?

Visitors to infected websites were redirected to an IP (134.249.116.78). This IP then redirected users to an advertising page that was owned by an Ad Network. Finally, the page redirected to a site containing a malware download.

While redirections such as this are common, Check Point's investigation into the issue uncovered a shocking point: the domain to which visitors were being redirected was actually owned by ad network AdsTerra. This is not the first time that AdsTerra has been involved with something like this: the ad network was involved in the Magnitude Exploit Kit infection chain several years ago.

The further the investigation went, the stronger the connection between AdsTerra and several exploitations became. Unfortunately, many ad resellers (including ExoClick, EvoLeads, and AdventureFeeds) work with AdsTerra to create revenue streams for publishers. This scheme not only infected over 10,000 websites whose owners were otherwise unaware, but also impacted web publishers who were relying on AdsTerra or ad resellers to bring in revenue.

The result is not just a loss of traffic from WordPress-powered sites. Infections like these cast a shadow on ad sellers. Furthermore, professional website and online store owners who fall prey to malvertisements and other malware must work to regain trust from their visitors, not to mention repair their infected sites. If a business's competitor has a website that is secure, visitors may very well prefer to spend their time and money on the competitor's website.

Is There Any Recourse?

It's unclear whether owners of the websites infected by this malvertisement (as well as publishers who use AdsTerra) are even aware of the misuse, which they would need to be before they could begin reparations.

While this particular infection may be preventable if WordPress blog and website owners keep their WordPress core software updated, not everyone does this. In fact, a recent Hacked Website Report prepared by Sucuri indicates that on average nearly 40% of WordPress sites are running outdated code. Plugin incompatibility or simply lack of knowledge can lead to website owners using outdated versions of WordPress. Forgetting to upgrade plugins along with the core is another reason why WordPress is so susceptible to infections.

This also assumes that the current version (of WordPress or a plugin) has no vulnerabilities (and that the WordPress foundation will roll out updates if any are discovered). But being open source means that anyone has access to the source code needed to create a website and can learn how to modify it for their own purposes.
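As an added example (not code from Check Point or from the original article), the script below shows how a site owner could check an install for the two things described above: a core version at or below 4.7.1, read from `wp-includes/version.php`, and files that reference the redirect IP 134.249.116.78. Treating every version up to 4.7.1 as affected is an assumption, and the sample site tree is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

REDIRECT_IP = "134.249.116.78"   # redirect host named in the article
AFFECTED = (4, 7, 1)             # WordPress version named in the article
WEB_SUFFIXES = {".php", ".js", ".html", ".htm"}
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9.]+)['\"]")
IP_RE = re.compile(r"(?<!\d)" + re.escape(REDIRECT_IP) + r"(?!\d)")

def core_version(root):
    """Read $wp_version from wp-includes/version.php; None if unreadable."""
    try:
        text = (Path(root) / "wp-includes" / "version.php").read_text(errors="replace")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "4.7" to (4, 7, 0)

def files_referencing_ip(root):
    """Relative paths of web files whose text contains the redirect IP."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            if IP_RE.search(path.read_text(errors="replace")):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def audit(root):
    """Combine both checks; 'outdated' assumes 4.7.1 and older are affected."""
    version = core_version(root)
    return {"version": version,
            "outdated": version is not None and version <= AFFECTED,
            "ip_hits": files_referencing_ip(root)}

def build_sample_site(root):
    """Constructed sample tree: a 4.7.1 core plus one injected file."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.7.1';\n")
    (root / "index.php").write_text(
        '<?php /* constructed indicator */ $u = "//134.249.116.78/PLACEHOLDER";\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample_site(tmp)))
```

A scan with no hits does not show that a site is clean, because the search only matches the IP written out literally in a file.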

Is it Time to Consider an Alternative to WordPress?

WordPress certainly has appeal as an open source project that anyone can use -- 31% of all websites use WordPress -- but it's just as appealing to hackers looking for an easy target. A vulnerability on one site could provide access to 75 million other sites that form part of the WordPress community.

Indeed, WordPress continues to be the most hacked CMS (and Check Point has reported on this in the past) while some other website builders and content management solutions have even seen a drop in new infections. It might be time to consider whether the WordPress open source software really is a good deal, especially when it can be so costly to maintain in the long run.