Hackers are Using WordPress to Mine for Gold
The world is still in the grips of crypto-fever, and the price fluctuations of crypto markets shake the financial world and central banks regularly. After all, cryptocurrencies are decentralized, anonymous, and have an interesting method of creation - mining.
Since people have to expend tons of processing power in order to mine any cryptocurrency, crypto-mining has become a hotbed for computer hackers. A totally anonymous decentralized currency that uses processing power that you can hack from other computers... That sounds like a pretty perfect form of hacker currency to us.
So, let's dive in and see how hackers are taking advantage of this new currency, and why the WordPress open source project has become the world's hotbed for crypto-mining.
Let's take a quick look at cryptojacking and why it's popular. All of those cryptocurrencies out there, Bitcoin, Monero, Ripple, etc... (feels like there are a million now) share one thing in common - new "coins" are generated using lots of computer processing power.
Peopleuse processing power to solve hyper-complex equations which get more difficult every time they are solved. Each one that is solved, generates a coin. For example, in 2015 it took 343 megawatts of power to solve one of these equations that generated a bitcoin. That's more than 200,000 U.S. households consume daily. Today, that number is likely in the millions.
It's a little more complicated than that. But for the purposes of this post, you now understand why hackers are targeting websites, online stores, WordPress blogs, phones - literally everything to use them for their processing power.
Cryptojacking works by infecting computers with malware that steals processing power from them and uses it to attempt to solve these equations in order to generate some of that cryptocurrency.
It's the new kid on the malware block, and it's big.
How Does Cryptojacking Work
It's complicated, and it depends on the malware being used. Typically, cryptojackers will infect a host website with packets containing malware that use a visitor’s browser to download themselves onto host computers and infect them with malware.
Once the malware is in the host's computer, it borrows (steals) that host's processing power in order to try to solve those equations in order to receive cryptocurrency.
Not only that, it uses your website, not only as a way to infect your visitors, but as another source of processing power.
Essentially, any website owner’s worst nightmare comes true. Your website has become the source of malware being spread to your site visitors.
WordPress and Cryptojacking
WordPress is open source software. Open-source Content Management Systems (CMS) like WordPress are prime hunting grounds for hackers looking to cryptojack resources via malware.
Hackers have been creating massive botnets (tons of infected computers) in the WordPress community for some time, but the recent cryptojacking hype has led to some massive infrastructure leaks in WordPress.
Bad Packets Reports — a massive tech security firm — recently came out with the news that over 50,000 websites were infested with cryptojacking malware.
Not only that, news about popular WordPress plugins containing cryptojacking software has come to light. RiskIQ assessed more than 3,300 WordPress plugins that all showed critical security issues (some even purposefully containing malware.)
Have You Been Infected?
Figuring out if your website has been infected with cryptojacking software is difficult. Besides the fact that the hackers are always one step ahead of WordPress, recent malware packets have become increasingly difficult to detect even with computer security measures in place.
You may need to hire an expensive security firm to do an analysis, or worst case you may need to delete your whole website and start from scratch.
In the event that the damage is already done, there are some steps you can take to recover and fight a crypojacking attack. We suggest you use your favorite search engine to research ways to recover from a cryptojacking attack. Here’s one approach we found in a quick Google search, proposed by SECRITE:
The Web Filtering of your security solution should be used to immediately block and blacklist the offending website from where the cryptojacking malware is being downloaded.
Block browser extensions as you try to understand the attack and the scale of the damage it has caused.
Learn from the attack and put security measures in place so that a similar attack is not repeated. Organize debriefing sessions for stakeholders so that everyone is aware of what happened, the measures taken and what is being done to prevent such a thing again.
In the end, to protect your organization from cryptojacking attacks, it is important to have a robust network security solution in place. Security measures should include network security, management, backup and recovery of data and other critical network services together, optimally under a unified umbrella. If you’re running your website on a shared hosting environment, speak with your hosting provider to understand the measures they’ve put in place.