Phishers are moving beyond automation with phishing kits and Telegram bots: rather than registering new domains, they are hacking existing websites and taking them over to host malicious content.
In an Aug. 14 blog post, Kaspersky researchers said that beyond tucking a phishing page onto the sites they hack, scammers also steal the data on the server, which can completely disrupt a site's operations.
The Kaspersky researchers said that abandoned and infrequently managed websites are popular targets for scammers. While hackers do target more popular sites, the researchers said many lower-traffic sites have no security staff who maintain them and keep to a patching schedule. They are also left dormant for long periods, so nobody checks the site to see what may have been published on it, another major appeal for scammers.
To make matters worse for smaller website operators, W3Tech reports that 43.1% of all websites on the internet are powered by the WordPress content management system. While WordPress itself is very functional, sites typically run numerous plug-ins that operators must keep updated to stay secure. Hackers love finding new vulnerabilities in these plug-ins, and the Kaspersky researchers said they are quick to exploit them.
Basically, hackers are breaking into WordPress websites and using them to trick people into giving away their personal or financial information, explained Mika Aalto, co-founder and CEO at Hoxhunt. Aalto said the scammers exploit weak spots in the website's code or design and then run their own malicious code or access the website's control panel without a password.
“Once they’re in, they can do whatever they want with the website, like adding fraudulent credential harvesting pages, stealing user data, or installing malware,” said Aalto. “To prevent these breaches and subsequent attacks, security teams need to keep their WordPress websites updated, use strong passwords and two-factor authentication, limit login attempts, use a web application firewall, and scan and clean their website regularly.”
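The "scan and clean their website regularly" advice above is the part most small operators never turn into a routine. The script below is an added example written for this article, not code from Kaspersky, Hoxhunt or the WordPress project: it takes a baseline of file hashes while the site is known clean, then flags the indicators a phishing-page injection typically leaves behind (PHP dropped into wp-content/uploads, eval/base64 obfuscation, a password form outside core/theme/plugin code, content under a dot-directory, and any file new or changed since the baseline). The indicator list, directory layout and the sample "compromised" files are assumptions constructed for the demo, so treat the rules as a starting point rather than a complete detection set.

```python
"""Baseline-and-indicator scan of a WordPress document root (added example)."""
import hashlib
import os
import re
import tempfile

# Indicator patterns assumed for this example; they are not from the article.
OBFUSCATION_RE = re.compile(
    rb"(eval|assert|system)\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)
LOGIN_FORM_RE = re.compile(rb"<form[^>]*>.*?type=[\"']?password", re.I | re.S)
# Places where a password form is legitimate in a stock WordPress install.
CODE_DIRS = ("wp-content/themes/", "wp-content/plugins/", "wp-content/mu-plugins/", "wp-admin/")


def file_hashes(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _, names in os.walk(root):  # os.walk descends into dot-directories too
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def scan_wordpress_tree(root, baseline=None):
    """Return a sorted list of (relative_path, reason) findings.

    baseline is a dict from file_hashes() captured when the site was known clean;
    any file absent from it, or whose hash differs, is reported as changed.
    """
    findings = []
    for rel, digest in file_hashes(root).items():
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        if rel.startswith("wp-content/uploads/") and rel.endswith((".php", ".phtml", ".php5")):
            findings.append((rel, "executable code in uploads directory"))
        if OBFUSCATION_RE.search(data):
            findings.append((rel, "obfuscated eval/base64 pattern"))
        if LOGIN_FORM_RE.search(data) and not rel.startswith(CODE_DIRS) and rel != "wp-login.php":
            findings.append((rel, "credential form outside theme/plugin/core"))
        if any(part.startswith(".") for part in rel.split("/")[:-1]):
            findings.append((rel, "content under a dot-directory"))
        if baseline is not None and baseline.get(rel) != digest:
            findings.append((rel, "new or modified since baseline"))
    return sorted(findings)


def build_demo_site():
    """Create a constructed WordPress-like tree: clean baseline, then an injected kit."""
    root = tempfile.mkdtemp(prefix="wp-demo-")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    # Files present when the site was last known clean (constructed stand-ins).
    put("index.php", b"<?php require __DIR__ . '/wp-blog-header.php';")
    put("wp-login.php", b"<?php /* core */ ?><form method=post><input type=password name=pwd></form>")
    put("wp-content/themes/twentytwentythree/style.css", b"/* theme */")
    put("wp-content/uploads/2023/08/photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    baseline = file_hashes(root)

    # Constructed post-compromise changes: web shell, hidden phishing page, tampered upload.
    put("wp-content/uploads/2023/08/cache.php", b"<?php eval(base64_decode($_POST['x'])); ?>")
    put(".well-known/secure-login/index.html",
        b"<html><form action=post.php method=post>Email <input name=u> "
        b"Password <input type=password name=p></form></html>")
    put("wp-content/uploads/2023/08/photo.jpg", b"\xff\xd8\xff\xe0 replaced")
    return root, baseline


def demo():
    """Run the scan against the constructed site and return its findings."""
    root, baseline = build_demo_site()
    return scan_wordpress_tree(root, baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45} {path}")
```

Run against a real docroot, call file_hashes() once after a clean install or a verified cleanup and store the result somewhere the web server cannot write; run scan_wordpress_tree() from cron and alert on any finding. The baseline check is what catches a phishing page dropped as plain HTML with no obfuscation at all, which the pattern rules alone would miss.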
Casey Ellis, founder and CTO at Bugcrowd, said while WordPress is easy to update in terms of content, it also assumes a baseline level of technical competence and knowledge and the vast majority of bloggers and small business owners who run WordPress sites are not cybersecurity experts. WordPress certainly needs updating on a consistent basis, especially if the business has a website that has a number of plug-ins and third-party code, said Ellis.
“My general advice after someone gets their WordPress site hacked is to migrate it over to a SaaS host where security maintenance and hygiene are outsourced to a third-party,” said Ellis. “Implementing a third-party web application firewall in front of the website can prevent a range of attacks, and implementing — at a minimum — a vulnerability disclosure program to allow good-faith hackers to let you know if they identify an imminent risk is simple to implement and puts your website ahead of many others which are out there.”
Roy Akerman, co-founder and CEO at Rezonate, said the Kaspersky research highlights the vulnerability of smaller websites, noting that hackers target them because of user tendencies to reuse passwords across platforms. Akerman said this habit lets hackers “laterally move” and access multiple assets using a single compromised password.
“Site owners should delegate credentials management to established players like Google or Microsoft, employ robust monitoring for any access anomalies, and maintain open communication with users about potential security issues,” said Akerman.
Rom Eliahou, director of business development operations at BlueVoyant, said traditionally, phishers register a lookalike domain resembling the target's name, and then host the impersonating content on it. As this method has become well-known and is heavily monitored by security vendors, Eliahou said attackers seek cheap and easy alternatives, and using a compromised domain is one of them.
“The compromised, existing domains essentially leave no trace as vendors are largely examining the newly created domains to ensure they are safe — there aren't a ton of resources poured into ensuring that the previously established domains are still safe,” said Eliahou.