The Latest in IT Security

Is WordPress.com SPAM Campaign Due to Compromise?

17
Oct
2012

Sucuri – At this point it’s unclear of the severity, as WordPress.com has not released anything public, but I would say the odds are not in their favor.

The Hacker News (THN) put out an article this morning titled: 15000 WordPress Blogs Hacked For making Money From Survey.

Naturally my first reaction was, meh, it’s likely a fluke of some kind, but as I read it I became more suspicious. It all started with this email:

Because of the Phishing attempt on .ORG users about 6 months ago, I couldn’t help but think the same here, until you run this on Google Search:

site:wordpress.com “Im getting paid!”

Go ahead and open Google Search and run that search, you’re likely to get something like this:

If you compare to what THN provided, it’s a few thousand less than originally reported, but still an impressive result. Why impressive? Well, for 12,000 – 15,000 blogs to all of a sudden share a similar post in a shared environment is highly unlikely. It quickly fails the sniff test.

If you click on most of the links they’re all quickly being shut down, but there are still a few live ones. They all seem to have been posted on the 14th/15th of this month, and most seem to refer back to the following site that we have long since blacklisted:

Something Doesn’t Smell Right

Obviously we don’t work at Automattic, the company behind WordPress.com, but we sure do look forward to learning more of this incident.

For those on WordPress.com, I would offer the advise of going in and updating your credentials, but here is the fact of the matter – The odds that your account was compromised via one of your user accounts is highly unlikely.

Own one, own them all!

If I were doing the attack, I would find a way into the environment and figure out a way to touch every server. The feature is obviously already there, it’s how they’re all managed; if I’m not mistaken, it’s just one big Multisite configuration. You find the mechanism that touches each site, compromise that, embed a shell that allows you to own it, and cover your tracks. Whatever that replication and communication process is, I assure you it exists and yes we’ve seen it before.

That being said, the email is then a bit misleading and this is why:

It implies that the users credentials were compromised.

OK, that’s fair, but the question is how? It’s highly unlikely it was a brute-force against the login page. Just not realistic if I know the .COM configuration. Surely they have mechanisms in place to avoid BruteForce on the login page, right?

Assuming they do, then that means if the credentials were compromised, it happenened in an internal component, and likely from a database dump of some kind. Running a few tools like CAIN or JohnTheRipper could easily crack the default DB storage hash implemented for passwords. Then again, that’s if it were credentials, right?

There are a lot of identical posts across various websites coming up in Google, is it safe to assume a common user was used with enough privileges to post across all sites? Interesting, don’t you think?

If any of you hosts with WordPress.com, and can share more details, that’d be pretty awesome.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments