Is your Web Site a prime target for Cyber-Criminals?

Nov 5, 2014

Blogging became popular around 1999 with the arrival of platforms that facilitated publication of content to the web by non-technical users. WordPress was such a platform and quickly became the most popular of its kind with more than 74 million web sites using it today. Although initially created to make blogging easier and convenient, it is used today by organizations of all sizes to manage content for their web sites. Cyber-criminals took notice and saw an opportunity to expand their operations by developing methods and tools to effortlessly hack WordPress sites for huge profits.

In October 2014, an analysis from the security firm Proofpoint revealed that half a million systems became infected by Qbot by visiting hacked WordPress web sites. Qbot is a malware that monitors user internet sessions and records online banking traffic to steal credentials.

Captured banking credentials are extremely profitable for cyber-criminals since they can be used to transfer funds overseas and, to date, more than 800,000 online banking transactions with all major United States financial institutions were recorded by the malware and sent back to a Russian cyber-crime group. In 2010, a group of 37 individuals were indicted for a similar international cyber-crime operation which was responsible for illegally transferring $3 million in stolen funds.

With the goal of generating the greatest profits by minimizing costs, today’s cyber-crime operations are managed like well-oiled businesses. Which such a high adoption rate for WordPress, investing in hacking tools research and development for this platform was a no-brainer.

Although the last version of the platform is secure, it can still be vulnerable to cyber-attacks due to its system of multiple open-source plugins created by individual developers around the world. Plugins are modules developed by third party software firms or individuals, which can be deployed in a WordPress web site to easily add functionalities such as web contact forms, email newsletters and image galleries. Unfortunately, those modules are often developed with little or no consideration for secure software coding practices, often because of short time-to-market practices that are driven by an extremely competitive environment. Over time, cyber-criminals find and exploit vulnerabilities in the most commonly used plugins in order to quickly hack a large number of WordPress web sites.

Between May and July 2014, the security firm Sucuri found critical security vulnerabilities in four commonly used plugins. These particular plugins had already been downloaded more than 20 million times by WordPress web site operators.

A window of opportunity exists for cyber-criminals to exploit vulnerabilities before security patches are made available (if at all) by plugin developers. The less ­popular plugins are often abandoned, leaving web sites using them unknowingly exposed and without easy solutions.

Plugin vulnerabilities combined with a lack of awareness and implementation of basic security practices for site management leave organizations exposed to unknowingly becoming a conduit for cybercrime operations. Moreover, compromised web sites can be used as a stepping stone for cybercriminals to penetrate other systems within the organization’s network and cause ever more serious damage.

Although groups targeting WordPress web sites today are mostly interested in infecting visitors with malware, organizations storing information that can be monetized, such as credit card data or highly sought after intellectual properties, should not exclude the risk of a data breach.

How can organizations protect themselves against cyber-attacks targeting their web sites? A good first step would be to identify the development software. Next, a security audit specialized in identifying its particular vulnerabilities should be executed to pinpoint and prioritize areas of improvement according to their level of risk. Common areas of improvement for organizations include deploying security patches in a timely fashion, improving software configurations to protect against common cyber-attacks, and putting in place continuous monitoring to quickly detect and respond to cyber-intrusions.

A security audit should be able to quickly identify if a web site is already ­compromised and distributing malware to its visitors. It should also be executed at regular intervals to measure improvements and ensure that the security practices in place continue to be effective against the latest cyber-attacks.

Martin Verreault CISA-CRISC-CCSK-ITIL, is an Information Security Advisor at EGYDE – Information Security.
© FrontLine Security 2014