WordPress Phishing: Target of Cybercriminals Worldwide

WordPress phishing attacks are now commonplace, with the sites a target for cybercriminals worldwide. WordPress and phishing now go hand in hand. WordPress sites are being used by cybercriminals to obtain a wide range of sensitive data from users. In some cases, those sites are created by cybercriminals. In other cases, vulnerabilities in WordPress sites are leveraged and new content is created – content that captures users’ information. Exploit kits that download malware are also loaded onto the sites.

Today’s technical press was full of headlines about the recent WordPress updates, for example eWeek’s “WordPress 4.01 Updates Millions of Sites for 8 Flaws”.

The WordPress.org website describes the latest WordPress 4.0.1 Security Release as a “Critical security release for all previous versions” and says we “strongly encourage you to update your sites immediately.”  According to the release, all versions of WordPress are affected by a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site.

At PhishMe this is not big news. In fact, it’s not really news at all. Why? Well, we know that the great thing about WordPress is that the platform makes it quick and easy for any user to make a website! We also know that the worst thing about WordPress is that it makes it quick and easy for any user to make a website! Not only does it make it very quick and easy for cybercriminals to make new WordPress sites, the platform is also used by legitimate users to create a site that they then forget about maintaining. Having a website and then choosing not to maintain it, or perhaps not knowing enough about web security to be capable of maintaining it, is actually a very dangerous thing.

When people ask us about WordPress, we often tell them a story. Once upon a time, in the summer of 1983, my brother John and I went hiking in northern Michigan with a couple of Eagle Scout friends of ours called Philip and Michael. We assured our parents we would be safe in the woods for a week by ourselves; after all, our friends were Eagle Scouts! As we were hiking, dozens of miles from the nearest paved road, we came across a small shed in the woods, and inside the shed was a shotgun and a big box full of shells!

Being extremely responsible children, we of course notified the nearest authorities (ahem).

Having a WordPress website and failing to maintain it is exactly the same, in cyber terms at least, as leaving a loaded shotgun unattended on your front porch in a neighborhood full of curious teenagers. A dramatically high number of websites that are compromised and then used to distribute malware, to host malware C&C servers, and to host phishing webpages are made malicious as a result of carelessness by webmasters. Essentially the same as leaving a loaded gun on the porch or going on holiday and leaving the front door wide open.

When a curious teen or a convict picks up the gun and does harm to people, or when the house is burgled, it is easy to say “It wasn’t my fault!  I didn’t know!”  But perhaps we should start educating webmasters so they know that is not a valid excuse. Since we now know that cybercriminals target WordPress sites, leaving the sites with known vulnerabilities is nothing short of negligence. Your website could easily be turned into a WordPress phishing site if vulnerabilities are left unaddressed. Your site may also be used to infect all of your customers with malware.

How often does this really happen? One way to find many of these WordPress phishing sites is to look at the URL used in a phishing attack for evidence that it is a WordPress site. Many of these phishing attacks take the form of a Remote File Inclusion attack, which often allows the attacker to inject their phishing content into a subdirectory of either the “wp-admin” directory or the “wp-content” directory.

We ran some searches through our threat intelligence system to find out how many such pages we’ve seen. Just today there were:

  • Alibaba phish on “bluribbon.com/wp-admin” and “ambitionthekid.com/wp-admin/”
  • credit card phish on “resepmasakanalaindonesia.com/wp-includes”
  • TD Bank phish on “mariabobrova.com/wp-content/” and “jaw-photo.com/wp-content/”
  • generic email phish (AOL/Google/Microsoft/Yahoo) on “osiedlaimiasta.pl/wp-includes/” and “mariogavazzi.it/wp-content”
  • Paypal phish on “deluxetravelviajes.com/wp-content/”
  • Standard Bank phish on “woodsidenylawyer.com/wp-admin/”
  • AOL phish on “arkansaswebsiterentals.com/wp-content/”
  • Yahoo phish on “fenwaymarketing.com/wp-content/” and “pierrefauchard.com.br/wp-content/”
  • MayBank2U phish on “cascalhoriopreto.com.br/wp-admin/”
  • Halifax phish on “ics.com.ph/wp-admin/”
  • Royal Bank of Canada on “ohtleathercrafts.com/wp-content/”
  • Bank of America phish on “secureserver.net/~cables/wp-admin/”
  • BT.com phish on “accionpreventiva.cl/wp-content/”

And the business day is only half-way done!

Since January 1, 2014 we have seen:

  • 12,416 confirmed phishing URLs that contained the string “wp-content”
  • 6,054 confirmed phishing URLs that contained the string “wp-includes”
  • 4,255 confirmed phishing URLs that contained the string “wp-admin”

Those URLs were on 6,627 different domain names on 4,947 different IP addresses, at 164 different hosting companies. Sadly, the statistics make it clear that WordPress phishing websites tend to be clustered at hosting companies that offer cheap hosting with poor technical support. Often this is the result of “resellers” who use servers in those hosting company data centers to offer even cheaper webhosting deals with even poorer technical support.
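The triage described above (looking at a phishing URL for a WordPress directory marker, then counting matches by marker, domain, IP and hosting company) can be automated in a few lines. The following is an added example, not PhishMe’s threat intelligence system or any code from the original post; the URL feed, IP addresses, and hosting-company names it uses are constructed sample data on reserved example domains.

```python
"""Flag phishing URLs that point into WordPress directories and aggregate them.

Added example; the feed below is constructed, not real threat-intelligence data.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Directory names that identify a WordPress install (the three strings the post searches for).
WP_MARKERS = ("wp-admin", "wp-content", "wp-includes")

# Constructed sample feed: (phishing_url, resolved_ip, hosting_company).
# Domains use reserved example TLDs and IPs come from documentation ranges.
SAMPLE_FEED = [
    ("http://shop.example.com/wp-content/uploads/2014/11/login/index.php", "192.0.2.10", "HostA"),
    ("http://blog.example.net/wp-admin/css/paypal/", "192.0.2.11", "HostA"),
    ("http://blog.example.net/wp-includes/js/secure/verify.html", "192.0.2.11", "HostA"),
    ("http://news.example.org/signin/", "198.51.100.5", "HostB"),
    ("http://cdn.example.org/WP-CONTENT/themes/bank/", "198.51.100.6", "HostB"),
    ("not a url", "", ""),  # malformed feed entry; must not crash the run
]


def wordpress_marker(url):
    """Return the first WordPress directory marker found as a full path segment, or None.

    Only path segments are checked (case-insensitively), so a marker hidden in a
    query string or hostname does not count; a URL without a host is ignored.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if not parts.netloc:
        return None
    for segment in parts.path.split("/"):
        if segment.lower() in WP_MARKERS:
            return segment.lower()
    return None


def summarize(feed):
    """Count matches per marker and distinct domains/IPs/hosting companies among matches."""
    per_marker = Counter()
    domains, ips, hosts = set(), set(), set()
    host_to_domains = defaultdict(set)
    for url, ip, host in feed:
        marker = wordpress_marker(url)
        if marker is None:
            continue
        per_marker[marker] += 1
        domain = urlsplit(url).hostname
        domains.add(domain)
        ips.add(ip)
        hosts.add(host)
        host_to_domains[host].add(domain)
    return {
        "per_marker": dict(per_marker),
        "domains": len(domains),
        "ips": len(ips),
        "hosting_companies": len(hosts),
        "domains_per_host": {h: len(d) for h, d in host_to_domains.items()},
    }


def hosts_over(summary, threshold):
    """Hosting companies with more than `threshold` distinct hacked domains (the post uses 100)."""
    return sorted(h for h, n in summary["domains_per_host"].items() if n > threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_FEED)
    print(report)
    print("hosts over 1 domain:", hosts_over(report, 1))
```

The marker must be a whole path segment, so a query parameter or a hostname containing “wp-admin” is not counted; that keeps the false-positive rate low when the feed is large, at the cost of missing phishing pages served from a renamed WordPress directory.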

Our checks showed six hosting companies had more than 100 domains hacked using a WordPress Remote File Inclusion attack — and five of those are in the United States!

We can’t put all the blame on the hosting companies. Many of them are providing “do-it-yourself” web services where the webmasters have chosen to NOT do-it-themselves when it comes to security!

Do you know a WordPress webmaster?  If so, make sure you share this article with them and have them upgrade by following the WordPress 4.0.1 Security Release guidance. If you do, you are helping to keep all of us safer from WordPress phishing attacks and malware downloads from WordPress sites!

Cridex Malware Authors Warn Lloyds users of Dyre

PhishMe malware researchers have been helping you protect your network by sharing information about the Dyre Trojan and Cridex malware on a daily basis for several months; however, in that time we have not seen any actions as bold as those used by the Cridex malware authors today.

Dyre is the current top banking Trojan being distributed by email, and it poses a significant threat to businesses and consumers. The Trojan steals credentials and the attackers use that information for financial fraud.

Threat Analyst Neera Desai let us know about this new threat from today’s Cridex attack, which uses a malicious Microsoft Word document to infect victims by pretending to be a Failed Fax Transmission.  On November 17, 2014, we received approximately 1,000 copies of this spam message before noon. The sending domain in the ‘From’ field was “interfax.net” in all of those samples.

Here’s the thing we’ve never seen before – A warning about Dyre malware FROM THE AUTHORS OF THE CRIDEX MALWARE!  If – and only if – you are infected with this version of Cridex malware, and you visit a website at www.lloydsbankcommercia.com, you will receive the following pop-up message when you visit LloydsLink.  PhishMe analysts spoke with Lloyds and learned that the message being propagated by Cridex malware was previously used on the Lloyds website in a now discontinued security advisory, but confirmed that if someone is seeing that message now it is a sign of a Cridex malware infection.

The security warning displayed to users that have been infected with Cridex malware is as follows:

21 October
Lloyds Banking Group is aware that the Dyre malware (also known as Dyreza) is currently actively targeting financial institutions across the UK including customers of LloydsLink online.

This is not a vulnerability within LloydsLink online but malware that resides on infected computer systems designed to steal user log-in credentials.

We recommend you:

1. Work with your IT security providers to confirm that your anti-malware solution is capable of detecting and removing the very latest variants of Dyre.
2. Carry out comprehensive scans of any systems used to access LloydsLink, as well as any other financial service institution or financial orientated software that you use and transact on.
3. Change Passwords and memorable information, following the comprehensive scans of your systems.

Please remember it is important to check all beneficiary details, especially bank sort codes and account numbers, before creating and approving all payments.
For more information on protecting your payments please visit our Security Centre.


Protect against viruses
Use anti-virus software and ensure that it is kept up to date – this should protect your computer against the latest viruses
Use up-to-date anti-spyware software to protect against programs that fraudsters can use to collect information about your Internet usage

Keep your software up-to-date

Occasionally publishers discover vulnerabilities in their products and issue ‘patches’ to protect against any security threats. It is important that you regularly visit the website of the company which produces your operating system (e.g. Windows XP) and browser (e.g. Internet Explorer) to check for any patches or updates they may have issued.

While it would appear that the content above is being provided by Lloyds, that is not the case. The content is being pushed into your browser by the Cridex malware in what is known as a “web inject”. The web inject occurs if the malware senses that a user is visiting Lloyds commercial banking services.

Astute network monitoring professionals will want to watch for network traffic to the IP addresses and Both addresses are hosted on OVH France, a network that has great loyalty from the criminals behind this malware.

While nearly 300 other banks are also specifically targeted by this version of Cridex, the only other one with a special “web inject” pop-up message from the criminals is Barclays Bank. Its customers receive this special message:

Your security obligations
Due to our recent security changes you should keep your smart card inserted in your card reader.
This security message will appear periodically.
Please tick the box to acknowledge these security obligations.

In addition to many UK-based banks, banks in Austria, Belgium, Bulgaria, Germany, Hungary, Ireland, Indonesia, Israel, Italy,  India, Malaysia, Netherlands, Norway, Qatar, Romania, Singapore, Switzerland, United Arab Emirates, United States of America, and Vietnam have also been targeted.

Several companies offering services to small and regional banks and credit unions are also being targeted, including CardinalCommerce, Electracard.com, ElectraPay.com, and Enstage.com.

PhishMe Intelligence subscribers can review further details of this attack online under Threat ID 2361.

Three Ways Reporter Can Enhance Your Incident Response Process

Most of us have been in an airport and heard the announcement over the loudspeaker: “If you see something, say something.”  The airport has security personnel; however, their agents cannot be everywhere at once.  They collectively rely on travelers passing through the airport to be their eyes and ears in places agents cannot be.  In this way, as an airport traveler, you are a “sensor” watching for, detecting, and alerting on suspicious behavior such as unattended luggage.

What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a data breach by reporting suspicious email. The key to unlocking this valuable source of threat intelligence is to simplify the reporting process for employees, and to measure the results of your program to prioritize reports from savvy users.

New Whitepaper: “Evolution of a Phish: Phishing Delivery Mechanisms”

Phishing and malware techniques have been evolving since the time they were detected, conceptualized and recognized. Even though the malware payload or a phishing website URL is considered as the most important part from a detection and prevention perspective, we have observed a number of changes within the past few months in the phishing delivery mechanisms.

Our new whitepaper, “The Evolution of a Phish: Phishing Delivery Mechanisms,” covers an example of how obfuscation and file creation changes the detection process, and examines how attackers have gone from using simple malicious file uploads to more advanced techniques such as hiding a malicious file or link in plain sight.

Over the past few months, Ronnie Tokazowski has analyzed various malware campaigns that have used phishing as the delivery method. The malware has evolved from attachments to links to third-party websites such as Dropbox. He’s also provided in-depth analysis of Dyre, which used a fax-themed phishing email similar to the one discussed in the whitepaper.

The interesting trend, however, is not that both phishing campaigns used similar themes, but the underlying methods of how attackers are trying to evade detection, and how there is no way to test the file until and unless the file gets formed in the browser. As an industry, we must acknowledge the reality of this evolution, and understand that new delivery mechanisms will continue to challenge all defense layers. This reality makes the last line of defense – employees – essential.

Download the Whitepaper


PhishMe Selected as a 2014 SINET 16 Innovator

CHANTILLY, Va., Nov. 4, 2014 – PhishMe® Inc., the leading provider of security behavior management solutions that develop employees into a layer of human security sensors against spear phishing, malware, and drive-by attacks, today announced that it has been selected as a SINET 16 Innovator for the second consecutive year. As a member of this prestigious group, PhishMe will present its solutions to representatives of the world’s largest industry and government organizations at the SINET Showcase 2014 event on December 4, 2014 at the National Press Club in Washington, D.C. The Security Innovation Network™ (SINET) is an organization focused on advancing cybersecurity innovation through public-private collaboration.

Two Attacks… Two Dyres… All Infrastructure

Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)


Figure 1 — First wave of Dyre