Welcome to Tales from the (not so) Secure Web – an ongoing roundup of major security issues from around the web. Sorry for all the #doomandgloom.
A big sigh of relief
A WordPress vulnerability reported to the WordPress security team over seven months ago was finally patched on July 5, 2018 in WordPress 4.9.7 (serious phew!). The bug let any user with privileges as low as Author delete arbitrary files in the WordPress installation. In case that wasn't bad enough, deleting the right files (wp-config.php or .htaccess, for example) lets the attacker circumvent security measures that depend on them and ultimately execute code on the server. If you manage a site, confirm it is on 4.9.7 or later.
Size doesn’t matter
According to a SiteLock security report, no site is too small to hack: the average site is attacked around 50 times a day! Many of these attacks target the site's visitors rather than the site itself, trying to harvest personal information, mine cryptocurrency in their browsers, or manipulate search engine rankings.
Cryptomining and punctuation
A cryptojacking campaign using CoinImp (a competitor of the notorious in-browser cryptominer CoinHive) has been exploiting a little-known quirk of DNS naming: a domain name may end in an optional final period, as in www.domain.com. ← see the extra period at the end? The trailing dot marks a fully qualified domain name, so the resolver treats www.domain.com. and www.domain.com as the same host, while security tools and blocklists that compare domain strings literally may not recognize the dotted form. This campaign targeted a vulnerability in Drupal sites that was patched on June 6. Sucuri also spotted attacks that inject scripts into WordPress database tables to replace Google ads with ads from alternative networks.
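To show why the trailing dot works as an evasion, here is an added example (not code from the original post or from Sucuri) of a naive domain blocklist check next to a hardened one that canonicalizes the hostname first. The sample script tags, the small `hostFromUrl` helper and the blocklist contents are constructed for illustration; only the domain names of the two miners come from the post.

```javascript
// Added example: trailing-dot (FQDN) evasion of a string-matching blocklist.
// The blocklist and sample script URLs below are constructed for this demo.
const BLOCKLIST = ["coinimp.com", "coinhive.com"];

// Minimal host extraction from a script src: optional scheme, "//",
// optional userinfo, then the host (stops at port, path, query or fragment).
// Hypothetical helper, written for this example.
function hostFromUrl(src) {
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/(?:[^@/?#]*@)?([^/?#:]+)/i.exec(src.trim());
  return m ? m[1] : null;
}

// Naive check: compare the host string as-is against the blocklist.
// "www.coinimp.com." does not equal "www.coinimp.com" and does not end
// with ".coinimp.com", so it slips through.
function naiveBlocked(host) {
  return BLOCKLIST.some(d => host === d || host.endsWith("." + d));
}

// Canonical form: lowercase and drop the trailing dot that marks the DNS
// root label. The resolver already treats both spellings as the same host.
function canonicalHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Hardened check: canonicalize before matching.
function blocked(host) {
  return naiveBlocked(canonicalHost(host));
}

// Constructed sample of script srcs as they might appear in an injected page.
const SAMPLE_SCRIPT_SRCS = [
  "https://www.coinimp.com/scripts/min.js",
  "https://www.coinimp.com./scripts/min.js",  // trailing-dot evasion
  "//COINHIVE.COM./lib/coinhive.min.js",       // upper-case plus trailing dot
  "https://cdn.example.org/jquery.min.js",      // benign
];

// Run a check over the sample and return the srcs it flags.
function scan(srcs, check) {
  return srcs.filter(s => {
    const h = hostFromUrl(s);
    return h !== null && check(h);
  });
}

console.log("naive:", scan(SAMPLE_SCRIPT_SRCS, naiveBlocked));
console.log("canonical:", scan(SAMPLE_SCRIPT_SRCS, blocked));
```

The naive scan flags only the undotted CoinImp URL; the canonicalizing scan flags all three miner URLs. Any detector that keys on hostnames (web application firewalls, content security policy reports, log searches) needs the same normalization, or it will miss the dotted form.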
The Red Hen restaurant steeped in Trump-related controversy had its site hacked in June; visitors were redirected to Viagra sites and the like. The site runs on WordPress. Surprised?
The jealous malware type
One more reason to keep your site protected: if you don't, the BabaYaga malware will do it for you! Yes, you read that right. This malware is the jealous type: it removes all other malware on your site and even updates your WordPress installation to hide its tracks. When the jealous rampage is over, the malware injects affiliate links into the site, and if a visitor buys something through them, the hackers make a profit too.
Apparently, Ticketfly ran 400 to 500 WordPress sites that weren't being kept up to date. What could possibly go wrong?! Here's how it ended: 26 million users had their details leaked, and a bitcoin may have changed hands. Update all the things, people! Or use Strattic (hint, hint).
Chrome 68 rolled out this week, and the new version marks every site served over plain HTTP as "Not secure". Google is not so subtly motivating site owners to serve their sites over HTTPS with a valid TLS (SSL) certificate. Here's a look at how non-HTTPS sites now appear in the address bar.
Apparently you can still use the password "password" on Amazon, Reddit, and other top websites. Not great. It's been said again and again, but just in case: use strong, unique passwords everywhere!
Interested in hearing more about #rainbowsandsunshine instead of #doomandgloom? Feel free to contact us at firstname.lastname@example.org.
Tags: doomandgloom, hacked, hackers, malware, security, WordPress