{"id":14931,"date":"2019-03-26T08:10:03","date_gmt":"2019-03-26T16:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/26\/news-8680\/"},"modified":"2019-03-26T08:10:03","modified_gmt":"2019-03-26T16:10:03","slug":"news-8680","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/03\/26\/news-8680\/","title":{"rendered":"Plugin vulnerabilities exploited in traffic monetization schemes"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 26 Mar 2019 15:00:00 +0000<\/strong><\/p>\n

In their\u00a0Website Hack Trend Report<\/a>, web security company Sucuri noted that WordPress infections rose to 90 percent in 2018. One aspect of Content Management System (CMS) infections that is sometimes overlooked is that attackers not only go after the CMSes themselves\u2014WordPress, Drupal, etc.\u2014but also third-party plugins and themes.<\/p>\n

While plugins are useful in providing additional features for CMS-run websites, they also increase the surface of attack. Not all plugins are regularly maintained or secure, and some are even abandoned by their developers, leaving behind bugs that will never get fixed.<\/p>\n

In the past few months, we have noticed threat actors leveraging several high profile plugin vulnerabilities to redirect traffic toward various monetization schemes, depending on a visitor\u2019s geolocation and other properties. The WordPress GDPR<\/a> compliance plugin vulnerability, and the more recent Easy WP STMP<\/a> and Social Warfare<\/a> vulnerabilities are a few examples of opportunistic attacks quickly adopted in the wild.<\/p>\n

Redirection infrastructure<\/h3>\n

Hacked websites can be monetized in different ways, but one of the most popular is to hijack traffic and redirect visitors toward scams and exploits.<\/p>\n

We started looking at the latest injection campaign following the notes from Sucuri’s blog post about the Social Warfare zero-day stored XSS<\/a>. According to log data, the automated exploit attempts to load content from a Pastebin paste<\/a>, which can be seen below. The obfuscated code reveals one of the domains used by the threat actors:<\/p>\n

\"\"<\/a><\/p>\n

Pastebin code snippet used in automated attacks against vulnerable plugins<\/p>\n<\/div>\n

Our crawlers identified a redirection scheme via the same infrastructure related to these recent plugin hacks. Compromised websites are injected with\u00a0heavily obfuscated code that decodes to\u00a0setforconfigplease[.]com<\/strong><\/em> (the same domain as found in the Pastebin code).<\/p>\n

\"\"<\/a><\/p>\n

Obfuscated code injected into hacked site<\/p>\n<\/div>\n

The first layer of redirection goes to domains hosted on\u00a0176.123.9[.]52<\/em><\/strong> and 176.123.9[.]53<\/em><\/strong> that will perform the second redirect via a .tk domain. Denis from Sucuri has tracked the evolution and rotation of these domains during the past few days.<\/p>\n

\n

New domain used in the "Easy WP SMTP" and "Social Warfare" (and some other) attacks \u2014 redrentalservice[.]com \u2014 registered 2019-03-21. Replacement for setforconfigplease[.]com (registered on March 4). https:\/\/t.co\/2RWVxhLrfb<\/a> and https:\/\/t.co\/lqse0IwR61<\/a><\/p>\n

— Denis (@unmaskparasites) March 22, 2019<\/a><\/p>\n<\/blockquote>\n