Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

The Forbes Hack and How Your Visitors are Targets Too

This entry was posted in Research, WordPress Security on February 11, 2015 by Mark Maunder   26 Replies

I spent a few days last week in Washington DC chatting to new and old friends in aerospace, many well known cybersecurity vendors and folks in the intelligence community. The level of sophistication of attacks we’re seeing is rising at an incredible rate. It’s tough to watch as an industry insider because I don’t think it bodes well for an open Internet. But that’s a different conversation.

What I want to share with you today is a report released this morning on the Forbes.com attack. This was a “watering hole” attack where Forbes.com was hacked so that the attackers could install malware which then targeted visitors to the site – specifically the real target of the attack which was employees at defense contractors and banks. The hope was that the malware on the site would install itself on site visitor workstations, giving the attackers access to bank and defense contractor internal networks.

There are two sources you can get details from and they have very different tones which I’ll clarify in a moment. Forbes themselves covered the attack on their site yesterday evening.

Invincea who were involved in detecting the zero day exploits used in the attacks have also released a report (along with iSight Partners) within the last few hours which you can find here.

First a note on the differences in the reports and then what this attack means for WordPress publishers. [Edit: To clarify – WordPress as far as I’m aware was not targeted in this attack. Watering hole attacks are relevant to WordPress publishers which is why the comparison.]

Invincea and iSight partners were the two research firms involved in detecting and attributing the attack to the Chinese (aka APT or Advanced Persistent Threat if you’re outside the industry). They describe the attack as using multiple zero day vulnerabilities which is very impressive. It’s rare that zero day exploits are used in an attack because they’re the kind of weapon you can only use once. As evidenced by this attack, once the zero days were used they were patched by Adobe and Microsoft within days. So among hackers, zero days are very precious commodities and are only used when a hacker is very motivated to attack a target.

In this case multiple chained zero days were used which is extremely rare, or as Invincea describes it, a Unicorn in cybersecurity.

Invincea and iSight have attributed the attack  to a Chinese espionage group called Codoso. Attribution in our industry is very controversial and there is a debate raging right now among researchers, vendors and the intelligence community about whether it’s even possible to reliably attribute attacks this way. The Forbes article casts doubt on attribution in the first paragraph. Vendors love attributing attacks and their sources and methods are usually kept secret so it becomes difficult to refute the attribution.

Forbes were the victim in this case and they’re trying to downplay the attack without being inaccurate. They are casting doubt on the attribution and describe the attack as: “Anyone who was running on any Windows OS above XP and using browsers other than Internet Explorer should have been safe, though targets using other systems could have been affected.”

Invincea on the other hand describe the attack as targeting defense and financial services firms using multiple chained zero day vulnerabilities.

If Forbes is to be believed, we don’t know who did the attack and if you were running new software you were safe. If Invincea are to be believed, Chinese spy’s just targeted our banks and military by hacking on of the busiest websites in the world and using previously unknown exploits. I think you see the tension within the infosec community that I mentioned.

So how does this affect WordPress publishers?

You’ve probably connected the dots already. WordPress site owners are publishers just like Forbes and we all use one of the most popular publishing platforms in the World. Many of our readers work at banks and for defense contractors and other interesting targets. We are the prime target for watering hole attacks like this. All an attacker needs is a wide-spread zero day vulnerability in a plugin which would allow them to exploit your site and install malware which would infect your visitors. The attacker can then go after their true target which is the internal networks of your site visitors.

Take a moment to think about who visits your site and how much protecting their network matters to you as a WordPress site owner. This is why it’s critically important that you keep your WordPress site secure. As a vendor, we recommend installing Wordfence Premium as your first step, doing a full scan and enabling two factor authentication and regular scans to verify your site is clean. As someone who cares about the WordPress community and their site visitors, I would recommend taking a deep interest in your site security as a general approach to helping protect your site visitors and your investment.

I’d like to hear more about who visits your site and whether you think they may be a target of these kinds of attacks, so please feel free to post in the comments. Note that I have comment approval enabled but I usually have most comments approved within an hour of posting at the latest.

Please share this to help create an awareness of our responsibilities as publishers and that it’s not just ourselves we’re protecting when keeping our WordPress sites secure.

~Mark Maunder @mmaunder

Did you enjoy this post? Share it!

26 Comments on "The Forbes Hack and How Your Visitors are Targets Too"

Nicholas February 11, 2015 at 1:23 pm

It seems like these attacks are a global attempt to force countries to "close" the internet to "big brother" all for an alleged safer web experience.

Jerry February 11, 2015 at 1:34 pm

It's to protect the children, right?

Ted Sudol February 11, 2015 at 1:36 pm

The security of my visitors is very important to me because I don't know about others but if a site is suspect I tend not to ask questions but just I avoid it. So I would rather have visitors secure than have to apologize and hope my audience stays with me. Hacked websites can also be very time consuming to repair. So I recently installed the free version of Wordfence and like the way it both actively protects my site and also notifies me of problems.

One of the big access points for hackers my hosting company identified was out of date plugins. When I took a look at the details for all of the plugins on all of my sites I was amazed at how many had not had any development or been updated in 1, 2, 3 or even more years. I had assumed that just because I had updated all the plugins I was OK.

Recently Wordfence has been notifying me that there are differences between my plugin files and the ones in the Wordpress repository. How can this be - what happened it is the same plugin, same version that Word Fence said was OK yesterday and today it says there are differences. I have not updated the plugin and Wordpress has not said there is now an updated version of the plugin. So how does Word Fence identify today as suspect something that yesterday it passed?

What do you think about the safety of so called Multisite plugins and services that say they will allow you to manage all of your Wordpress sites from one panel. The fact that it would make my life a lot easier appeals to me but I am also a little hesitant because it seems to me that if hackers can find an opening through that they have the key to all of your sites.

Also can you more clearly explain the advantages of the premium version of Wordfence.

Thanks in advance for your help.

All the best,
Ted Sudol

mark February 11, 2015 at 1:49 pm

Hi Ted. Wordfence Premium lets you enable two factor authentication - or the ability to sign in using your cellphone. It also includes country blocking and lets you schedule your scans at a time that suits you rather than having them auto-scheduled by us at a time of low server load. But most importantly, it gives you access to our awesome Premium Support team and ticketing system who will help you with any Wordfence setup and usage issues you encounter. Hope that helps - I'd like to go into more detail but I'm a little rushed, so please ping Tim and Brian on our forums or open a ticket if you're a premium customer and if we can help with anything else. Thanks for your comments!! ~mmaunder

Jack Quinn February 12, 2015 at 4:50 am

one thing i do is look at the differences between versions if wordfence flags a plugin as having a different version. in many cases, the difference is very slight, like in the readme file, a notation that the plugin now is for wp 4.01 instead of wp 4.0. That said if the differrence was in the executable or the php then I'd be more alarmed. if the difference is in a documentation file, ehh, not so much. You gotta compare the versions to see what the difference is.

Debbie February 11, 2015 at 1:46 pm

Thank you Mark - as always for this sane and informative article!
We are a small hosting company and in addition to hosting websites and other services we host email on our own servers. We pride ourselves in our zero spam tolerance both incoming and outgoing. In addition to subscribed blocklists we mange our own is some tiered and specialized ways.

I have seen similar trends in spam attacks as I have in the Wordfence logs on where the bad players are coming from. Affordable, so called "cloud" and vps hosting has opened a Pandora's box of opportunity for bad behavior.

Over the past year there as been an increase in US hosts selling services that are used as relays for countries and locations we have already had blocks on.

The ability to direct a webvistor to a page on a WordPress site where they can request an allow (if you build it that way) is a wonderful feature that allows a site manager to be much more aggressive in blocking bad behavior.
In WordPress if I have a customer that only offers services locally I block all countries outside of the US.
I have had customers hire "SEO experts" who have complained about the number of hits the page gets that explains the visit was blocked. But when I explain why and what was happening to the CUSTOMER they have never once had me set an allow for country I had restricted.

Thank you for your great work on Wordfence!

mark February 11, 2015 at 1:52 pm

Thanks for the kind feedback Debbie. Glad to hear Wordfence is working for you.

Regards,

Mark.

Nicky Nelson February 11, 2015 at 2:13 pm

This has Israel written all over it if you ask me, just like every other false flag attack. "By Way of Deception, Thou Shalt Do War." - Mossad
James Traficant passed away after a quizzical accident on his family farm. He was one of the last honest and freedom loving Americans to serve in Congress. Jim was one of the few to speak out about Israel's stranglehold on American politics. The world lost a great man, and we carry on in his name. Wake up and smell the take over America!
[Edited by moderator to remove link to video]

Dave Austin February 11, 2015 at 2:17 pm

Hi Mark
Thanks for an informative post. I currently use the free version of Wordfence on around 18 sites that I host and manage and love it. But like Ted above I am seeing more report's about differences in code which was good yesterday but not today and no plugin updates available. A post on this would be helpful to understanding
Cheers
Dave

mark February 11, 2015 at 3:37 pm

Thanks Dave, noted and I'll investigate this.

Doug February 11, 2015 at 4:34 pm

+1

DaveK February 11, 2015 at 2:18 pm

As soon as I install WordFence, I almost immediately get reports of attacks on my admin page from China, France, Russia and else where. While I manually block these servers, it makes me realize that EVERY website on the web is being targeted. So the only answer seems to be to go Pro with WordFence. But what else should I do?

mark February 11, 2015 at 3:37 pm

Thanks Dave - that's such a great salespitch I worry someone's going to accuse us of posting it ourselves. ;-) If you only do one thing, make darn sure that everything from the OS to web server to DB including CPanel, WordPress core and all plugins and themes are kept up to date.

Jennifer Hoffman February 11, 2015 at 4:31 pm

Thanks for another great commentary Mark. As the owner of multiple WP-based websites, which receive heavy traffic every day, and I count on Word Fence to keep them secure. While its frustrating to find over 600 emails from WordFence in my inbox, advising me of blocked attacks, I appreciate the security. In light of the overt attempts to 'close' the internet (vs open internet), I think these attacks are due to the vulnerabilities that are built (read allowed) in the internet, the ones that allow data dumps and spying, that are causing the problem. I can speak about this without speculation and have the inside knowledge, authority, and experience to know that these attacks are rarely accidental or deliberately malicious. One should always keep in mind the desired ends and see these as the means, and those of us who want the internet to remain the open, accessible platform that it is must speak out or we will not have an internet in the future. There's always enough censure on the internet, we don't need to further tighten that noose.

John Bondon February 12, 2015 at 1:59 pm

Can you elaborate a bit more on what you mean? Are you saying you think the backdoors that the NSA uses is the cause of all of this hacking?? I personally disagree with you that these incidents are not intentionally malicious. I'm curious what inside knowledge you have to the contrary. In my experience, these hacks may start as probes simply looking for victims vulnerable to a certain type of attack. But once those potential victims are identified, there is nothing NOT malicious about it. Most internet users have no clue just how vulnerable they are. Most wordpress website owners have no idea just how easy it is to break in.... or even WHY someone would want to. Someone with a website like yourself might think "why would anyone want to hack my website? I don't store credit cards or information anyone would care to steal." That type of mindset is completely wrong. Yes your website DOES have great value to a hacker, even without such data to steal. You have to think of the bigger picture... the bigger payoff and motivations of the cyber thief.

And this is at a time when most cyber crime is still relatively unsophisticated. Most hackers are not that good. Most are simply using scripts and tools bought from someone more skilled. Imagine what happens once the thieves become better at their craft and more sophisticated themselves.

We as website owners and online consumers need to up OUR game. Don't look to the government to save you or to help you. We need to demand better protections of our data by private enterprise. And we need to do our part to protect our own computer systems and internet connected devices, as well as the systems of our customers.

Tell me which part of what I wrote do you disagree with, and why?

mark February 12, 2015 at 2:45 pm

Hey guys. Just wanted to quickly weigh in here.

I would completely disregard anything you read on the Net or in the press that claims knowledge of what the intelligence community is up to. Unless you have clearance, you don't have a clue. If you do have clearance, you won't even share the fact that you have inside knowledge or work for the IC.

Regarding a more closed Internet. It's very tempting to point the finger at "the government" when you read a comment like mine about the Net becoming more closed. What's happening on the ground is that everyone that works in information security can see this coming - whether you're in government, private sector or research. If hacks are increasing because systems are open, to be more secure we have to make systems more closed. Who is to blame for systems becoming more closed? Probably the attackers themselves - not any government agency or private sector actors.

Regarding where attacks come from: The vast majority are either unsophisticated hackers trying to mass own machines or more sophisticated groups building botnets by mass exploitation. It's extremely rare to see a publisher get targeted by an APT attack as in Forbes' case. The folks that are seeing the sophisticated attacks are the defense contractors and banks - I just sat through an excellent presentation by BEA systems who were kind enough to share data on the kinds of attacks they're seeing and these attacks are vastly more sophisticated than most sites (and WP sites in particular) experience.

@mmaunder

Rob Titherley February 11, 2015 at 4:47 pm

After two years using Wordpress, which I only started using because I liked the templates and got lazy, I have gone back to Dreamweaver. The last straw was when I built a 3D printing blog for my son which had 200 Chinese spams in it within days selling fake Raybans and all that sort of trash. You can block them till you're blue in the face but they are obviously using hacked proxies so it's a waste of time fighting automatons. Every single Wordpress site I have built has been hacked at least once and used to relay spam email and each time I have wasted hours deleting files and editing the first line of the originals. The standard of the plugins just isn't good enough if they have vulnerabilities and the next thing will be plugins intentionally written with vulnerabilities - and so on. You can imagine where that would take us - core code hacked from the inside that you could never hope to fix and your FTP accounts compromised. Wordpress is a time bomb - a good idea but ultimately a flawed concept in a world of ever more sophisticated intelligent thieves and scoundrels driven by organised crime. I've gone back to building my own php/MySql code - it's worth the extra effort and I can recommend an excellent book by Interspire for anyone willing to endure 3 months purgatory to get you first application working.

RD February 12, 2015 at 5:56 am

Hi Rob

I do both - some sites I write on my own and some are done through Wordpress. Neither one is perfect and I've seen just as many poorly written PHP sites as I have poorly patched Wordpress sites. I would counter that 3 months is not enough to learn how to securely write a PHP site while at least Wordpress has security plugins like Wordfence (which I use on every Wordpress site I host) to protect all those people who don't have the time or inclination to either learn the security elements of a safe website or are unwilling to hire proper security advise for their sites - be it Wordpress or PHP self written sites. And don't even get me started on website designers who can't give a whoot about any form of security or updating.
If everyone of your Wordpress sites have been hacked there is work to be done in security. Permissions is my largest bugbear and I'd love to see Wordfence scan every file for proper permissions. (I'd love to see Wordpress itself put up EASY to understand information on permissions and their relationship to security and TAKE DOWN every "helpful" comment that fix problems by setting permissions to 777.)
Good luck with the websites but keep in mind security for your PHP websites as well. Although a bit old (3 years) I found php|architect's Guide to PHP Security good.

Yours truly
RD

Ejvind February 11, 2015 at 11:35 pm

This is some scary stuff, and it seems that the consequences may indeed be a more closed internet :-( I really enjoy the idea of an open sharing community, but when "someone" is determined to destroy that openness through exploiting my good nature, I become upset. Have you ever considered an acive counter- measure towards those that are actively tampering with wordpress? If nothing is done, I am afraid that Wordpress will die a sudden death.

Tom Singer February 12, 2015 at 12:11 am

Are you aware of the actual system that was compromised for this attack? None of the details I have read imply it was Wordpress and I would suspect it was more likely related to one of the many third party scripts on the site rather than the site itself.

mark February 12, 2015 at 1:49 am

Hi Tom, thanks for posting. WP was not targeted in this attack as far as I'm aware. It's the fact that this is a watering-hole attack that makes it relevant to WP publishers - the message I'm trying to convey is that as publishers we're not just protecting our own sites and our investment but our site visitors too. I've added an edit to clarify.

Thanks again for posting.

Regards,

Mark.

Jack Quinn February 12, 2015 at 4:45 am

The most useful plugin tool that I have out of the approximately 20 active plugins on my wordpress online magazine is Wordfence and I went premium the first day as whatever the price (maybe $39 - not sure i remember) was well worth it. I cannot compare/contrast the free version. My site was an existing 12 year old website hosted on Lotus Domino which was like a Mack truck...bulletproof reliability, no down time and I as a publisher never had to think about security and hack attacks. However, I rewrote the site last summer as Wordpress based and relaunched in in October 2014 and by Dec was under such constant attack by hosting company (incidentally was the same firm that had hosted the domino site over the years) said that I had at times 64 concurrent requests per second from these bots requesting theme files that were not even installed on my site which overloaded the virtual server memory. Initially, becuase it was easier than fixing the root cause, I responded by adding more memory and more bandwidth to my virtual server. But the bots just expanded to whatever capabilities I added. Finally in desperation I asked my host, is there anything I can do to be more proactive. My hosting partner (eApps.com) recommended Wordfence and I immediately (on a Saturday) downloaded and installed the premium plugin. By the middle of the following week, my inbox was flooded with blocking notices. But by the end of December I had permanently blocked approximately 200 ip addresses, I've been able to send abuse notices to approximately 15 hosting providers with varying degrees of responsiveness, I've since loosened up on my advanced setup and am only throttling (not blocking) any visitors or bots requesting more than say 2 documents per second. I now rarely get security notices but I do check several times a week as I am seeing attempts to login my admin panel.
Also i want to say a shout out for the WordFence Falcon Engine server caching which is phenomenal. Another great reason for Premium. My site homepage is dynamic with 10 categories of theater reviews with photos all loading and autoscrolling. The site is loading very quickly and my virtual server only has 1.5 gb of RAM and a 40% cosharing of CPU resources. I've been able to tweak the server settings to deliver the user experience I want, by eliminating the wasteful bots and attacks which were sucking my bandwith and server resources.
How could someone not want the premium version - it's a no-brainer.

Teresa February 12, 2015 at 9:27 am

The proximate weakness at Forbes was supposedly the "quote of the day" page.

forbes.com/fdc/welcome_mjx.shtml

This page is not HTTPS://www or HTTPS://

I don't know much about site security. My question is if SSL would have prevented the attack?

John Bondon February 12, 2015 at 2:09 pm

Teresa,

No. SSL (https in the address) means the communication between you and the server is encrypted (or so we hope! -- there are actually vulnerabilities in SSL too). But whether or not your website uses SSL (has an httpS:// address) does nothing to protect you from a web based attack.

Brad February 13, 2015 at 10:47 am

Mark,

I only manage a couple of sites, but both have your premium security software in place. Since installing 5 months ago, one site alone has seen over 600 login attempts blocked. The ability to lock out login attempts via username, IP addresses or even an entire country from accessing the WP sites allows me to sleep better at night knowing Wordfence is standing guard. Your regular updates and your newsletters keep readers abreast of these types of sophisticated attacks. I have no doubt that I chose the right security plugin!

I'm actually amazed that the majority of malicious login attempts simply try to login in the sites using the default "admin" tells me that there must be a large majority of WP sites that are wide open to intruder login and therefore vulnerability to their data and their readers. Thanks for all that you, your staff and your software do for us.

Regards,
Brad

Bob Bembridge April 1, 2015 at 6:17 am

Wordfence is a site saver. I run a small web site for a local camera club and only have about 200 visitors a month. I use Wordfence free. Suddenly I started receiving Wordfence notifications of "log on" failures "Admin" from all over the world.

For a while I would manually block them but in a while realized that was a waste of time. I wasn't using "admin" so I went further and changed the log on link to something I have a problem remembering. I stopped getting login failure notifications.

Without Wordfence the site would be totally unprotected and one of those sites easily overwhelmed and hacked to help spread the bot take over of many unsuspecting owners computers.

Thank you Wordfence from one of those dangerous web site owners that don't really have a clue. There are a lot of us.

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 100 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates