Episode 74: Staying Safe When Hackers Use Sophisticated Attacks

Stories this week about targeted attacks using 0days in iPhone and iPad devices and a sophisticated phone scam targeting a security professional that ended with a $9,800 wire transfer underscore what we all know: malicious attacks are becoming increasingly sophisticated. We give you some ideas how to stay safe.

We also cover a recent plugin vulnerability in the MapPress Maps plugin affecting over 80,000 WordPress sites, Google’s report that they’re seeing more than 18 million daily malware and phishing emails. We also cover the recent funding that Frontity received, and look at what this might mean for faster WordPress sites.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:34 Critical vulnerabilities patched in MapPress Maps plugin
2:00 iOS zero-days allegedly being actively used against high-profile targets
3:41 Cautionary tale of sophisticated phone scams and bank fraud
7:39 Google saw more than 18 million daily malware and phishing emails related to COVID-19 last week
9:27 Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates Foundation and others are dumped online
11:38 Frontity Raises €1M with Automattic and K Fund

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 74 Transcript

Hello my WordPress friends, welcome to Think Like a Hacker, episode 74. This is the podcast about WordPress, security and innovation. It’s nearing the end of April. How are you holding up? We’re doing fine over here, but looking forward to getting back to whatever the new normal is supposed to look like. We have some news for you today, both in the security world as well as the WordPress news, so let’s get started.

First story was published on April 23rd on the Wordfence blog. This was related to critical vulnerabilities that were patched in the MapPress Maps plugin. This was discovered by one of our security researchers, Ram Gall. He found these two vulnerabilities in this plugin that affected over 80,000 WordPress installations. Both of them were authenticated, meaning they could only be exploited by someone who had an account within WordPress. But of course this is problematic if you have your site set up to allow subscribers because even a subscriber level user is authenticated.

So we reached out to that plugin’s author and they released a patch that same day. We’ll have a link in the show notes so you can take a look at what these vulnerabilities actually entail. What you need to know now is if you’re using MapPress Maps for WordPress on any of your sites, you need to update immediately. Wordfence free customers will not receive those rules until May. Obviously premium customers were protected as soon as we found these vulnerabilities. The free version has a less severe vulnerability than the pro version. The pro version has an extremely critical vulnerability. Obviously links in the show notes if you want to look deeper.

Our next story was reported by Bleeping Computer on April 22nd as well as numerous other sources including The Verge. They are reporting that a new iOS zero-day has been discovered that is allegedly being actively used against high profile targets. These two zero-day vulnerabilities affecting iPhone and iPad devices were found by cybersecurity startup ZecOps after the discovery of a series of ongoing remote attacks targeting iOS users since January of 2018.

Now this flaw has existed for 10 years and had not been previously disclosed to Apple. Obviously, that makes it extremely valuable to a variety of bad actors and ZecOps says that they believe with high confidence that these vulnerabilities are widely exploited in the wild in targeted attacks by advanced threat operators. Now, ZecOps says that they have evidence of these exploits being used, but they say they’re not comfortable sharing that, which is leading some security researchers to question the validity of the claim that they are widely used in the wild.

That includes Jann Horn, a researcher for Google’s Project Zero cybersecurity project. What does this mean for you? If you are using the native mail app in iOS, don’t click on links in your phone’s mail. You might want to switch to Gmail or Outlook or another mail application for your iOS device until we’re sure that these zero-day vulnerabilities are patched.

Our next story comes from Krebs on Security published April 23rd and it’s a cautionary tale for those of us in security that no one is immune from being taken by a scam. This is a tale of a phone scam that escalated into a $9,800 wire transfer. It looks like it started with a credit card skimmer likely at a gas pump where this victim had used his debit card to buy gas.

Our victim, who received the name Mitch as a pseudonym, lived in California and he was a veteran of the tech industry. He had worked in security for several years at a major cloud-based service and he knew security protocols, but he received a call from what he thought was his financial institution warning him that fraud had been detected on his account and that the caller ID of that incoming call displayed the same phone number that was printed on the back of his debit card. Sounds legit, right?

Just to be sure he logged into his bank account while he had that person on the line and he saw a couple of transactions that he knew were fraudulent, which lended credence to the fact that he was talking to his financial institution, which he wasn’t. Now these attackers had gotten his debit card number and they had gotten his pin number and they could pull money out of his account at ATMs and go shopping at big box stores. They wanted obviously more than that. So they needed his help and they needed to escalate and get more complex in the attack, which they did.

And the fraud investigator said that the $9,800 that was wire transferred out had been sent to an account at an online only bank. And that bank was also in Mitch’s name. He didn’t open that account but this may have helped the fraudsters sidestep fraud flags for the unauthorized wire transfer. So what is our takeaway from this? If your bank calls you, hang up and call them back, initiate that conversation, watch your bank account fervently. Watch your credit card statements regularly. Look at your balances all the time and ensure that no fraud activity is happening. And if your bank is calling you, distrust that call.

Now, this is an important cautionary tale. You’re listening to a security podcast. I am talking in a security podcast. We are security professionals and we understand what fraudsters do and we can look for telltale signs of fraud when it’s happening. So was Mitch. So it just goes to show that to be extraordinarily distrustful of the things that are happening and question everything is incredibly important in security.

It also reminds us, and I say this a lot on the podcast, that as a security aware individual, think about your friends and family who are less up on security and what can you do in order to help them prevent these types of attacks from showing up in their life? How do you heighten their security awareness so that when your mom or your dad or your grandparents receive a call from a “bank” that they know to hang up and to call the bank themselves and to keep an eye on what’s happening with their financial institutions. When things get tough, scammers get more brazen and more sophisticated, and I expect that we will hear more tales like what Mitch went through. So protect yourself, protect your friends.

Our next story underscores those sentiments. This was published in The Verge on April 16th. Google saw more than 18 million daily malware and phishing emails related to COVID-19 last week alone. With these interesting times, scammers and hackers are using fears associated with COVID-19 in order to be relevant and to try to create a sense of urgency to prompt users to respond to these types of scams.

Now Google says that its artificial intelligence powered protections blocks more than 99.9% of spam, phishing and malware from reaching users. They also say that it has been working with the World Health Organization on implementing DMARC or domain based message authentication reporting and conformance to make it more difficult for scammers to impersonate the World Health Organization domain and prevent legitimate emails from the WHO being caught in spam filters.

Now even with Google blocking 99.9% of the malware and phishing campaigns that are targeting email inboxes, that still leaves about 20,000 emails that possibly might have gotten through. Obviously the fail safe is to ensure that people are educated and can recognize a scam when it comes into an inbox. That means educating our friends and family, making sure that they’re aware that hackers are as busy as ever in light of what’s going on.

Our next story comes from the Washington Post. They are reporting that nearly 25,000 email addresses and passwords, allegedly from the NIH, the World Health Organization and the Gates Foundation, were dumped online. These were ending up on Twitter and Twitter was actively removing those. The BBC also reported this. They said that they found about 9,900 emails and passwords from the NIH, 6,800 from the CDC, 5,100 from the World Bank, 2,700 from the World Health Organization, 269 from the Gates Foundation and 21 from the Wuhan Institute of Virology.

The NIH told the BBC it was investigating the leak, but none of the other organizations had responded to the requests for comment. Now it’s hard to say what exactly is going on here. Obviously we’re just hearing about it from various sources. I did do some investigation and found another security researcher talking about their analysis of some of these dumps and the biggest takeaway was people are using incredibly simplistic passwords even at some of these large organizations that you might assume know better.

So let this be a warning to us all. Use extraordinarily complex passwords. Use your password managers and please use two-factor authentication wherever you can and keep yourself safe. Obviously with a big dump like this, something else is going on. It’s not just one email account that’s being accessed. There apparently looks to be databases of usernames and passwords are being found by these hackers, so there’s obviously security concerns beyond that, but just some of these simplistic … there were password123s in there. So definitely make sure that your passwords are safer than the ones that they’re using at the World Health Organization and tighten up your email with two-factor authentication.

Our final story back in the WordPress world, Frontity raises one million euros with Automattic and K fund. This article was published on WP Tavern on April 22nd. What is Frontity? Frontity is a free, open source framework for building WordPress themes based on React. Now these React-based themes will be competing against PHP based themes. And React is a JavaScript library for building a user interface. It’s maintained by Facebook and a community of individual developers and companies and it can be used as a base in the development of a single page or mobile applications. Gatsby which is often talked about in the WordPress world with headless WordPress is also based on React.

Now this is interesting to me. Automattic is covering 22% of this funding round for a theme based in React. Now, over the last year or so, everybody’s been talking about Gatsby. It’s kind of been this shiny new object in the WordPress world because of headless WordPress because everybody wants the fastest site they could possibly develop and these JavaScript frameworks deliver that.

Now you can build a site in Gatsby, you don’t need WordPress. The reason it’s interesting to WordPress is so many of us have websites that are built in WordPress and so to have a Gatsby incredibly fast site talking to the WordPress database and pulling in information that has been stored there for 10 years and showing it in a new way, that is very interesting.

One of the reasons I got involved in WordPress to begin with was all of the information for a site, all of the content was stored in a database and I could theme it in different ways just by changing the theme, changing the look and feel of the site, but the content would remain the same. So it would give my site and me the freedom to grow with the internet because obviously what looked good in 2002 on the internet is not what looks good now. And one of the problems with Gatsby is that it has somewhat of a steep learning curve. You have to learn an entirely new framework and then figure out how to connect that to WordPress.

I haven’t played with Frontity yet, but I plan on doing so. Because it’s 100% focused on WordPress and the WordPress API’s, it’s within my realm of expertise and it has the same benefits of using a React-based framework within WordPress. Seems like an easier step, so I will report back once I play with it on a few sites and hopefully don’t break anything. This sounds like an interesting next step for WordPress. If you’ve played with Frontity, let me know how it works for you.

And with that, that is the news for this third week of April. Now on the 28th next Tuesday we are going to have another Wordfence office hours. I will put a link to register for that in the show notes if you’d like to join us. We’re trying to do this every week now. We’ll change up the content starting in May, but we’ve been kind of repeating the same content because we have new people coming in all the time. We’d love to see you there.

If you have any news stories you’d like me to cover or you have any feedback, please hit me up at kathy@wordfence.com, follow me at Twitter @kathyzant, follow the @Wordfence account of course, and follow the Wordfence account on Instagram and YouTube as well. We have a few new videos that will help you sort of get up to speed on some of the features in Wordfence and Wordfence Central on our YouTube channel, so follow us and give us thumbs up and comments and you know, begging for all of those social proofs in social media land. Thank you again for listening to Think Like a Hacker and we will talk to you next week.