Think Like a Hacker Episode 77

Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams

This week, we look at the WP 5.4.2 release and a ransomware bitcoin scam targeting site owners with a “You’ve Been Hacked” email. We also look at an FBI warning about online banking app malware, the Verizon data breach report and what it says about WordPress, and how some white hat hackers are becoming millionaires responsibly disclosing vulnerabilities via HackerOne.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:20 WordPress 5.4.2 security release fixes multiple XSS vulnerabilities
1:47 High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites
3:05 Ransomware Bitcoin scam claiming sites are hacked
5:40 FBI warns of increased hacking risk if using mobile banking apps
8:08 $100 million in bounties paid by HackerOne to ethical hackers
10:00 Verizon data breach report: Web application attacks rise to account for almost half of all data breaches
11:17 Owners of DDoS for hire service get community service

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 77 Transcript

Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. It’s been a few weeks, a lot going on here at Wordfence, including a couple of very well attended live events on YouTube. More on that later. First let’s get into the news.

Our top story: WordPress 5.4.2 was released on Wednesday, June 10th. WordPress’ latest release contains 23 fixes and enhancements, including patches for six moderate-risk cross-site scripting and other security bugs.

Wordfence Threat Analyst and Senior QA Engineer Ram Gall took a deeper look at the release. He found that most of the security patches were fixing vulnerabilities only exploitable in rather specialized cases. One of the cross-site scripting issues addressed by the update meant authenticated users with low privileges were able to add JavaScript to posts in the block editor. A separate issue gave authenticated users with upload permissions the ability to add JavaScript to media files. And the release also had another bug, not cross-site scripting, that resolved an open redirect issue in the wp_validate_redirect function. An issue where comments from password-protected posts and pages could be displayed under certain conditions was also resolved. Special shout out and a thank you to the security researchers that found these vulnerabilities and responsibly disclosed them to the core team, and a shout out, of course, to the core team who got this release out.

Our next story is about high severity vulnerabilities that were patched in the Page Layer plugin. This affected over 200,000 WordPress sites. Chloe Chamberland posted this on the Wordfence official blog a few weeks ago. At the time of this writing, these vulnerabilities have already been patched. If you’re using Wordfence, the firewall is protecting against exploits. Both free and premium users are protected against this being exploited. One of the flaws allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst other things.

The second flaw allowed attackers to forge requests on behalf of a site administrator to modify the settings of the plugin, which could allow for a malicious JavaScript injection. Chloe demonstrated this both on the video that is included on the blog post, as well as during Wordfence Office Hours on June 9th. These are available on the Wordfence YouTube channel. I suggest checking those out. There are links in the show notes. Chloe really makes understanding these exploits easy and makes it easy for all of us to understand how to protect our sites better.

Our next story is about fake ransomware Bitcoin scams. Now I’m sure we’ve all received one of these at one point or another. We have been seeing these in email inboxes for quite a while. Last year, they were claiming to have video of people accessing rather questionable and embarrassing content, and were basically trying to get people to pay Bitcoin so that those videos would not be exposed. Of course, it was all a scam. Now they’re taking aim at site owners, claiming that your site is hacked, and the only way to save the personally identifiable information from your site’s database is to pay a ransom. So the scammer sends an email to the site owner with the subject “your site has been hacked” and the body of the email claims hackers have exploited vulnerabilities to gain access to the site’s database, and that they have “moved to the information to an offshore server.”

The email then threatens to ruin the site owner’s reputation by selling the site database or notifying customers that their information was compromised, and they are also threatening to de-index the site from the search engines by using black hat techniques. Now, this is all stuff that could happen, but much like the previous scams that we have seen in inboxes, it’s a scam and it’s not true, and you may be receiving these emails without your site actually being hacked.

There is actually a Bitcoin abuse database on which you can look up what’s happening with an individual Bitcoin address. So you can enter in that Bitcoin address and it will report what the owner of that address has been up to. So if you put in the Bitcoin address of any of these email scams that people are getting, you’ll see that other people are receiving similar types of email scams trying to target sites, even some sites that don’t even have a database. So far, it appears that these campaigns have not been very successful. Yay. People are deleting them and they are not convincing site owners to pay the ransom. I’m sure these scammers will move on to another scam. We just need to be aware that anything that shows up in your inbox may or may not be true, and if anyone ever threatens you online requesting Bitcoin or any other cryptocurrency, or even money, to really look deeper at those types of ransom requests, because they are most likely a scam.

Our next story comes from Bleeping Computer. They are reporting that the FBI is warning of increased hacking risks if you are using mobile banking apps on your smartphone. So the FBI is reporting that financial technology providers are estimating more than 75% of Americans are using mobile banking in some form, and the studies of U.S. financial data are indicating a 50% surge in mobile banking since the beginning of 2020, most likely due to all of the lockdowns and COVID-19. So the FBI is anticipating that these malicious actors will try to exploit new mobile banking customers who are unaware of how these banking apps work, and they may be using things such as fake banking apps and app-based banking trojans. One thing that is important to remember is if you download an app, it is going to ask you to give it the permissions that it will require in order to steal your information, to steal your usernames and passwords.

This malware does not go snooping around in Android or iOS, but it will actually stay dormant and only surface when you open a legitimate banking app, and then it will ask for information. So then these Trojans will create a false version of the bank’s login page and overlay it on top of the legitimate app. Once you enter your credentials into that Trojan app, obviously you are exposing your credentials to an attacker.

So what can we do? Obviously be very careful when you’re on your smartphone. In the cryptocurrency space, security has been an issue for a very long time. And I’ve known people who are big into trading cryptocurrency, and they actually have a separate laptop, a separate machine, that they do all of their banking on, and that’s the only thing they do with that specific laptop. Maybe it’s time for us to start applying some of these more stringent controls for our other financial institutions and only have one browser, for example, that you use for banking or transferring of funds or cryptocurrency trading, or stock trading, whatever you’re doing with your money. And just functionally isolate what you’re doing with your financial institutions in order to mitigate these types of risks.

Our next story is from PortSwigger, portswigger.net, and they are reporting on the Verizon 2020 data breach investigation report, and they are stating that web application attacks rise to account for almost half of all data breaches. So the actual number is 43% of breaches trace back to attacks against web applications. Of course, your WordPress website is a web application. This is double the results from last year, and the vast majority of those data breaches were motivated, of course, by the prospect of illicit financial gain. This is up from 71% in 2019.

Now, how does this affect WordPress? Attacks on content management systems that include WordPress, Joomla, Drupal, NoneCMS accounted for about 20% of all cyber attacks. And more than 28% of attacks targeted technology platforms supporting websites, such as ColdFusion and Apache Struts. Now, what can we take from this data? I mean, I don’t find this to be entirely too surprising.

Your website is the easiest thing for an attacker to attack. It is your front door on the internet for your business. It’s much easier for them to target your website than say your email systems or your accounting systems, though if they had that kind of information, they’d probably target that as well. Obviously with any front door, it’s good to have a lock and key and maybe a security camera or security system preventing these types of attacks on the front door, which is why Wordfence exists. Good to have a firewall on that front door and make sure those malicious attacks cannot occur, and a malware scanner to tell you if indeed it happened.

Our next story is also from Bleeping Computer and this was published on May 27th. They reported that a hundred million dollars in bounties had been paid via HackerOne to ethical hackers. This is a feel good story, hacking being profitable, white hat hacking being profitable. Always good to put some attention on that. They’re reporting that over 700,000 ethical hackers are using the bug bounty platform to get paid for security bugs in the products of over 1900 HackerOne customers. Of course, it’s impossible for us to know how many cyber breaches have been averted by responsible disclosure of security vulnerabilities, but with the average cost of breaches around $8 million, the savings to businesses who are running websites and other applications are probably in the tens of billions.

So HackerOne announced that eight of the hackers using their platform had become millionaires with 19-year-old Santiago Lopez being the first white hat hacker to earn over a million dollars by reporting security vulnerabilities responsibly to HackerOne. Kind of exciting.

Our final story from June 7th, from Krebs on Security is about a DDoS for hire service that got six months of community service. This company was called vDOS and the co-owners operated this for four years, basically taking money from customers and launching over 2 million DDoS or distributed denial of service attacks, knocking many internet users and websites offline. They’ve been sentenced to six months of community service by an Israeli court. Now it looks like vDOS was responsible for a majority of the DDoS attacks that had clogged up the internet between 2012 and 2016. Their subscription packages were sold on how many seconds the DDoS attack would last, and in four months between April and July 2016, vDOS was responsible for launching over 277 million seconds of attack time. It was kind of hard to get all of this data because after they would perform these attacks, they would wipe their servers. Pretty scary stuff.

Now, obviously, operating this type of service is illegal in numerous municipalities; purchasing these types of services is also illegal in numerous jurisdictions. A commenter on Krebs’ article stated that one of the defendants had actually turned his life around and is working for a legitimate company now. Let’s hope that both of them do and let’s hope more of the malicious attackers that exist out on the web find ways to maybe become ethical hackers, go look for vulnerabilities on applications and submit their bugs to places like HackerOne for bug bounties. There are ways that some of this cyber crime can get turned around.

The news for today. I would like to invite you to join us for Office Hours on YouTube. You can find us on the Wordfence channel every Tuesday at noon Eastern time on the East coast of the United States, and 9:00 AM Pacific time. Next week, we will be fixing a hack. So we’ve been doing some live hacking over the past couple of weeks with Chloe Chamberland, and now we’re going to take one of those hacked sites and show you how to use Wordfence to clean it up. So join us over there.

As always, thank you for listening to Think Like a Hacker. Might have a couple of weeks where I am off doing some interesting things in my life that I’ll talk about later, but we will come back with all of the news in WordPress security and innovation, just as soon as we can. Stay safe and we will talk to you soon.

Go ahead and give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.
