Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Episode 112: Wix Takes Aim at WordPress With New Ad Campaign

This entry was posted in Podcasts on April 9, 2021 by Ram Gall   0 Replies

A new Wix ad campaign targets WordPress but ends up being tone deaf in both content and strategy. New details emerge about the PHP compromise, but the full story remains unclear. Facebook user data from 2019 ends up on the dark web, and Have I Been Pwned adds a phone number check to help users determine if they’ve been affected. GitHub Actions are being used by cryptojackers, Gigaset Android phones have been infected with malware in a supply chain attack, and new phishing methods emerge using Telegram.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:16 Wix advertising campaign takes aim at WordPress
3:17 PHP site’s user database was hacked in recent attack
4:56 Facebook data breach from 2019 leaks over half a billion users’ data
7:06 Have I Been Pwned adds telephone look up feature
9:40 GitHub actions being actively abused to mine cryptocurrency
11:07 Gigaset Android phones infected by malware via hacked update server
15:15 Google Forms and Telegram abused to collect phished credentials
17:33 Defiant is hiring

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 112 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing Kathy Zant. Let’s get started. What’s up first, Kathy?

Kathy:
Well, the first thing that I noticed this week… Well, we have a lot of news, but the first thing I noticed was this Wix campaign that’s taking a jab at WordPress with sending all of these WordPress influencers headphones, and then there’s this whole marketing campaign with number of videos. Did you take a look at any of these, Ram?

Ram:
I did. They were kind of awkward. I actually laughed a little bit at a few of the therapy ones, but they were pretty clearly written by someone who hasn’t actually used WordPress in the past few years, who maybe is just kind of looking at like old complaints about WordPress. If they were actually really covering what people don’t like about WordPress, they would have complained about Gutenberg.

Kathy:
You’ve got a point there. Yeah. I mean, these were…

Ram:
Don’t give them any ideas!

Kathy:
Well, they’ll have to go hire those actors all again. They were pretty cringy to me. The thing is, it got everybody in the WordPress community talking about Wix, but I don’t know that they were talking about Wix in a good way. With these ads being so cringy and with some influencers getting them and other people who I think are like maybe more influential not receiving them, these headphones at all, the marketing just seemed like incredibly tone deaf.

Ram:
Honestly, the ads they made would have been a lot more effective at the kind of people who were already going to use Wix instead of WordPress. And I really don’t see them working on anyone who’s actually using WordPress.

Kathy:
Right, yeah. I don’t see it at all either. I mean, if you’re using WordPress, you have a business case. There’s a reason you’re using WordPress. It would make more sense, I think, Wix, to go after like Squarespace or something like that. Go after somebody else who doesn’t want a completely flexible content management system. But honestly, if you want to target WordPress, create a better product, create something that’s open source, that has the community of support that WordPress has.

I mean, there’s a number of different factors that feed into WordPress’ success that this Wix campaign just doesn’t even address.

Ram:
I don’t want to give them too much… I don’t want to let them live rent-free in my head.

Kathy:
Yeah, exactly. I watched their security, because, security. So I watched the security complaint that they had about WordPress. I was really offended they didn’t even mention us.

Ram:
Yeah. I mean, how dare they?

Kathy:
How dare they? How dare they? You know what I mean? If we’re going to take some targets, at least hit the number one security plugin in the entire WordPress space, but they didn’t even mention us. They actually mentioned everything that we basically solve for WordPress and completely missed the boat.

Ram:
They don’t even know that WordPress does automatic updates now.

Kathy:
Yeah, exactly. If you guys are going to play along, you got to read the script, I guess.

Ram:
Exactly. In other news, there’s a call back. Do you remember the PHP getting hacked thing?

Kathy:
I remember it, yes.

Ram:
That was pretty recent. Well, it turns out that they no longer think that it was their Git server that got hacked. Their new hypothesis, and it does seem to be just a hypothesis, was that it was the master.php.net authentication system that got hacked. I guess the reason for that is that in their logs, they basically saw a very few failed authentication requests before they had a successful one, like a malicious authentication request, which kind of goes against what they were saying in their original statement that they don’t believe any accounts were compromised.

Anyways, the authentication system, I guess it was on a really old operating system and version of PHP, and they were storing all of their passwords with plain MD5 hashes, which are really crackable.

Kathy:
They originally came out and said there wasn’t any account that was compromised. But we were kind of left in the dark as to actually what had happened. Just this move over to GitHub was really suspicious and sort of made us wonder if there was a problem with that particular Git installation that they were using. But now it’s looking like there might have been compromised accounts, but we’re still in kind of wait and see mode.

Ram:
Yeah, yeah. They’re still doing forensics on it. Again, this is basically their new hypothesis. They still don’t have a solid proof of what happened, or how it happened, I should say.

Kathy:
I’m sure we’ll learn more in time. Time tells all things. Just like with this Facebook data breach we just learned about, that’s been going on. That’s an older breach, isn’t it?

Ram:
Yeah. The one with… Was it 533 million user’s data?

Kathy:
Just a couple.

Ram:
Yeah. I guess it happened in 2019, and the thing is like there had been several Facebook data breaches that year, but they didn’t tell anyone about this one partially because they weren’t yet required to and partially because they didn’t consider it a breach because it didn’t rely so much on a hack so much as a “insecure by default” feature. You know that thing where you could look someone up on Facebook by their phone number or add friends based on their phone number?

Kathy:
Right. I used to use that all the time.

Ram:
Yeah. Well, it turns out that you could basically just feed their API just arbitrary phone numbers. And if you try enough phone numbers, you’re going to get people’s personal information, including stuff that would maybe only be shown to their actual friends. So I guess they just sort of brute requested information based on phone numbers. I guess it was kind of a scrape, but it shouldn’t have let you do that in the first place.

Kathy:
Right. This article by Lily Newman, Lily Hay Newman on WIRED, she noted basically in the subhead that the company’s explanations about what had happened here have been confusing and inconsistent, but they have some answers about what had happened, which you illustrated. But just this lack of forthrightness on Facebook’s part to not really say, “Okay, here’s what happened. Here’s how you may or may not have been impacted,” and really being transparent about what happened with your data that you have shared with Facebook, that’s the thing that concerns me the most, but it looks like…

Ram:
It’s pretty much on key for them. That’s just how they are.

Kathy:
True. True. But it looks like Troy Hunt is kind of stepping up to the plate with Have I Been Pwned and he’s going to be helping people out. Did you read that article?

Ram:
Yes, I did. Now, for those of you who are new listeners or haven’t heard us cover it, Have I Been Pwned is a platform by a security researcher in Australia, Troy Hunt, who basically collects information from data breaches and has come up with a secure way for you to check if your password has been compromised in a data breach without actually sending him your password. But he’s also done the same thing for phone numbers that have been in this Facebook data breach as well.

You can look up to see if your phone number was compromised in this latest, well, scrape breach, whatever you want to call it, unauthorized release of your personal info.

Kathy:
We’ll have a link in the show notes where you can go to Have I Been Pwned and you can go look up your phone number and see if you are affected. One thing that I saw someone just in comments on Twitter saying is that they are concerned about social engineering attempts that might target individuals because of all of this very personal information that has ended up on the dark web.

That if you are being targeted by someone and they have a number of personally identifiable pieces of information about you that makes it seem like they really are an authentic requester of more information or passwords or credentials of some sort from you to be extraordinarily suspicious right now because of all of this being dumped on the dark web.

Ram:
That’s always been kind of the threat of social media as long as there’s been anything resembling social media. Like even those old quizzes of like, “Hey, what street did you grow up on?” It’s like, hey, a lot of those questions are my password reset questions, which is another reason why you should not use password reset questions because they’re not actually two factor or multifactor authentication. They’re just something you know and something you are likely to forget, but someone else can look up really easily.

Kathy:
Exactly. What do you think about with phone numbers being such a big part of this? What do you think about using your SMS phone number, your mobile phone number, for a two-factor authentication now, Ram?

Ram:
Ooh, okay. Mark has this thing he always says about how social security numbers are basically the password that you can never change. But in a way, phone numbers are kind of becoming the username you can never change. Like yes, you can change your phone number, but so many parts of your digital identity are tied directly to your phone number. And even if you can use time-based one-time password or harbor-based authentication as a second factor, initially when you set stuff up, so many things just require your phone number for initial verification.

It’s not even funny. It’s basically who you are. If you sign up for any alternative message service, Signal, Telegram, all of those use your phone number, it’s the username you can never change.

Kathy:
It is. It is. Our next story is about GitHub Actions being actively abused to mine cryptocurrency. What’s going on here?

Ram:
Well, it’s our obligatory cryptocurrency topic of the week. That’s because attackers keep on trying to make money and cryptocurrency is a super convenient way for them to use other people’s computers to do that. This kind of calls back to something we covered in an earlier podcast, but basically GitHub Actions are a way to automate. When you’re a developer and you want to deploy new code, you can set up these things to automatically send it to your servers via GitHub Actions.

Anyways, attackers figured out that they could copy someone else’s code base that had these setup and add a cryptominer and then send a request to get it merged back into their code. And the other person didn’t even have to accept. GitHub would just look at the request and go, “Oh, hey, I should run this cryptominer,” and now there’s cryptominers running on GitHub servers. Which is probably not great, and I am sure they are working very hard to put an end to it, but.

Kathy:
Yeah, sneaky. But I think we’re going to see more and more sneaky things with cryptocurrency if it keeps increasing in value. We saw this in 2017 when cryptocurrency increased in value. We had things like…

Ram:
It was huge. It’s like JavaScript miners all over the place and like malicious cryptominers added to WordPress repository plugins.

Kathy:
Exactly.

Ram:
And speaking of supply chain updates.

Kathy:
Yeah. What’s going on with Gigaset?

Ram:
Gigaset is a German manufacturer of Android phones. They used to be Siemens. They used to make a lot of the old dumb phones. I guess they were one of the biggest in the world, but now they’re still making Android phones. Only, I hadn’t actually heard of them before this news article, so I guess they’re only really big in Germany. Anyways, it looks like attackers compromised the phone update servers and sent malicious updates to a bunch of Gigaset Android phones.

And once those updates were downloaded and installed automatically, it appears the phones would automatically open web browsers to go to malicious websites or show ads for mobile games, which seems to be a fairly popular thing for sketchy malicious actors to monetize.

Kathy:
As a user, if I had a Gigaset phone, Android phone, which I don’t, because I don’t, would there have been any action that I would have taken to basically infect my phone, or is this something that just shows up and it starts acting erratically in this way?

Ram:
From everything I was able to find out, it looks like this was something that just happened. Yes, for actual system updates, you still usually have to manually apply them. But for a lot of the other software updates, it’ll just automatically update an app on your phone, including some of the core services. And it looks like that’s what they were targeting in this case.

Kathy:
Got you. And it looks like Malwarebytes is supporting Gigaset owners on their forums and has an actual signature where they’re detecting this particular malware variant that’s being pushed out through the supply chain.

Ram:
Which is good. Very good. But there’s nothing that users could have really done to stop this from happening apart from rooting their phones and shutting off that autoupdating app. And that’s kind of the opposite of the secure way to do things for most people, so I wouldn’t recommend it. This just goes to show that supply chain attacks aren’t just going to attack governments and corporations and infrastructure. Anyone can be a victim of a supply chain attack.

Kathy:
Right. And your digital life touches so many different software developers’ code, right? I mean, you have your phone, whether you are using Apple or Android, every app that’s on there is created by a software developer. There are certain controls in some places, but every piece of software could possibly be touched by a supply chain attack. If you’re updating it, you’re updating it from a server, and that server could be compromised.

Ram:
You should still update. You should still definitely update, because the chances a vulnerability being patched and an update fixing it are still a lot higher than a supply chain attacker putting malicious code in an update for the most part. There’s definitely emerging to be a pattern of some vendors do a lot more review on their code than others.

Kathy:
Sure, of course. But as an end user, it’s just important to… Whether you’re an end user of WordPress or a phone or apps on your computer, it’s good to always just be aware of what updates you apply. And if something happens that’s erratic and unexpected behavior after an update, to just be aware that supply chain attacks do occur and to investigate further if something funky is happening.

Ram:
We’re not saying be scared all the time because that’s super counterproductive. Just have it in your mind that this is a thing that can happen and don’t panic. Do some research on what it takes to fix it because it might be different every time. But in this case, it looks like what it takes to fix it is shut the phone off until they nip it at the source, and then wipe your phone and re-install everything.

Kathy:
Ew! That does not sound fun.

Ram:
I mean, I used to tinker with Android phones a lot, so that was kind of like a weekly occurrence for me back in the day.

Kathy:
Got you.

Ram:
That’s how I learned Linux.

Kathy:
Really?

Ram:
Yeah.

Kathy:
Wow! Fun. Well, yeah, makes sense. What do we have with phishing? Phishing’s kind of evolving and starting to target people through various other methods, not just email or SMS messages.

Ram:
They’re using Telegram bots to send phishing requests to people on Telegram and then collecting that info through Google Forms. Security textbooks keep on coming up with weird names for basically the same technique over another new medium. And it’s like vishing and spinning in some other awkward sounding name that sounds vaguely uncomfortable. And it’s like, it’s all just phishing, man.

Kathy:
Right, right. Yup, it is…

Ram:
They’ll probably come up with a name for this like Telegrimming.

Kathy:
Telegrimming?

Ram:
I don’t know.

Kathy:
Telegrimming, coined by Ram Gall.

Ram:
Did you get Telegrimmed?

Kathy:
They’re saying Group-IB analysts are the ones that have been investigating this, and they say that it’s only about 6% of the phishing that they’ve seen. But these lures that…

Ram:
That’s a lot.

Kathy:
I think it’s going to grow. I think it’s going to grow because people are much more aware of phishing via email or SMS, and people who are using tools like Google, Gmail basically filters out all of the phishing messages. I never see them. They’re going to have to get creative, just like all the cryptominers have to get creative. And they are using 260 different unique brands as these phishing lures, online tools to review documents, online shopping, streaming services, email clients, financial organizations. They are targeting mostly Microsoft, PayPal, Google, and Yahoo products.

Just be aware that if you’re on Telegram or if… I’ve been receiving Russian language Google Forms in my own personal email. I’m just like, “Oh yeah. Okay. I see this. I see you phishers!”

Ram:
And you know what? If someone sends you a phishing message on Telegram with some personal information that they probably collected from a Facebook data breach, I mean, I’m just saying that seems like a likely…

Kathy:
Yup, it does. It seems like a creative way to put things together in order to attack unwitting people on Telegram. Loads of fun. That’s what keeps us busy, keeping an eye on these busy folks. And we are so busy, we are hiring. We have a number of positions open. We’re looking for someone who’s a security operations person, a senior security operations.

Ram:
If you like AWS a lot and like security a lot, you should totally apply.

Kathy:
Yes, definitely. We’re also looking for PHP developers. We just opened up a new QA engineer role, and we are still looking for the ideal candidate to do research for website performance. All of those job descriptions will be linked in the show notes if any of them sound interesting. I know our benefits are going to sound interesting to you. So go take a look. And if you would like to join our team and have some fun with us, please apply. We’d love to talk to you, and we will talk to you all again next week.

Ram:
Yup. I will see you next week, and it’s always a pleasure.

Kathy:
Always a pleasure. Thanks a lot, Ram. We’ll talk to you later.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

Did you enjoy this post? Share it!

No Comments on "Episode 112: Wix Takes Aim at WordPress With New Ad Campaign"

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates