Yesterday, September 15, 2020, the Wordfence Live team covered The Hacker Motive: What Attackers Are Doing with Your Hacked Site. This companion blog post reviews the motives we discussed live during Wordfence Live and dives deeper into the minds of attackers.
You can watch the video of Wordfence Live below.
You can click on these timestamps to jump around in the video.
WordPress powers over 35% of the internet, making it one of the most popular content management systems. This means that WordPress is also one of the most targeted systems. Hackers understand that if they can become experts at compromising WordPress vulnerabilities, they can target and exploit more sites. With tens of thousands of plugins and themes available, the likelihood of discovering an easily exploitable intrusion vector installed on numerous sites adds to the attractiveness of WordPress as a target for malicious attacks.
WordPress hackers range from inexperienced script kiddies looking to get started to sophisticated crime syndicates. A script kiddie who has very little technical experience may simply go around defacing websites for fun and bragging rights, whereas a black hat hacking syndicate may spend more time evading malware scanners, developing complex command and control networks to maximize their impact, and monetizing compromised sites using SEO spam links and other methods. We will explore these motives a little further and provide you with some in-depth insight on why attackers target and compromise WordPress websites.
Our hope in doing so is that this information will empower you to protect your site, no matter how small or insignificant you might perceive your site to be. There is immense value in any WordPress site, and we hope to empower you to take steps to protect your site from these types of attacks.
Hacker Motive #1: Installing Backdoors
A backdoor is a piece of code inserted somewhere on a site, either in an already existing valid file like a theme’s 404 file or in a newly generated file, that provides an attacker with the ability to execute commands on the compromised site’s server. A backdoor can also establish a reverse shell to the server to execute commands and navigate the filesystem freely.
Attackers often install multiple backdoors to maintain persistence on a compromised site. This means that they have an easy way to revisit and regain access to compromised sites. Attackers use this access to make changes to a compromised site that benefits a monetization campaign, or re-infect sites in the event that infected content was incompletely cleaned or vulnerabilities were patched while the backdoor remained undetected.
Backdoors can also be installed by an attacker in hopes of gaining shell access to a server. Once an attacker gains shell access, they can potentially escalate their privileges by exploiting kernel-level vulnerabilities to gain root access to the server, which would allow them to take over other sites hosted on the same server.
In rarer cases, backdoors can also be added by developers during the development process of a WordPress site to act as a maintenance hook or killswitch in the event that a site owner stops paying for maintenance. If a developer you don’t know well has created something for your site, it is important to verify that they have not added any backdoors by performing a malware and vulnerability scan with a product like Wordfence once the development process has concluded.
A simple PHP webshell that an attacker could use to execute commands on a compromised WordPress website could look like:
<?php echo shell_exec($_GET['cmd']); ?>
Hacker Motive #2: Defacement
Defacement occurs when an attacker alters the content, or face, of a site to something else typically with no real immediate benefit to themselves. This can be something as simple as a tagline like “This site was hacked by r0gu3 1: L33t Hax0rs” with a green cyber text background. Most of the time attackers will deface sites to send a political message or simply to show off. There is typically no monetary gain from defacing a site, though it may be intended to embarrass the site’s owner.
There was a massive defacement campaign back in February of 2017 when a REST API vulnerability was discovered in versions 4.7 – 4.7.1 of WordPress that allowed unauthenticated attackers to update arbitrary posts. Hundreds of thousands of sites were affected by this vulnerability while attackers were competing in what appeared to have been a “Defacement Contest.”
A “Defacement Contest” is when attackers will attempt to deface as many sites as possible to claim victory over other attackers, purely for bragging rights.
The following is an example of a defacement we saw back in 2017 during the defacement contest exploiting the REST API vulnerability.
There have been some cases where “grey hat” hackers, who don’t have fully malicious intent but still perform illegal actions, have defaced sites purportedly to raise the awareness of site owners and alert them to the fact that they have vulnerable sites. Though less common, some attackers do make an effort to cause minimal damage beyond making the site owner aware that their site is vulnerable.
Hacker Motive #3: Spam/SEO Content Injection
Spam/SEO content injection occurs when an attacker injects HTML containing visible or hidden links to external websites in hopes of improving the search engine ranking for those sites. This is mostly done for monetary gain. Attackers can be paid on the black market or dark web to improve site’s SEO rankings or they can aim to improve the SEO of their own sites by injecting these spam links into victim’s sites.
Search engines will score a site’s popularity based on a number of ranking factors, including the number of inbound links that site has on the web as a whole. Inbound links tell the search engines that other site owners view the site as authoritative, and numerous backlinks from high authority sites can boost a site’s performance in the search engine result pages (SERPs). Attackers looking to perform well in the SERPs will try to place as many links on clean, high authority sites as possible in highly competitive and profitable niches. SEO spam is often used to promote sites that online ad providers are unwilling or unable to work with for legal reasons, such as pharmaceutical, online gambling, counterfeit goods, and illegal download sites.
Our Security Services Team (SST) often finds these links embedded at the bottom in posts, site footers, or other locations. Sometimes these can be hidden from view. Either way, SEO spam links can go undetected for quite some time if you are not actively examining your site’s pages or performing malware scanning on your WordPress site.
Example of a WordPress post containing a spam link.
Hacker Motive #4: Spam Page Creation
Similar to spam links, spam pages try to boost a site in a highly competitive and profitable niche higher in the search engine result pages. Unlike spam links, however, these attacks consist of multiple HTML pages containing spam content injected into a compromised site. It can also involve spam pages being created within WordPress itself.
Sites that have older domain names have higher authority ranking factors on search engines and are a more desirable target for attackers as the domain authority is also transferred to the spam pages created by the attacker.
The motive for attackers in this scenario is monetization. The spam pages they create often contain affiliate links in hopes that the attacker can drive sales to business and earn money from the affiliate income generated by the spam pages. These spam pages may also redirect site users to an alternative site selling products, again as a means to monetize the compromised site.
One common spam page creation hack that we often see is the “Japanese keyword” hack. This typically involves the creation of a folder with several HTML pages containing Japanese spam with affiliate links to sell merchandise. These pages are quite often indexed by Google and it can become so severe that search results for an infected site only show Japanese keyword pages in search results.
A PHP mailer script sends emails on a server through PHP code. Attackers will often use these scripts on a compromised site to exploit the mailing functions of the server and send out unwanted spam messages. Spam usually refers to unsolicited emails designed to grab your attention to try and get you to purchase a product. Spam can also consist of emails designed to trick you into executing actions like entering your password, which would be considered phishing, or to initiate other common scams.
Spam is as old as email itself, and it is still incredibly profitable even with today’s advanced email filters.
Why do attackers compromise WordPress sites to send spam?
It’s simple. You have a reputable and legitimate site, so sending spam emails from your site is an attractive target as it will take longer for an attacker to get detected and shut down. By using your site’s email service as the email source, an attacker is likely to bypass many email filters and their spam messages will get delivered successfully to more targets. Your site is also providing free mailing resources for the attacker to exploit and send their spam messages to earn money, and regardless of the traffic your site receives an attacker can use your hosting and mailing resources to their benefit. Again, the motive here is to earn money and go undetected for as long as possible.
Hosting providers have a strong incentive to shut down malicious mailers sending spam in order to protect their IP addresses from blacklisting. This means that the first indication of a PHP mailer infection is often that your site is shut down. Your site could also end up on a blacklist if you are not actively monitoring and scanning your site for malware and indicators of compromise.
Hacker Motive #6: Phishing Campaigns
Phishing involves using legitimate-appearing emails to try and trick a user into performing some sort of action, such as logging in to a fake online banking site. Compromised WordPress sites can be used as a source of phishing emails being sent out, and they can host phishing pages posing as a different site in order to collect sensitive information..
Our Security Services Team has seen many cases where WordPress sites were compromised and then a phishing kit was installed. A phishing kit is essentially a bundle of files used to create a webpage resembling a legitimate site such as Google Drive or an online banking site. In these cases, your site would act as a free host for malicious attackers hosting a phishing page to harvest user details.
Links to these webpages are then provided in phishing emails, which are emails that appear to come from a legitimate source. The attacker is hoping users will click on the link in the email and provide their credentials, or other sensitive information, on the phishing page.
The vast majority of the time, phishing campaigns are used to target user credentials for services such as banking sites or corporate assets in hopes of stealing data from those accounts to sell on the dark web. Again, phishing campaigns are predominantly built as a means to monetize, whether that be directly or indirectly by harvesting and selling user credentials.
Make sure to never supply credentials or sensitive information after clicking on a link in an email. If you receive what appears to be a notice from Wells Fargo or WordPress for example, make sure to visit that site directly to log in and view any notices. Closely examine the contents of any email, including the links within, and assume any link is malicious.
Hacker Motive #7: Malicious Redirects
Malicious redirects are used to redirect legitimate site users to an alternative site, typically in hopes of infecting the victim’s computer through a malicious download. Attackers like to install malicious software on user computers for a plethora of reasons, but it nearly always stems from one motive: monetization.
Attackers will also sometimes choose to redirect site users to a spam site in hopes of selling products to, again, try and monetize.
Malicious redirects are typically the result of a cross-site scripting vulnerability or an arbitrary option change vulnerability. The best way to protect your site from being exploited by these vulnerabilities would be to keep your themes, plugins, and core up to date and to run a web application firewall to help protect your site during interim periods when a vulnerability has been discovered but your site has not yet been updated to patch the vulnerable code. As a site visitor, the best way to protect yourself against malicious redirects is by using antivirus software on the devices you use to browse websites.
Hacker Motive #8: Command & Control Server With a Botnet
A botnet is a group of already compromised hosts, referred to as “zombies,” typically used by an attacker to try and infect additional hosts or execute a DDoS attack. The Command and Control, or C2, server is what attackers use to control the compromised hosts and direct them to perform many different actions. This is a motive where attackers don’t necessarily care about the visibility or traffic to your site, but rather they are looking to utilize your site’s hosting resources.
Back in December of 2018, we followed a massive brute-force campaign that used an attacker-created botnet to try and gain access to more WordPress sites. Essentially, an attacker created a command and control server used to control the many infected “zombie” WordPress sites and brute force other WordPress sites utilizing the resources of the already compromised WordPress sites.
The motive behind command and control botnets is also monetization through exploitation of vulnerabilities and to do so quickly at scale. These exploitations are often much more sophisticated and require the use of backdoors on affected systems to maintain persistence and to execute commands initiated by control servers. Once an attacker has control of a botnet, they can use any of the other monetization methods listed, or lease or sell it directly.
Hacker Motive #9: Cryptomining
Cryptomining infections occur when attackers infect sites with cryptominers, which are used to earn cryptocurrency, which is a digital form of currency utilizing a blockchain. Cryptocurrencies leverage blockchain technology to gain decentralization, transparency, and immutability. This is another scenario where the attacker’s motive doesn’t require your site to be visible or popular, but rather the site’s hosting resources (or visitors) are exploited to provide monetary gain to the attacker.
In order to protect yourself from hackers, you need to think like a hacker. By better understanding hacker motives for compromising vulnerable websites, you are better equipped to both diagnose affected systems in the event of a compromise as well as protect your WordPress site from becoming a victim of an attacker’s attempts at exploiting vulnerable code.
We hope that we have helped you better understand some of the common hacker motives and why they might target your WordPress site, so you can take the precautionary steps you need to stay safe, including protecting your site with Wordfence Premium.
If you have any friends or colleagues using WordPress, share this post with them. The safer we make the entire WordPress community by learning about hacker motives, the safer we all are from hackers looking to compromise WordPress sites.