Vulnerable Plugin Exploited in Spam Redirect Campaign

Some weeks ago a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. It also allows for arbitrary file uploads, which is where we have been seeing the infections start. This plugin has over 400,000 installations so we have seen a sustained campaign to infect sites with this plugin installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin. Continue reading Vulnerable Plugin Exploited in Spam Redirect Campaign at Sucuri Blog.

Magecart Swiper Uses Unorthodox Concatenation

MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We’ve said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group. A Hacked Magento Website Some time ago a client of ours came to us with a heavily infected Magento e-commerce website from where credit card details were being […]

Online Credit Card Theft – A Brief Overview of Online Fraud and Abuse – Part 2

In my previous post about ecommerce credit card swipers I described the general overview of the online ecommerce environment as well as some of the reasons behind why websites become compromised with this type of malware. In this post I will go into some more detail of the taxonomy of web-based credit card swipers, review some good online resources on vulnerabilities as well as some steps to protect yourself, your website and your customers. Different Types of Swipers Now that we have reviewed the broader ecommerce web environment in the previous post, let’s take a look at some actual swipers […]

Online Credit Card Theft – A Brief Overview of Online Fraud and Abuse – Part 1

Many clients that we work with host and operate ecommerce websites which are frequent targets of attackers. The goal of these attacks is to steal credit card details from unsuspecting victims and sell them on the black market for a profit. The online ecommerce environment is diverse, constituting many different content management system (CMS) platforms and payment gateways all of which have their own features and risks. In this post I will attempt to demystify this cluttered environment, provide some context for the different attack vectors, and reasons how customer’s credit card details become compromised. Continue reading Online Credit Card […]

Malicious Redirects Through Bogus Plugin

Recently we have been seeing a rash of WordPress website compromises with attackers abusing the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites. The payload is the following bogus plugin located here: ./wp-content/plugins/plugs/plugs.php At first glance these appear to be very unorthodox domains: hxxp://xn--o1aofd[.]xn--p1ai hxxp://xn--80ady8a[.]xn--p1ai hxxp://xn--80adzf[.]xn--p1ai hxxp://xn--g1aey4a[.]xn--p1ai hxxp://xn--g1asqf[.]xn--p1ai hxxp://xn--i1abh6c[.]xn--p1ai However, they are using what is known as “punycode”, where everything after the xn-- is unicode. Continue reading Malicious Redirects Through Bogus Plugin at Sucuri Blog.

Password Attacks 101

According to the 2020 Data Breaches report by Verizon, 25% of all breaches involved the use of stolen credentials. And for small businesses, that number hit 30%. Brute force attacks have a similar share, accounting for 18% of all breaches, and 34% of those for small businesses. Why are password attacks like brute forcing so effective? And how exactly do they work? Let’s take a look at three kinds of password attacks that present a real threat to sites and businesses of all sizes. Continue reading Password Attacks 101 at Sucuri Blog.

WordPress Redirect Hack via

Malicious redirect is a type of hack where website visitors are automatically redirected to some third-party website: usually it’s some malicious resource, scam site or a commercial site that buys traffic from cyber criminals (e.g. counterfeit drugs or replica merchandise). Types of Malicious Redirects There are two major types of malicious redirects: server-side redirects and client-side redirects. Server-side redirects take place before a visitor even loads a page. The most common techniques used by server-side redirect hacks are “rewrite” rules in Apache .htaccess files or PHP code injected into legitimate files. Continue reading WordPress Redirect Hack via at Sucuri […]

WooCommerce Credit Card Skimmer Hides in Plain Sight

Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration. Continue reading WooCommerce Credit Card Skimmer Hides in Plain Sight at Sucuri Blog.

Object Injection Vulnerability Affects WordPress Versions 3.7 to 5.7.1

If you haven’t updated your WordPress website since October 2013, this wouldn’t affect you, but we strongly hope that is not the case! There’s a new object injection vulnerability which affects WordPress versions 3.7 to 5.7.1. Be sure to get updated to 5.7.2 as soon as possible! According to WPScan, the new object injection vulnerability is due to versions of PHPMailer library between 6.1.8 and 6.4.0. The original CVE can be found here. Continue reading Object Injection Vulnerability Affects WordPress Versions 3.7 to 5.7.1 at Sucuri Blog.

How to Find & Fix Mixed Content Issues with SSL / HTTPS

Note: We’ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole. With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: Mixed content warnings. Today, let’s look at these common errors, what causes them, and how you can fix them. Continue reading How to Find & Fix Mixed Content Issues with SSL / HTTPS at Sucuri Blog.