Websites Being Targeted By Threat Actors To Set Up Phishing Pages

New research is out detailing how hackers target smaller websites, take them over and set up phishing pages on them:

Abandoned websites end up captured by cybercriminals fairly often. A lack of maintenance and security patches means they are easy to compromise using a known exploit. Besides, on a long-neglected site, phishing pages can stay up for long periods of time, as no one monitors what gets published, which is exactly what scammers look for.

This does not mean malicious actors do not attack actively maintained sites, though. Smaller websites attracting little traffic are among those exposed to the hacking threat. Their owners may not be able to afford to spend enough money on information security or hiring a security professional, they may be unfamiliar with security settings, or they may be confident that their website is too small to be of any interest to hackers. However, to a phisher, the possibility of hacking the website is more important than its popularity, as links to scam pages are likely to be emailed or sent via instant messaging platforms. Therefore, even smaller websites are an attractive target for scammers.

According to W3Techs, 43.1% of all websites on the internet are powered by the WordPress content management system. There is a huge number of third-party plugins designed for extending the functionality of this popular platform. New vulnerabilities exploited by hackers are discovered both in plugins and in WordPress itself on a regular basis. The rest of this article will deal with phishing pages on hacked websites that are powered by WordPress.

Jack Nicholsen, CISO, Inversion6, had this to say:

Everyone should be concerned about the growing threat of phishing attacks on WordPress sites. These attacks can have a significant impact on businesses, both financially and reputationally. Hackers are increasingly targeting WordPress sites because they are a popular content management system (CMS) that is used by millions of websites. WordPress sites are also often less secure than other websites, as they may not be properly maintained or updated. Kaspersky found that hackers are using a variety of techniques to target WordPress sites, including:

  • Exploiting vulnerabilities in outdated software and plugins. WordPress plugins are a common way for hackers to gain access to a website. It is important to keep all plugins up to date and to only install plugins from trusted sources.
  • Phishing emails and social engineering attacks. Hackers will often send phishing emails that appear to be from a legitimate source, such as a bank or credit card company. The emails will often contain a link that, when clicked, takes the victim to a fake website that looks like the real website. Once the victim enters their personal information on the fake website, the attacker can steal it.
  • Brute-force attacks. Hackers will often use brute-force attacks to try to guess the passwords for WordPress accounts. It is important to use strong passwords and to enable two-factor authentication.

Security teams can take a number of steps to protect their WordPress sites from these attacks, including:

  • Keeping their websites up to date with the latest security patches. WordPress releases security patches regularly, and it is important to install these patches as soon as possible.
  • Using strong passwords and two-factor authentication. Strong passwords should be at least eight characters long and include a mix of letters (uppercase and lowercase), numbers, and symbols. Two-factor authentication adds an extra layer of security by requiring users to enter a code from their phone in addition to their password.
  • Installing a security plugin for WordPress. There are a number of security plugins available for WordPress that can help to protect your site from attacks.
  • Monitoring their websites for suspicious activity. Security teams should monitor their websites for suspicious activity, such as unusual login attempts or changes to the website’s code.
  • Training employees on how to identify and avoid phishing emails. Employees should be trained on how to identify and avoid phishing emails. They should be taught to never click on links in emails from unknown senders and to never enter their personal information into websites that they do not trust.

My advice would be that if you have a website that isn’t being maintained, take it down. And for everyone else, you should do everything possible to secure those websites so that they don’t get leveraged by threat actors for evil.
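As an added example (not code from the article, Kaspersky or Inversion6), the monitoring advice above, unusual login attempts and changes to the site's code, expressed as two small checks over constructed data: a sliding-window count of POSTs to /wp-login.php per client in an Apache-style access log, and a diff of two file-hash snapshots of the WordPress web root. The log lines, file paths and hash values are constructed placeholders, and the 60-second / 4-attempt threshold is an assumed starting point to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access log (Apache combined-style); not from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2023:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1423
203.0.113.7 - - [10/Aug/2023:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1423
203.0.113.7 - - [10/Aug/2023:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1423
203.0.113.7 - - [10/Aug/2023:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1423
203.0.113.7 - - [10/Aug/2023:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Aug/2023:09:03:10 +0000] "GET /about/ HTTP/1.1" 200 8812
198.51.100.4 - - [10/Aug/2023:09:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def find_login_bursts(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {ip: peak_count} for clients that POST to /wp-login.php at least
    `threshold` times inside any `window`-long interval (sliding window)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            per_ip[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

def diff_manifest(baseline, current):
    """Compare two {path: sha256} snapshots of the web root. A PHP file that
    appears or changes between scans is how a dropped phishing page shows up."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified}

# Constructed manifests with placeholder hashes (a real scan would hash the files).
BASELINE = {"index.php": "h1", "wp-config.php": "h2", "wp-content/themes/t/functions.php": "h3"}
CURRENT = {"index.php": "h1", "wp-config.php": "h2", "wp-content/themes/t/functions.php": "h3x",
           "wp-content/uploads/2023/08/secure-login.php": "h4"}
if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG))    # {'203.0.113.7': 5}
    print(diff_manifest(BASELINE, CURRENT))
```

The single successful login (HTTP 302) from 198.51.100.4 is not flagged, while the rapid run of attempts from 203.0.113.7 is; the manifest diff surfaces both the modified theme file and the new PHP file under uploads.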
