Jun 8, 2016 | Cybersecurity News, Internet Security News
A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device. The plugin then serves a compatible WordPress theme.
The plugin was one of the first to be able to distinguish whether a device was a standard mobile or a Smartphone, and as of the start of May, the plugin had been installed on more than 10,000 WordPress websites.
WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways
The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed a HEAD request for a file called /wp-mobile-detector/resize.php, even though the plugin had not been installed on the site.
Researchers at Plugin Vulnerabilities concluded that the request was made by an individual attempting to determine whether the plugin had been installed in order to exploit a vulnerability. After searching for reports of a known vulnerability and finding none, researchers investigated further and discovered the plugin had an arbitrary file upload vulnerability.
The vulnerability is straightforward to exploit and can be used to upload malicious files to the cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no checks to validate input from untrusted sources, an attacker would be able to insert a src variable containing a malicious URL and PHP code.
Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the WordPress plugin vulnerability has been exploited since May 27.
Since the discovery of the WP Mobile Detector plugin flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability. Any site owner that has the plugin installed should immediately update to version 3.6.
However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed, attackers could still have an active backdoor to the site allowing them to continue to upload malicious files or inject malicious code into webpages.
One of the easiest ways to check to see if a site has been compromised is to look for a directory called gopni3g in the site root. The directory will contain a story.php file, and “.htaccess and subdirectories with spammy files and templates,” according to Sucuri researcher Douglas Santos.
Jun 7, 2016 | Cybersecurity Advice, Cybersecurity News, Social Media
The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a new wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data.
Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms.
Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected.
These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have just been listed for sale online. These major data breaches had gone undiscovered until recently.
Extortion Email Schemes Threaten Exposure of Sensitive Data
Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained.
In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim’s social media contacts.
The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the affect it will have on relationships with friends and on social standing.
To stop the distribution of these data, victims are required to pay the attackers anywhere from 2 to 5 Bitcoin – Between $250 and $1,200. A Bitcoin address is sent in the email which the victims must use. This ensures the transaction remains anonymous.
After analyzing the extortion email schemes, the FBI has concluded that the attacks are the work of multiple individuals. The FBI has advised against paying the ransoms as this will only ensure that this criminal activity continues. Paying a ransom is no guarantee that further demands will not be received.
Any person receiving an email that they believe to be an extortion email scheme should contact their local FBI office and send a copy of the email with the subject “extortion E-mail scheme,” along with details of the Bitcoin address where payment has been asked to be sent.
Extortion email schemes are often sent out randomly in spam email; however, responding to an email will alert the attacker that the email account is active and is being checked. The best course of action is to ignore the email, to log into social media accounts and change all passwords, and to carefully monitor bank accounts and credit card statements. The FBI also advises individuals to ensure social media accounts are configured with the highest level of privacy settings and to be extremely careful about sharing any sensitive data online.
Jun 2, 2016 | Cybersecurity News, Internet Privacy, Internet Security News, Social Media
On May 12, the microblogging website Tumblr notified users of a data breach that occurred in 2013. The company had kept quiet about the number of site users that were affected, although it has since emerged that 65 million account credentials were stolen in the Tumblr data breach. Stolen email addresses and passwords were recently offered for sale on a Darknet marketplace called TheRealDeal.
Tumblr Data Breach Ranks as One of the 5 Biggest Data Breaches of All Time
The massive Tumblr data breach may not be the largest ever discovered, but it certainly ranks as one of the biggest, behind the breach of 360 million MySpace account details, the theft of 164-million LinkedIn account credentials, and the 152 million-record Adobe breach. All of these huge data breaches occurred in 2013 with the exception of the LinkedIn breach, which happened a year earlier.
These breaches have something else in common. They were all discovered recently and the stolen data from all four data breaches have been listed for sale on illegal Darknet marketplaces by the same individual: A Russian hacker with the account “peace_of_mind” – more commonly known as “Peace”. It is not clear whether this individual is responsible for all four of these data breaches, but he/she appears to have now obtained all of the data.
The person responsible for the theft appears to have been sitting on the data for some time as according to Tumblr, as the login credentials do not appear to have been used.
Fortunately, the passwords were salted and hashed. Unfortunately, it would appear that the SHA1 hashing algorithm was used, which is not as secure as the latest algorithms. This means that hackers could potentially crack the passwords. The passwords were also salted so this offers more protection for individuals affected by the Tumblr data breach. However, as a precaution, site users who joined the website in 2013 or earlier should login and change their passwords.
Do You Reuse Passwords on Multiple Sites?
Even if victims of the Tumblr data breach have changed their password on the site before 2013, they may still be at risk of having their online accounts compromised if their password has been used for multiple online accounts.
If you have been affected by the Adobe, LinkedIn, MySpace, or Tumblr data breach, and there is a possibility that you have reused passwords on any on other platforms it is strongly advisable to change all of your passwords.
Peace may not be the only individual currently in possession of the data, and it is highly unlikely that the data will only be sold to one individual.
If you are unsure if your login credentials have been compromised, you can check by entering your email address or username on haveibeenpwned.com
