Kayleigh Martin | Security Analyst, Hosting Specialist, & Website Designer

Archives: Projects


Hidden Credit Card Stealer Impacts Magento Sites


Magento is a popular eCommerce CMS platform used by business owners to sell a variety of items. Because the CMS accepts credit card information, it is a frequent target for attackers who exploit vulnerabilities and inject code that steals credit card information. In most cases, the attackers who target eCommerce platforms to steal credit cards are quite sophisticated, and therefore their malware is too. The piece of malware I recently found was carefully crafted to hide in an img tag to avoid detection.

Hiding in an img tag

An img tag is used for exactly what it sounds like – displaying an image. But in this particular case, the malware was base64 encoded and hidden within an img tag in place of a legitimate image reference. The base64-encoded content is followed by an onerror handler, which gets triggered if there’s an issue loading a file or image. Normally, if an image doesn’t load, the browser just shows a broken image icon. But in this case, the onerror event is being hijacked to run JavaScript instead. To summarize:

  • The credit card stealer is hidden inside a base64-encoded string within an img tag to help it avoid detection
  • An onerror event is triggered when the image or file fails to load
  • Normally this causes a broken image icon to appear in the browser
  • In this case however, the onerror event is being abused to execute malicious JavaScript instead

This carefully crafted piece of malware shows new ways attackers are injecting malware into Magento websites to avoid detection and keep their malware hidden as long as possible.

Would you like to read more? Visit the article at the Sucuri Blog.

https://blog.sucuri.net/2025/02/magento-credit-card-stealer-disguised-in-an-tag.html


Fake WordPress Plugin Impacts SEO


Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection, as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult. Attackers often hide the malicious plugin from the WordPress dashboard as well, which can make it harder to track down. Additionally, when creating fake malicious plugins, attackers give the plugin an innocent-sounding name so the directory is easily overlooked.

Casino SEO Spam

Spam impacting SEO is quite common and comes in a variety of forms. Some spam targets sites to promote casinos, pharmaceuticals, and more. This tactic is nothing new and has been going on for some time. What makes this particular sample of malware stand out is the innocent naming convention of the spam and the placement of the malware. The attackers that crafted this malware used the following techniques:

  • Created a fake plugin to hide within legitimate plugins in the wp-content/plugins folder
  • Gave the plugin an innocent-looking name, security-wordpress, to avoid detection
  • Encoded sections of the code to make it more difficult to track
  • Used an innocent looking domain to contain multiple spam links

Attackers are coming up with new techniques daily to avoid detection as long as possible and keep their malware active. This particular piece of code is a prime example of the ever-evolving landscape of malicious content, specifically SEO-related spam.

Would you like to read more? Visit the article at the Sucuri Blog.

https://blog.sucuri.net/2025/02/fake-wordpress-plugin-impacts-seoby-injecting-casino-spam.html


Secure a WordPress Site with an SSL


Securing a WordPress site with an SSL certificate is highly recommended for all website owners. By installing an SSL certificate, you are protecting any information passed back and forth between your site visitors and your web server. There are many benefits to adding an SSL certificate to your WordPress site, and it can be free to install!

An SSL certificate encrypts any data that gets passed back and forth between web browsers and the web server your WordPress site is hosted on. The term SSL stands for Secure Sockets Layer. Each browser will display whether a site is secured with an SSL certificate or not by showing a padlock right before the domain name in the URL bar at the top left. Browsers will also display a Secure or Not Secure message, depending on whether a certificate is installed or not.

WHAT DOES AN SSL CERTIFICATE DO?

SSL certificates protect the information that passes between a client's web browser and the web server your WordPress site is hosted on. Information that needs to be protected by encryption includes:

  • Credit Card Data
  • Email Addresses
  • Names
  • Login Details
  • Phone Numbers
  • Addresses
  • Any other personal information a client might provide

Would you like to read more? Visit this guide at Nifty WP.

https://niftywp.com/guides/ssl-guide/

Malicious WordPress Admin Creator


Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Review this blog piece to read more about a fake WordPress admin creator.


Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Injecting a malicious admin user into a WordPress site can allow attackers easy access back into a victim’s website after it has been cleaned. It is always recommended to review the WordPress administrators on your site often to best secure your site.

Important questions to ask when reviewing WordPress Admins

Some important questions to ask when determining whether a WordPress admin user is legitimate or not:

  • Do I recognize this WordPress admin?
  • Does the email address associated with the admin user appear safe?
  • When was this admin user created?
  • Does this admin user have any legitimate content attached to it?
  • Did I or someone from my team add this admin user?

Would you like to read more? Visit the article at the Sucuri Blog.

https://blog.sucuri.net/2021/12/wordpress-admin-creator-a-simple-but-effective-attack.html

Sites Compromised with Different Infections


An in-depth look at two pieces of malware that redirect victims to spammy casino websites. The discovery of two distinct infections within a singular site constitutes a significant finding, underscoring the importance of vigilant maintenance of updates and their inherent value.


Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels.

We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.

The discovery of two distinct infections within a singular site constitutes a significant finding, underscoring the importance of vigilant maintenance of updates and their inherent value.

Would you like to read more? Visit the article at the Sucuri Blog.

https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with-different-database-infections.html

How to Manage a WordPress Database


The WordPress database is a vital piece of the puzzle that allows a WordPress site to load. Learn how to utilize two common tools to manage a WordPress database – phpMyAdmin & Adminer.


The WordPress database stores the data unique to a WordPress site, ranging from WP admin users to posts and pages. Managing the database is an essential task when troubleshooting a WordPress site. This is where you can easily switch the theme and find your WordPress version. The two recommended pieces of software to manage a database are Adminer and phpMyAdmin.

phpMyAdmin

phpMyAdmin is a common piece of software used to manage databases. You can view and download this software on their verified website. This software is often preinstalled on many hosting servers for easy access to manage databases.

Adminer

Adminer is a piece of software used to manage a WordPress database. It is not as common as phpMyAdmin, but it is quite useful and easy to use, as it is a single PHP file. To utilize Adminer, all you need to do is upload the PHP file to your file structure and access it via a browser directly on your site.

Would you like to read the full guide? View it here.

https://niftywp.com/guides/database-management/

Fake jQuery Domain Redirects Site Visitors


An in-depth look at a piece of malware that redirects victims to a fake malicious website by mimicking a popular domain. It was quite fun researching this fake domain and writing a blog piece on it that is featured on the Sucuri Blog.


A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing. The infection is injected at the top of legitimate JavaScript files and executes a script from the following malicious domain: https://jquery0[.]com/JkrJYcvQ

At first glance, this domain appears to be legitimate. However, attackers chose the domain name to deceive webmasters. It’s nearly identical to https://jquery.com, the website of the popular JavaScript library jQuery.

It was quite fun researching this fake domain and writing a blog piece on it that is featured on the Sucuri Blog.

Would you like to read more? Visit the article at the Sucuri Blog.

https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html

How to Fix a 500 Internal Server Error


A 500 Internal Server Error can occur on a WordPress site for many different reasons. This error can easily frustrate a website owner as it is very generic, yet also happens to be one of the most common errors a WordPress site experiences. Below are useful tips to remember before troubleshooting a broken WordPress site:

    • Review each troubleshooting method to get a WordPress site working again. You may need to perform multiple steps to get a site functional again. (Disable plugins & your theme for example.)

    • When disabling a configuration file like an .htaccess file, also check the directories above your webroot and disable any found there when troubleshooting.

    • Always back up your website before replacing any files.

Sometimes a restore is the best & fastest option!

What causes a 500 Internal Server Error?

Because a 500 Internal Server Error is a generic response, there are many different reasons a site may succumb to this error. WordPress is a powerful CMS where many plugins & themes can be added to make each site unique; this also creates more entry points and room for errors to occur. A 500 Internal Server Error can occur for the following reasons:

    • Plugin conflicts

    • Theme conflicts

    • php.ini/.user.ini file issues

    • .htaccess/web.config file issues

    • Corrupted core files

    • PHP memory limit problems

Above are common examples as to what causes this error to occur on a WordPress site. Let’s move on to the next section to review how to troubleshoot this error to determine where this issue stems from.

Would you like to read more? Visit the full guide here.

https://niftywp.com/guides/500-error-guide/

Kayleigh Martin | Let's Connect - km@kayleighmartin.com