Huge botnet with hundreds of WordPress sites threatens the Web

Thanks to the work of researcher Denis Sinegubko, it was possible to identify a huge botnet which, day after day, seems to get bigger and bigger.

We are talking about a structure that, a few hours ago, included more than 700 websites built on the WordPress CMS, with an unquantifiable number of users potentially at risk. As explained by Sinegubko himself, the visitor traffic on compromised websites is itself exploited to force entry into other ones.

The compromised platforms apparently use JavaScript commands. This is a tiny piece of code (just 3 kilobit) through which cybercriminals try to spread their activity to other websites. The code, in addition to attempting to force the site username, tries to match it against the same 100 common passwords to “unhinge” WordPress sites.

Hundreds of WordPress sites compromised through a real “avalanche effect”

The researcher explained in detail how the cybercriminals work, describing how the malicious code spreads and how new sites are recruited into the botnet:

  1. In the first phase, cybercriminals obtain the URLs of WordPress sites to attack through scanning systems, search engines or databases;
  2. The second phase involves searching for credentials on those sites, forcing entry into the administration panel;
  3. At this point, the cybercriminals insert the malicious script into the site;
  4. With the site compromised for all intents and purposes, the script is downloaded by visitors and installs itself in their browsers;
  5. Finally, the malicious code in turn searches for new potential sites in which to install itself.

According to Sinegubko, the numbers behind this mechanism are enormous. In fact, the researcher speaks of “tens of thousands of requests” which, despite a huge number of 404 errors, still see 0.5% of attempts succeed, with a mechanism that repeats itself to keep enlarging the botnet.

A sort of “avalanche effect” that is difficult to stem. According to Sinegubko, while waiting for an adequate corrective patch for WordPress and/or for the main browsers in circulation, the NoScript app can be useful to prevent infections, even if it is not easy to use and is therefore recommended only for particularly expert users.
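A site owner's view of the mechanism described above, as an added example that is not from Sinegubko's research or this article: because the attempts come from many visitors' browsers, a per-IP limit sees only a few requests per address, so this Python example groups login POSTs per minute across addresses. The combined log format, the `/wp-login.php` path, the thresholds, the foreign-Referer signal and the sample hosts are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions (not from the article): combined log format, the stock
# WordPress login path, and the thresholds below.
LOGIN_PATH = "/wp-login.php"
MIN_DISTINCT_IPS = 4   # many sources ...
MAX_PER_IP = 3         # ... each sending only a few attempts
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def find_distributed_bruteforce(lines, own_host):
    """Flag minutes where many distinct client IPs each send a few login POSTs.
    Also reports the share of those POSTs whose Referer is another site
    (assumed here to be what a browser-run script would leave behind)."""
    per_minute = defaultdict(lambda: defaultdict(int))  # minute -> ip -> POSTs
    foreign = defaultdict(int)                          # minute -> foreign-Referer POSTs
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(LOGIN_PATH):
            continue
        minute = m["ts"][:17]                           # "12/Mar/2024:10:15"
        per_minute[minute][m["ip"]] += 1
        ref_host = urlparse(m["referer"]).hostname      # None for "-" or empty
        if ref_host and ref_host != own_host:
            foreign[minute] += 1
    alerts = []
    for minute, per_ip in per_minute.items():
        total = sum(per_ip.values())
        if len(per_ip) >= MIN_DISTINCT_IPS and max(per_ip.values()) <= MAX_PER_IP:
            alerts.append({"minute": minute, "ips": len(per_ip), "posts": total,
                           "foreign_referer_share": foreign[minute] / total})
    return alerts

# Constructed sample log lines (documentation IP ranges, made-up hosts).
_FMT = '{ip} - - [12/Mar/2024:10:{mm}:02 +0000] "{req} HTTP/1.1" 200 4211 "{ref}" "Mozilla/5.0"'
SAMPLE = [_FMT.format(ip=f"203.0.113.{i}", mm="15", req="POST /wp-login.php",
                      ref="http://infected.example/post") for i in range(1, 6)]
SAMPLE += [
    _FMT.format(ip="203.0.113.1", mm="15", req="POST /wp-login.php", ref="-"),
    _FMT.format(ip="198.51.100.7", mm="20", req="POST /wp-login.php",
                ref="https://shop.example/wp-login.php"),
    _FMT.format(ip="198.51.100.8", mm="15", req="GET /", ref="-"),
]

if __name__ == "__main__":
    print(find_distributed_bruteforce(SAMPLE, "shop.example"))
```

No single address in the sample exceeds two attempts, so only the aggregate view across addresses raises the alert; the lone login at 10:20 from the site's own page is left alone.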
