Phishing Operators Utilize Abandoned Websites to Lure Victims

Attackers are increasingly exploiting abandoned and poorly maintained websites to host phishing pages, according to a report from cybersecurity firm Kaspersky. The study found that phishers are particularly focusing on WordPress sites due to the large number of known vulnerabilities in the popular content management system and its plugins.

Between mid-May and the end of July, researchers at Kaspersky identified 22,400 unique WordPress websites that had been compromised by threat actors to host phishing pages. Some of these websites were easily accessible to attackers as they provided open access to the control panel, while others required the exploitation of vulnerabilities, credential theft, or other means for the attackers to gain access.

Kaspersky detected 200,213 attempts by users to visit phishing pages hosted on these compromised websites. The phishers target both neglected and actively maintained websites, with a particular focus on smaller sites where owners may not immediately recognize the presence of the attackers.

Phishing remains a popular initial access vector for attackers due to its success rate. Attackers are able to create convincing websites and pages that users trust enough to share their credentials and sensitive information. To improve their success, phishing operators often leave the main functionality of a compromised website untouched while publishing phishing pages on it. They hide these pages in new directories that are not accessible through the website’s menu, making it difficult for visitors to identify the hack.

Neglected websites are attractive to attackers because phishing pages can remain active on them for extended periods. This is significant considering the relatively short lifecycle of phishing pages. Kaspersky’s previous report on the lifecycle of phishing pages showed that 33% of such pages became inactive within a day of going live. Many stopped working within hours, and half ceased to exist after 94 hours.

Attacking abandoned and poorly maintained websites is often straightforward for threat actors due to the security holes that exist in these environments. In 2021 alone, researchers and vendors disclosed a total of 2,370 vulnerabilities in WordPress and its plugins. These vulnerabilities include cross-site scripting, authorization bypass, SQL injection, and information disclosure.

When an attacker exploits a vulnerability in a WordPress site, they often upload a WSO Web shell, a malicious script that grants remote control over the website. They use this Web shell to access the compromised website’s admin panel and create fake pages. The control panel also serves as a repository for stolen credentials, bank card data, and other sensitive information that users might be tricked into entering. When the attacker leaves the control panel accessible, anyone on the internet can access the data stored within.

“Seasoned cybercriminals hack legitimate websites as a way of setting phishing traps,” Kaspersky explained. Both neglected and actively maintained websites are targeted in this way, especially when they are small and operators lack the resources to detect malicious activity.

To help WordPress website operators identify if their website has been hacked and is hosting phishing pages, Kaspersky provided some tips on their blog. These include monitoring website access logs, examining website content for unfamiliar files or modifications, and installing security plugins to detect and mitigate potential threats.
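The log-monitoring tip, combined with the earlier observation that phishing pages sit in new directories no menu links to, can be turned into a simple check. The following is an added example, not code from Kaspersky or the original article: it scans web server access logs in Combined Log Format for directories that serve content, are missing from the owner's baseline, and are never reached from another part of the site. The baseline set, host name, directory names and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: client, request line, status and referer are captured.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

def top_dir(url):
    """First directory of a URL path: /a/b/c.php -> 'a'; docroot files -> ''."""
    return urlsplit(url).path.rsplit("/", 1)[0].strip("/").split("/")[0]

def unfamiliar_dirs(log_lines, known_dirs, site_host):
    """Directories that serve content, are not in the owner's baseline, and are
    never reached from another part of the site (i.e. not linked from any menu)."""
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "linked": 0, "clients": set()})
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, url, status, referer = m.groups()
        d = top_dir(url)
        if not d or d in known_dirs or not status.startswith("2"):
            continue  # docroot file, baseline directory, or failed probe
        s = stats[d]
        s["hits"] += 1
        s["posts"] += method == "POST"
        s["clients"].add(client)
        # A referer inside the same directory is the page linking to itself.
        ref = urlsplit(referer)
        s["linked"] += ref.hostname == site_host and top_dir(referer) != d
    return {d: s for d, s in stats.items() if s["linked"] == 0}

KNOWN = {"wp-admin", "wp-content", "wp-includes", "blog"}  # constructed baseline
SAMPLE_LOG = [  # constructed log lines, documentation addresses only
    '198.51.100.7 - - [10/Jul/2023:10:01:02 +0000] "GET /blog/hello/ HTTP/1.1" 200 8300 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2023:10:02:10 +0000] "GET /shop/ HTTP/1.1" 200 9100 "https://example.com/blog/hello/" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Jul/2023:10:04:11 +0000] "GET /portal/login.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Jul/2023:10:04:40 +0000] "POST /portal/login.php HTTP/1.1" 200 120 "https://example.com/portal/login.php" "Mozilla/5.0"',
    '203.0.113.99 - - [10/Jul/2023:10:05:03 +0000] "GET /portal/login.php HTTP/1.1" 200 4410 "https://mail.example.net/" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jul/2023:10:06:00 +0000] "GET /backup/db.sql HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for d, s in unfamiliar_dirs(SAMPLE_LOG, KNOWN, "example.com").items():
        print(f"/{d}/ hits={s['hits']} posts={s['posts']} clients={len(s['clients'])}")
```

On the sample data only `/portal/` is reported: `/shop/` is new but linked from the blog, and the request to `/backup/` returned 404. A flagged directory that also receives POST requests is the first place to look for unfamiliar files on disk.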
