
Category

Security

Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites

If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.

The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to the WordPress repository.

Wordfence warns you if you are using a plugin that has been removed from the repository. During the past months you would have been warned several times, with a ‘critical’ level warning, that this plugin has been removed.

It turns out that this plugin did have “unknown security issues”. Let’s start with a timeline of what happened to Display Widgets, why it was removed three times from the repository and allowed back in each time and then finally removed again a fourth time a few days ago.

The 3-step plan to make your website harder to hack

Original Article: PC World, by Robert Lemos

Online attackers are increasingly targeting websites to make a statement, send spam or flood someone else’s network. Protecting your online brand requires vigilance.

When a big website like Lenovo’s gets hacked, it’s news. But most such attacks take place under the radar, at smaller sites lacking the skills or time to protect themselves. Take the legions of WordPress-based sites, which got a rude awakening last year when many thousands of them were hacked. Don’t be one of those sites. Even if you don’t use WordPress, you can learn important lessons from what those poor blighters have been through.

Target agrees to pay $10 million to data breach victims


 CBS News Original article

MINNEAPOLIS — Target has agreed to pay $10 million under a proposed settlement in a class-action lawsuit stemming from a massive 2013 data breach, the company confirmed to CBS News.

“We are pleased to see the process moving forward and look forward to its resolution,” Target spokesperson Molly Snyder told CBS News late Wednesday.

The proposed settlement, which must be approved by a federal district court judge, creates a settlement account that could pay individual victims up to $10,000 in damages, according to court documents.

The data breach, one of the largest of its kind, occurred between Nov. 27 and Dec. 15, 2013, just as the busy holiday shopping season was underway. Information from as many as 40 million credit and debit cards was stolen.

Investigators believe the thieves captured the information by installing software on payment terminals customers used to swipe their payment cards at checkout. Nearly all of Target’s 1,797 stores in the United States were affected.

At least 15 lawsuits were filed by the end of 2013, seeking millions of dollars in damages. The harm was so widespread that the Department of Justice began its own investigation into the breach.

A court hearing on the settlement proposal was scheduled for Thursday in St. Paul, Minnesota, where Target’s headquarters is located.

The news comes as Target recently announced layoffs of 1,700 employees — or 13 percent of the workforce — at its Minneapolis headquarters, reports CBS Minnesota.

WordPress Security: Nulled Scripts and the CryptoPHP Infection


Our friends over at Fox-IT based in Delft in the Netherlands just contacted Wordfence with some amazing research they’ve just published. If you’re technically minded and want as much detail as possible, I recommend you skip this blog entry and head straight over to the Whitepaper that Fox-IT has published on the CryptoPHP backdoor (It’s 50 pages). I’ve summarized the details and our response:

Nulled scripts are commercial web applications that you can obtain from pirated websites that have been modified to work without a license key. They are the web equivalent of pirated software. They include commercial WordPress themes and plugins.

Wordfence Original Article

It’s come to our attention courtesy of Fox-IT that nulled scripts are being distributed via several websites with a sophisticated infection pre-installed. Fox-IT have dubbed it CryptoPHP because of the fact that it encrypts data before it sends it to command and control servers.

<?php include('assets/images/social.png'); ?>

If you’re a PHP developer you will immediately recognize this as looking strange: It is a PHP directive to include an external file containing PHP source code, but the file is actually an image. Inside this image file is actual PHP and the code is obfuscated (hidden through scrambling) to try and hide the fact that it’s malicious.

If you’re a Wordfence customer and you are doing scans, the default settings for Wordfence do not scan image files for infections. We are aware of these kinds of infections, so a while back we added an option to scan image files as if they are PHP code. With the detection we just added, however, Wordfence will detect the ‘include’ directive above in your PHP source, so even if you haven’t enabled image-file scanning, you will still catch all known variants of this infection provided you are running the newest version of Wordfence.
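The two checks described above (an include directive that points at an image, and PHP code hidden inside an image file) can be run over a theme or plugin directory as follows. This is an added example, not Wordfence's or Fox-IT's detection code; the function names, the extension list and the sample theme tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = ("png", "jpg", "jpeg", "gif", "bmp", "ico", "webp")
# include/require[_once] whose quoted argument in the same statement ends in an image extension
INCLUDE_IMAGE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;\n]*?['\"]([^'\";\n]+\.(?:%s))['\"]" % "|".join(IMAGE_EXT),
    re.IGNORECASE,
)
# Only the long open tag: "<?" or "<?=" alone can occur by chance in binary image data
PHP_OPEN_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def find_image_includes(php_source):
    """Return (line_number, included_path) for every include of an image file."""
    return [(n, m.group(1))
            for n, line in enumerate(php_source.splitlines(), 1)
            for m in INCLUDE_IMAGE.finditer(line)]

def image_contains_php(data):
    """True if raw image bytes contain a PHP open tag."""
    return PHP_OPEN_TAG.search(data) is not None

def scan_tree(root):
    """Walk root; report image includes in .php files and PHP tags in image files."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower().lstrip(".")
        if ext == "php":
            for n, target in find_image_includes(path.read_text(errors="replace")):
                findings.append(("include-of-image", rel, n, target))
        elif ext in IMAGE_EXT and image_contains_php(path.read_bytes()):
            findings.append(("php-in-image", rel, 0, ""))
    return findings

def demo():
    """Build a constructed theme tree (placeholder payload, not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "nulled/footer.php": b"<?php include('assets/images/social.png'); ?>\n",
            "nulled/assets/images/social.png": b"\x89PNG\r\n\x1a\n<?php /* placeholder */ ?>",
            "clean/header.php": b"<?php include 'nav.php'; ?>\n<img src=\"logo.png\">\n",
            "clean/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        }
        for name, data in files.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit from either check is a reason to inspect the file by hand; a comment that happens to mention both `include` and an image name on one line will also match the first pattern.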

Fox-IT has determined that the purpose of the malware is, currently, to engage in black-hat SEO by injecting links to other, presumably malicious, websites into your content. However this infection is sophisticated and it communicates with command and control servers that can instruct it to do a variety of tasks including the ability to upgrade itself. So this is a classic botnet infection which turns all infected websites into drones that can be instructed to do just about anything, from sending spam email to SEO spam to hosting illegal content to performing attacks on other websites.

The researchers think they may have identified the location of the author. Inside the code of the malware is a user-agent (browser) check that checks to see if the web browser user-agent equals ‘chishijen12’. If it does, then the application is instructed to output all PHP errors to the browser, presumably for debugging purposes. Fox-IT found an IP address that is associated with that user-agent and the IP is based in the state of Chisinau in Moldova. The name of the state is similar to the user-agent string, which gives their theory some credence.

This infection doesn’t just affect WordPress but affects Drupal and Joomla too. The detection we’ve added will actually detect the infection in Drupal or Joomla source code too if that lives under your WordPress directory.

If you’re an enterprise customer and are using an IDS like Snort or the EmergingThreats ruleset, Fox-IT have created Snort signatures which are in the whitepaper and I see that EmergingThreats have updated their open ruleset today to detect this.

You can find the full white paper discussing this new threat here and it includes quite a bit of technical detail if you’re a developer or information security researcher.

Please help spread the word about the danger involved in downloading or distributing nulled scripts and help keep the community safe.