{"id":3166,"date":"2013-08-12T10:00:51","date_gmt":"2013-08-12T14:00:51","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=3166"},"modified":"2013-08-12T10:00:51","modified_gmt":"2013-08-12T14:00:51","slug":"password-thieves-target-blogs-content-management-sites","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/12\/password-thieves-target-blogs-content-management-sites\/","title":{"rendered":"Password thieves target blogs, content management sites"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2046348\/password-thieves-target-blogs-content-management-sites.html\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/web-security-100049707-large.jpg\" \/><\/a><\/p>\n<p>Brute force attacks to pry login credentials from content management sites like blogs have been growing as more data robbers use a short-term gain for a bigger payoff later on.<br \/>\nSuch sites are attractive targets because they tend to be less secure than other environments\u2014such as financial services\u2014and since they&#8217;re interactive by design, &#8220;drive-by&#8221; malware planted on them can infect a lot of users quickly, said David Britton, vice president of industry solutions at 41st Parameter.<br \/>\n&#8220;With these types of interactive sites being compromised, we see more evidence of the developing attack trend that is focusing less on direct financial gain and more on gathering more detailed personal data, allowing fraudsters to build much more complex social engineering attacks that result in an eventual larger payoff,&#8221; he said via email.<br \/>\nMore and more attackers are realizing that websites built on CMS platforms, like WordPress, are ripe for password picking. &#8220;This marks a sea change in attackers targeting the low-hanging fruit of these blog systems,&#8221; Matt Bing, a research analyst with Arbor Networks, said in an interview.<br \/>\nOne such brute force campaign was identified last week by Bing. Dubbed &#8220;Disco Fort&#8221; by the researcher, it&#8217;s using 25,000 infected Windows machines to support attacks on more than 6000 Joomla, WordPress, and Datalife Engine sites.<br \/>\nEasy passwords, easy pickings<br \/>\nWhat attackers are finding is that login credentials for many sites running popular CMS systems are easy to steal. &#8220;The common passwords that were used to successfully compromise sites were nothing very sophisticated,&#8221; Bing said.<br \/>\nOf the more than 6000 sites compromised by the campaign, the top ten passwords used to crack them were &#8220;admin,&#8221; &#8220;123456,&#8221; &#8220;123123,&#8221; 12345,&#8221; {domain}, &#8220;pass,&#8221; &#8220;123456789,&#8221; &#8220;1234 150,&#8221; &#8220;abc123&#8221; and &#8220;123321.&#8221;<br \/>\nBrute force may be overstating what campaigns like Disco Fort are doing, since performing billions of computations in order crack these sites&#8217; passwords isn&#8217;t in the attackers&#8217; game plan. In fact, they can crack many of these sites with very few CPU cycles.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2046348\/password-thieves-target-blogs-content-management-sites.html\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/security_2013-100019468-medium.png\" \/><\/a><\/p>\n<p>&#8220;You can find files on the Internet of the 100,000 most commonly used passwords that can crack more than 95 percent of accounts,&#8221; Girish Wadhwani, a product manager at Nok Nok Labs, said in an interview.<br \/>\nOnce Disco Fort compromises a site, it places &#8220;backdoor&#8221; software on it so its operator can upload and download files and execute commands.<br \/>\nIn a number of cases, the attacker installed tools that could be used to activate a drive-by exploit kit. However, no evidence was found that the tools were ever used.<br \/>\nHow the attacker is recruiting PCs for a botnet army is also a mystery at this point. &#8220;The best evidence we have is that social engineering is being used,&#8221; Bing said. &#8220;We found an executable that was the name of a book in Russian\u2014Michael Lewis&#8217; &#8220;The Big Short: Inside The Doomsday Machine&#8221;\u2014so it may have been trying to use that to trick users into installing the malware.&#8221;<br \/>\nShared vulnerabilities targeted<br \/>\nThe widespread use of off-the-shelf CMS systems has attracted attackers&#8217; attention because if they have an unknown vulnerability for one of them in their pocket, it can be used to compromise many websites.<br \/>\n&#8220;Hackers are always looking to get the most profit for the least work,&#8221; Barry Shteiman, a senior security strategist at Imperva, said an interview. &#8220;With these CMS systems, they can do their work once and then hack many, many sites.&#8221;<br \/>\nMany of CMS systems, like WordPress, are easy to use. That&#8217;s a good thing for users, but it&#8217;s not so good for site security. &#8220;The biggest issue with WordPress is that its users are not always the most technically savvy,&#8221; Michael Sutton, vice president of security research at Zscaler, said in an email.<br \/>\n&#8220;WordPress is designed to be fairly easy and straightforward to install,&#8221; he continued, &#8220;so security is an afterthought for many of its users.&#8221;<br \/>\nIn addition, many bloggers and other CMS users aren&#8217;t concerned about someone breaking into their Web locale because they believe they don&#8217;t have anything worth stealing. That may be true, but it doesn&#8217;t mean they don&#8217;t have something valuable to hackers.<br \/>\n&#8220;What they don&#8217;t realize is that hacking into a website has become all about distributing malware,&#8221; Marc Gaffan, founder of Incapsula, said in an interview. &#8220;If you have a lot of people coming to your website, it&#8217;s a great place to infect your visitors.&#8221;<br \/>\nvia <a href=\"http:\/\/www.pcworld.com\/article\/2046348\/password-thieves-target-blogs-content-management-sites.html\" target=\"_blank\">Password thieves target blogs, content management sites | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brute force attacks to pry login credentials from content management sites like blogs have been growing as more data robbers [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,8],"tags":[453,797],"class_list":["post-3166","post","type-post","status-publish","format-standard","hentry","category-security","category-social-media","tag-hackers","tag-passwords"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-P4","jetpack-related-posts":[{"id":3106,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/05\/attackers-reported-seeding-cloud-services-with-malware\/","url_meta":{"origin":3166,"position":0},"title":"Attackers reported seeding cloud services with malware","author":"NCCT","date":"August 5, 2013","format":false,"excerpt":"LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here. Traditionally, malware writers had distributed their malicious code from their own sites. But as security vendors get better\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6733,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/30\/drupal-users-assume-your-site-was-hacked-if-you-didnt-apply-oct-15-patch-immediately\/","url_meta":{"origin":3166,"position":1},"title":"Drupal users: Assume your site was hacked if you didn&#8217;t apply Oct. 15 patch immediately","author":"NCCT","date":"October 30, 2014","format":false,"excerpt":"Users of Drupal, one of the most popular content management systems, should consider their sites compromised if they didn\u2019t immediately apply a security patch released on Oct. 15. The unusually alarming statement was part of a \u201cpublic service announcement\u201d issued by the Drupal project\u2019s security team Wednesday. \u201cAutomated attacks began\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5852,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/27\/running-wordpress-got-webshot-enabled-turn-it-off-or-youre-toast\/","url_meta":{"origin":3166,"position":2},"title":"Running WordPress? Got webshot enabled? Turn it off or you\u2019re toast","author":"NCCT","date":"June 27, 2014","format":false,"excerpt":"A zero-day vulnerability in the popular TimThumb plugin for WordPress leaves many websites vulnerable to exploits that allow unauthorized attackers to execute malicious code, security researchers have warned. The vulnerability, which was disclosed Tuesday on the Full Disclosure mailing list, affects WordPress sites that have TimThumb installed with the webshot\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8907,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/05\/04\/huge-number-of-sites-imperiled-by-critical-image-processing-vulnerability-updated\/","url_meta":{"origin":3166,"position":3},"title":"Huge number of sites imperiled by critical image-processing vulnerability [Updated]","author":"NCCT","date":"May 4, 2016","format":false,"excerpt":"By Dan Goodin | Ars Technica Attack code exploiting critical ImageMagick vulnerability expected within hours. A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7570,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/05\/malicious-advertisements-on-major-sites-compromised-many-many-pcs\/","url_meta":{"origin":3166,"position":4},"title":"Malicious advertisements on major sites compromised many, many PCs","author":"NCCT","date":"February 5, 2015","format":false,"excerpt":"Attackers who have slipped malicious advertisements onto major websites over the last month have potentially compromised large numbers of computers. Several security vendors have documented attacks involving malicious advertisements, which automatically redirect victims to other websites or pages that silently attack their computer and install malware. \u201cWe certainly see malvertising\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7656,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/26\/the-harmful-code-recently-found-on-lenovo-machines-is-now-surfacing-in-other-apps\/","url_meta":{"origin":3166,"position":5},"title":"The harmful code recently found on Lenovo machines is now surfacing in other apps","author":"NCCT","date":"February 26, 2015","format":false,"excerpt":"As we previously reported, Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code. The appearance of the potentially harmful software was not only shocking to many, but also prompted researchers to look around to see if the adware (or similar code) made it\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=3166"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3166\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=3166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=3166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=3166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}