Tactics of WordPress attackers similar to bank assaults

Cybercriminals are attacking servers hosting WordPress sites in an attempt to build a potent botnet that would be eerily similar to one used last year to attack major U.S. financial institutions.

The motives of the latest attackers are not known. However, their tactics resemble those used to build the infamous Brobot botnet, in which the attackers compromised PHP-based websites powered by the Joomla and WordPress content management systems. It was used to attack financial institutions including U.S. Bancorp, JPMorgan Chase & Co., Bank of America, PNC Financial Services Group and SunTrust Banks.

The similarities have some security experts worried. "I don't think we can know exactly what the motivations for the attacks are right now, but the concern is this attack could be building something very similar and its scale is pretty significant," said Matthew Prince, co-founder and chief executive of CloudFlare.


In both attacks, the criminals used a botnet comprised of home personal computers to attack hosting servers in order to build a far more powerful network. In the latest assaults, the hackers are using a so-called "brute-force" attack, which involves trying many combinations of commonly used user names and passwords.

"They're going through the low-hanging fruit of the most common passwords and if they get in, they get in; if not, they move on to the next site," said Marc Gaffan, co-founder and vice president of business development at Incapsula.

Attackers are targeting servers hosting WordPress-powered blogs that are most likely being used by individuals and small businesses, which tend to use much weaker sign-in credentials than large organizations.

Hosting servers are much more valuable to attackers than home computers because they have more processing power and have Internet connections with a lot more bandwidth, both of which are needed to launch large-scale denial-of-service attacks against organizations.

The latest attacks are taking their toll on service providers, Gaffan said. Because multiple websites are hosted on one server, the large amount of incoming traffic in a password attack will slow the performance of the overall system.

"The fact that [someone] is being targeted creates a load on the server that makes the performance of the other residents on that server basically intolerable," Gaffan said.

In addition, if a site is compromised and used to launch attacks on other servers, the service provider risks being blacklisted as a source of malicious traffic, Gaffan said.

The hackers are using about 100,000 PCs to attack the WordPress servers, according to Prince. CloudFlare and other security firms reported a huge uptick in password attempts against WordPress sites starting last week. At its peak, CloudFlare recorded 16 million attempts an hour on its network.

To avoid being locked out after too many password attempts, the attackers use a different IP address each time. If they are successful, the attackers open a backdoor that lets them control the site, even if the user changes the password.
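Because each guess arrives from a different address, a per-IP lockout counter never trips; counting failures per targeted site across all source addresses does. The sketch below is an added example, not code from the article or from any vendor it quotes, and it assumes a vhost-prefixed access log in which a failed WordPress login is a POST to wp-login.php answered with 200; the log lines, host names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: vhost-prefixed combined log format; a failed WordPress login is a
# POST to wp-login.php answered 200 (a successful one is redirected with 302).
LINE = re.compile(r'(?P<site>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(lines):
    """Return (site, ip, time) for every failed wp-login.php attempt."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0].endswith("/wp-login.php")):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["site"], m["ip"], ts))
    return events

def per_ip_lockouts(events, limit):
    """Classic lockout: (site, ip) pairs with at least `limit` failures."""
    counts = defaultdict(int)
    for site, ip, _ in events:
        counts[(site, ip)] += 1
    return {pair for pair, n in counts.items() if n >= limit}

def distributed_targets(events, window, min_failures, min_ips):
    """Sites with many failures from many addresses inside one time window."""
    by_site = defaultdict(list)
    for site, ip, ts in events:
        by_site[site].append((ts, ip))
    flagged = set()
    for site, hits in by_site.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            ips = {ip for _, ip in hits[start:end + 1]}
            if end - start + 1 >= min_failures and len(ips) >= min_ips:
                flagged.add(site)
                break
    return flagged

def sample_log():
    """Constructed lines: 12 guesses from 12 addresses, plus one clumsy user."""
    fmt = '{} {} - - [01/Jan/2024:10:00:{:02d} +0000] "POST /wp-login.php HTTP/1.1" {} 3500'
    lines = [fmt.format("blog.example", f"198.51.100.{i + 1}", i * 5, 200) for i in range(12)]
    lines += [fmt.format("shop.example", "203.0.113.7", s, c) for s, c in ((1, 200), (9, 200), (20, 302))]
    return lines
```

On the constructed log, a three-strikes per-IP rule locks out nobody, while the per-site view flags blog.example and leaves the user who mistyped twice on shop.example alone.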

Web-hosting company HostGator said symptoms that a site has been compromised are a very slow backend or an inability to log in. "In some instances your site could even intermittently go down for short periods," the company said in a blog post.


Stories by Antone Gonsalves
