Blogs, other content management sites targeted by password thieves

Brute force attacks to pry login credentials from content management sites like blogs have been growing as more data robbers use a short-term gain for a bigger pay-off later on.

Such sites are attractive targets because they tend to be less secure than other environments -- such as financial services -- and since they're interactive by design, "drive-by" malware planted on them can infect a lot of users quickly, said David Britton, vice president of industry solutions at 41st Parameter.

"With these types of interactive sites being compromised, we see more evidence of the developing attack trend that is focusing less on direct financial gain and more on gathering more detailed personal data, allowing fraudsters to build much more complex social engineering attacks that result in an eventual larger payoff," he said via email.

[See also:Ã'Â Tactics of WordPress attackers similar to bank assaults]

More and more attackers are realizing that websites built on CMS platforms, like WordPress, are ripe for password picking. "This marks a sea change in attackers targeting the low-hanging fruit of these blog systems," Matt Bing, a research analyst with Arbor Networks, said in an interview.

One such brute force campaign was identified Wednesday by Bing. Dubbed "Disco Fort" by the researcher, it's using 25,000 infected Windows machines to support attacks on more than 6,000 Joomla, WordPress and Datalife Engine sites.

What attackers are finding is that login credentials for many sites running popular CMS systems are easy to steal. "The common passwords that were used to successfully compromise sites were nothing very sophisticated," Bing said.

Of the more than 6,000 sites compromised by the campaign, the top 10 passwords used to crack them were "admin," "123456," "123123," 12345," {domain}, "pass," "123456789," "1234 150," "abc123" and "123321."

Brute force may be overstating what campaigns like Disco Fort are doing, since performing billions of computations in order crack these sites' passwords isn't in the attackers' game plan. In fact, they can crack many of these sites with very few CPU cycles.

"You can find files on the Internet of the 100,000 most commonly used passwords that can crack more than 95% of accounts," Girish Wadhwani, a product manager at Nok Nok Labs, said in an interview.

Once Disco Fort compromises a site, it places "backdoor" software on it so its operator can upload and download files and execute commands.

In a number of cases, the attacker installed tools that could be used to activate a drive-by exploit kit. However, no evidence was found that the tools were ever used.

How the attacker is recruiting PCs for a botnet army is also a mystery at this point. "The best evidence we have is that social engineering is being used," Bing said. "We found an executable that was the name of a book in Russian -- Michael Lewis' The Big Short: Inside The Doomsday Machine -- so it may have been trying to use that to trick users into installing the malware."

The widespread use of off-the-shelf CMS systems has attracted attackers' attention because if they have an unknown vulnerability for one of them in their pocket, it can be used to compromise many websites.

"Hackers are always looking to get the most profit for the least work," Barry Shteiman, a senior security strategist at Imperva, said an interview. "With these CMS systems, they can do their work once and then hack many, many sites."

Many of CMS systems, like WordPress, are easy to use. That's a good thing for users, but it's not so good for site security. "The biggest issue with WordPress is that its users are not always the most technically savvy," Michael Sutton, vice president of security research at Zscaler, said in an email.

"WordPress is designed to be fairly easy and straight-forward to install," he continued, "so security is an afterthought for many of its users."

In addition, many bloggers and other CMS users aren't concerned about someone breaking into their Web locale because they believe they don't have anything worth stealing. That may be true, but it doesn't mean they don't have something valuable to hackers.

"What they don't realize is that hacking into a website has become all about distributing malware," Marc Gaffan, founder of Incapsula, said in an interview. "If you have a lot of people coming to your website, it's a great place to infect your visitors."

Read more about data protection in CSOonline's Data Protection section.

Join the CSO newsletter!

Error: Please check your email address.

Tags disco fortarbor networkscmsapplicationsbrute forcesoftwaredata protection

More about Arbor NetworksArbor NetworksCMSImpervazScaler

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place