Attackers are increasingly targeting abandoned and barely maintained websites for hosting phishing pages, according to a new study from Kaspersky.
In many cases, phishers' focus is on WordPress sites because of the sheer number of known vulnerabilities in the widely used content management system and its numerous plug-ins.
Large Number of Compromised Websites
Researchers at Kaspersky recently counted 22,400 unique WordPress websites that threat actors had compromised between mid-May and the end of July to host phishing pages. The number included websites that attackers were literally able to walk into because they provided open access to the control panel, as well as sites that attackers had to break into via vulnerability exploits, credential theft, and other means. Kaspersky detected 200,213 attempts by users to visit phishing pages that threat actors had hosted on these websites.
"Both long-neglected and actively maintained websites may be targeted this way," Kaspersky said in a report this week. "In particular, hackers tend to compromise smaller websites whose owners cannot immediately recognize their presence."
Phishing continues to be one of the most popular initial access vectors for attackers because of just how successful they have been with it. Fundamental to that success is their ability to create convincing websites and pages that users are likely to trust enough to share their credentials and other sensitive information.
Kaspersky researchers found that to improve the con, phishing operators sometimes leave a compromised website's main functionality untouched even as they publish phishing pages on the site. "A visitor would never guess the site has been hacked: every section is where it is supposed to be, and only relevant information can be seen," Kaspersky said. Instead, the attackers hide their phishing pages inside new directories that are not accessible on the website's menu, the security vendor said.
Long-neglected domains are also attractive to attackers because phishing pages can remain active on them for a long period. This is especially significant for attackers given the relatively brief lifecycle of phishing pages in general. In December 2021, Kaspersky released a report that summarized its analysis of the lifecycle of phishing pages. The study showed that 33% of phishing pages became inactive within a single day of going live. Of the 5,307 phishing pages that Kaspersky researchers analyzed for the study, 1,784 stopped working after the first day, with many becoming inactive in just the first few hours. Half of all pages in the study ceased to exist after 94 hours.
For threat actors, the task of breaking into abandoned and barely maintained websites is often simple because of the security holes that exist in the environment. Just last year, researchers and vendors disclosed a total of 2,370 vulnerabilities in WordPress and its plugins. The most common of these include cross-site scripting, authorization bypass, SQL injection, and information disclosure.
Kaspersky found that typically, when an attacker breaks into a WordPress site via a vulnerability, they upload a WSO Web shell, a malicious script that gives attackers complete remote control over the website. The attackers then use the Web shell to break into the compromised website's admin panel and start putting fake pages on it. They also use the control panel to store credentials, bank card data, and other sensitive information that a user might be tricked into entering on the website. When an attacker leaves access to the control panel open, anyone on the Internet can then get access to the data, Kaspersky said.
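The two tell-tale signs described above, a phishing kit dropped into a directory that the site's menu never links to and a Web shell uploaded into the WordPress tree, can both be surfaced by a file-system audit of the document root. The following script is an added example written for this article; it is not Kaspersky's tooling or anything from the report. It walks a WordPress install and flags unknown top-level directories, PHP files at the root that are not part of a stock install, PHP files under wp-content/uploads (where WordPress never needs executable code), and files whose contents match a few commonly documented Web-shell strings. The allowlist of core files, the marker regex and the sample directory tree it builds are all assumptions constructed for this example.

```python
"""Audit a WordPress document root for phishing drop zones and Web shells.

Added example for this article; the allowlists, the content heuristics and
the sample site built by build_fixture() are constructed assumptions.
"""
import os
import re
import tempfile

# Directories a stock WordPress install has at the document root.
KNOWN_ROOT_DIRS = {"wp-admin", "wp-includes", "wp-content"}

# Core PHP files that legitimately live at the document root of a stock install.
KNOWN_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# Content heuristics chosen for this example (not taken from the report):
# eval-of-decoded-payload loaders, the 'FilesMan' action string that WSO-style
# shells commonly expose, and direct command execution helpers.
SHELL_MARKERS = re.compile(
    rb"eval\s*\(\s*base64_decode|FilesMan|passthru\s*\(|shell_exec\s*\("
)


def audit_wordpress_root(root):
    """Walk `root` and return a sorted list of (reason, relative_path) findings."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        parts = [] if rel_dir == "." else rel_dir.split("/")

        # A top-level directory that is not part of WordPress is the classic
        # place for a hidden phishing kit that the site menu never links to.
        if len(parts) == 1 and parts[0] not in KNOWN_ROOT_DIRS:
            findings.add(("unknown_root_dir", rel_dir))

        for name in filenames:
            rel = name if not parts else f"{rel_dir}/{name}"
            if not name.lower().endswith(".php"):
                continue
            # Extra PHP at the root that a stock install does not ship.
            if not parts and name not in KNOWN_ROOT_PHP:
                findings.add(("unexpected_root_php", rel))
            # The uploads tree holds media; executable PHP there is a red flag.
            if parts[:2] == ["wp-content", "uploads"]:
                findings.add(("php_in_uploads", rel))
            # Cheap content check for Web-shell strings (first 1 MiB only).
            with open(os.path.join(dirpath, name), "rb") as fh:
                if SHELL_MARKERS.search(fh.read(1_000_000)):
                    findings.add(("shell_marker", rel))
    return sorted(findings)


def build_fixture():
    """Create a constructed sample site in a temp dir and return its path.

    It mixes a clean core, a clean theme, a fake 'image' that is really a
    shell-like PHP file in uploads, and a hidden 'secure-login' phishing dir.
    """
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-login.php": b"<?php // stock login page (constructed stand-in)",
        "wp-admin/admin.php": b"<?php // stock admin bootstrap (constructed stand-in)",
        "wp-content/themes/demo/functions.php": b"<?php add_action('init', 'demo_init');",
        "wp-content/uploads/2023/08/image.php":
            b"<?php /* constructed sample */ $default_action = 'FilesMan'; "
            b"eval(base64_decode('...'));",
        "secure-login/index.php":
            b"<form method='post'><input name='password' type='password'></form>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for reason, path in audit_wordpress_root(build_fixture()):
        print(f"{reason:20s} {path}")
```

Run it against a real document root with `audit_wordpress_root("/var/www/html")` (path assumed). The allowlist approach deliberately errs toward noise: a legitimate plugin that drops a PHP file at the root will be flagged, which is acceptable for a periodic audit on a small site, and far cheaper than the alternative of only noticing a hidden login page after victims report it. Pair it with a check of file modification times and the access log for requests to directories the site never links to.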
"Seasoned cybercriminals hack legitimate websites as a way of setting phishing traps," Kaspersky said. "Both long-neglected and actively maintained websites may be targeted this way," especially when the websites are small, and the operators are ill-equipped to detect malicious activity.
Kaspersky's blog offered tips on how WordPress website operators can detect if an attacker has hacked their website and is using it to host phishing pages.