WordPress JetPack Exploit Hijacks Websites for Tech-Support Scam

Bad actors are using compromised WordPress.com accounts and the popular Jetpack plugin to add a malicious plug-in of their own that turns compromised websites into a vehicle for perpetrating a fake tech support scam.  Attackers are using stolen user names and passwords from other breaches and trying these credentials on WordPress.com to find accounts.  They are even searching whois records for website domain names registered with the same email account as the stolen user name.

For this attack to work certain conditions need to exist.

  • You need to have a WordPress.com account.
  • You need to have JetPack installed on your website.
  • JetPack must be configured to allow management from a WordPress.com account.
  • The WordPress.com account credentials must be compromised.
  • The WordPress.com account does not have two-factor authentication activated.

Here is what’s happening:

  • An attacker signs into a WordPress.com account using a stolen user name and password.
  • If the WordPress.com account is configured to use JetPack for administration, the attacker will install a malicious plug-in named “pluginsamonsters.”
  • The plugin gives the attacker unfettered administrative access of the targeted website, allowing them to install the tech support pop-up exploit code, or potentially other exploit code.
  • The “pluginsamonsters” plug-in is visible on the WordPress.com dashboard, but not the affected site’s plug-ins dashboard.

To prevent this attack from working:

  • Change your WordPress.com password and make sure to use a password longer than 12 characters.
  • Enable two-factor authentication on your WordPress.com account.

Here is another example of how one of my favorite security options, two-factor authentication, can prevent unauthorized access of an import web resource, this time your web site.  To remove this malicious plugin and any associated malicious code that may have already been installed, use the free version of Wordfence security.

More information:

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.