Creativity knows no bounds, and criminals are some of the most creative people around. The world of cybersecurity is no stranger to attacks that rely on out-of-the-box thinking.
One new case involves fake WordPress plugins that not only masquerade as the popular UpdraftPlus but also hide themselves from the user's view so they can work silently without being noticed.
According to a post by Sucuri, attackers have been installing plugins disguised as UpdraftPlus, a backup and restore plugin, to carry out malicious activities on websites.
More about the fakers:
- The names of the fake plugins include (but are not limited to) initiatorseo and updrat123.
- The fake plugins copy version 1.16.16 of UpdraftPlus (released earlier this year).
- UpdraftPlus currently has more than 2 million active installs.
- The fake plugins hide from the dashboard if your browser doesn’t use specific User-Agent strings (which help to identify the browser name, version, OS details etc.)
- The plugins are using backdoors to provide entry to attackers
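Because these plugins hide from the dashboard, checking for them means looking at the plugins directory on disk. The following is an added example, not code from Sucuri or from this article: it flags the two directory names listed above, plus any other directory whose PHP header claims to be UpdraftPlus. The genuine directory name `updraftplus` and the idea that the fakes reuse the copied header text are assumptions.

```python
import re
import sys
from pathlib import Path

# Directory names listed in the article; the list is not exhaustive.
KNOWN_FAKE_SLUGS = {"initiatorseo", "updrat123"}
# Assumption: the genuine plugin is installed as wp-content/plugins/updraftplus.
GENUINE_SLUG = "updraftplus"
# WordPress reads "Plugin Name:" and "Version:" from a comment header in a plugin's PHP file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)


def read_header(php_file):
    """Return the header fields found in the first 8 KiB of a PHP file."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192)
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.decode().lower(), value.decode(errors="replace"))
    return fields


def scan_plugins(plugins_dir):
    """Return (slug, reason) pairs for directories that look like UpdraftPlus impostors."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        slug = entry.name
        if slug.lower() in KNOWN_FAKE_SLUGS:
            findings.append((slug, "directory name listed in the article"))
            continue
        for php in sorted(entry.glob("*.php")):
            hdr = read_header(php)
            name = hdr.get("plugin name", "")
            # A header that says UpdraftPlus outside the genuine directory needs review.
            if "updraftplus" in name.lower() and slug != GENUINE_SLUG:
                findings.append((slug, f"claims to be {name!r} {hdr.get('version', '?')}"))
                break
    return findings


if __name__ == "__main__":
    # Usage: python scan_plugins.py /path/to/wp-content/plugins
    for slug, reason in scan_plugins(sys.argv[1]):
        print(f"{slug}: {reason}")
```

A hit on the header check is a prompt to compare that directory against a clean copy of the plugin, not proof of compromise by itself.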
WTH- What’s the threat?
Through the backdoor, the attackers have been found to:
- Upload arbitrary files to the infected website
- Send POST requests to download these files from a remote URL
- Upload web shells
- Upload random files with malicious scripts to site root directories
- Use these files to carry out brute-force attacks on other websites
Anything else about fake plugins?
They are neither new nor harmless. Victims could be seriously affected by the kind of attacks they can facilitate. Because they come disguised as popular, trustworthy counterparts, they could instantly put millions of users at risk.
Sucuri says, “Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining.”
Which plugins do you use? Do you know any fake plugins we all should watch out for?
Stay tuned, stay safe.