
Blogs, other content management sites targeted by password thieves

John P. Mello Jr. | Aug. 12, 2013
Brute force attacks aimed at snaring login credentials are on the upswing.

Brute force attacks that pry login credentials from content management sites like blogs have been growing, as more data thieves accept a short-term gain in exchange for a bigger pay-off later on.

Such sites are attractive targets because they tend to be less secure than other environments — such as financial services — and since they're interactive by design, "drive-by" malware planted on them can infect a lot of users quickly, said David Britton, vice president of industry solutions at 41st Parameter.

"With these types of interactive sites being compromised, we see more evidence of the developing attack trend that is focusing less on direct financial gain and more on gathering more detailed personal data, allowing fraudsters to build much more complex social engineering attacks that result in an eventual larger payoff," he said via email.

More and more attackers are realizing that websites built on CMS platforms, like WordPress, are ripe for password picking. "This marks a sea change in attackers targeting the low-hanging fruit of these blog systems," Matt Bing, a research analyst with Arbor Networks, said in an interview.

One such brute force campaign was identified Wednesday by Bing. Dubbed "Disco Fort" by the researcher, it's using 25,000 infected Windows machines to support attacks on more than 6,000 Joomla, WordPress and Datalife Engine sites.
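A botnet of the size described above spreads its guesses across thousands of source addresses, so each address makes only a handful of attempts and a per-IP lockout never fires. The detection below is an added example, not code from the article or from Arbor Networks: it keys on the target account instead and counts distinct source addresses within a time window. The log format is a constructed application auth log (one line per login attempt), not a real product's format, and the sample lines, addresses and timestamps are constructed for the example.

```python
"""Flag distributed password guessing against CMS accounts.

Added example. Assumes a constructed auth-log format:
    <ISO-8601 timestamp> result=<ok|fail> user=<account> src=<ip>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: six different hosts each try "admin" once within a few
# minutes, one host also tries "editor", and a legitimate user mistypes once.
SAMPLE_AUTH_LOG = """\
2013-08-07T10:00:01Z result=fail user=admin src=203.0.113.5
2013-08-07T10:00:09Z result=fail user=admin src=198.51.100.17
2013-08-07T10:00:15Z result=fail user=admin src=203.0.113.77
2013-08-07T10:00:31Z result=fail user=alice src=192.0.2.10
2013-08-07T10:00:44Z result=ok user=alice src=192.0.2.10
2013-08-07T10:01:02Z result=fail user=admin src=198.51.100.201
2013-08-07T10:01:40Z result=fail user=admin src=203.0.113.9
2013-08-07T10:02:13Z result=fail user=admin src=198.51.100.42
2013-08-07T10:02:50Z result=fail user=editor src=203.0.113.77
2013-08-07T10:30:00Z result=fail user=admin src=203.0.113.5
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Return a list of (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def per_ip_failure_counts(events):
    """The classic per-source view: how many failures did each IP produce?"""
    return Counter(src for _, result, _, src in events if result == "fail")


def distributed_guessing(events, window=timedelta(minutes=10), min_sources=5):
    """Return {user: max distinct source IPs} for accounts whose failed logins
    came from at least min_sources different addresses inside one window."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "fail":
            failures[user].append((ts, src))

    alerts = {}
    for user, fails in failures.items():
        fails.sort()
        start = 0
        # Sliding window over the time-ordered failures for this account.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            sources = {src for _, src in fails[start:end + 1]}
            if len(sources) >= min_sources:
                alerts[user] = max(alerts.get(user, 0), len(sources))
    return alerts


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    print("busiest single IP made", max(per_ip_failure_counts(evts).values()), "failures")
    print("accounts under distributed guessing:", distributed_guessing(evts))
```

On the sample, no single address exceeds two failures, so a per-IP rule with any sensible threshold stays silent, while the per-account view reports six distinct sources against "admin" inside the window; the attempt half an hour later falls outside it and does not inflate the count.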

What attackers are finding is that login credentials for many sites running popular CMS systems are easy to steal. "The common passwords that were used to successfully compromise sites were nothing very sophisticated," Bing said.

Of the more than 6,000 sites compromised by the campaign, the top 10 passwords used to crack them were "admin," "123456," "123123," "12345," {domain}, "pass," "123456789," "1234 150," "abc123" and "123321."

Brute force may be overstating what campaigns like Disco Fort are doing, since performing billions of computations in order to crack these sites' passwords isn't in the attackers' game plan. In fact, they can crack many of these sites with very few CPU cycles.

"You can find files on the Internet of the 100,000 most commonly used passwords that can crack more than 95% of accounts," Girish Wadhwani, a product manager at Nok Nok Labs, said in an interview.
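The defensive counterpart of a common-password file is a deny list checked at account creation and password reset. The validator below is an added example, not code from the article, Nok Nok Labs or any CMS project. Its deny list is constructed from the article's own top-10 list (a deployment would load a far larger file, as the quote describes); the "{domain}" entry is treated as a pattern and rejected by matching the site's domain labels, and trailing digits are stripped so that simple variants of a denied word are caught too. The domain name and passwords in the usage block are constructed.

```python
"""Reject the weak passwords the article lists, plus domain-derived ones.

Added example; deny list constructed from the article's top-10 list.
"""
import re
import unicodedata
from typing import Iterable, Optional, Set

# Literal entries from the article's list. "{domain}" is not a literal; it is
# handled by domain_tokens() below.
ARTICLE_TOP_PASSWORDS = frozenset({
    "admin", "123456", "123123", "12345", "pass",
    "123456789", "1234 150", "abc123", "123321",
})


def domain_tokens(domain: str, min_len: int = 4) -> Set[str]:
    """Pieces of 'blog.example.com' an attacker would try as a password:
    individual labels, dotted suffixes and the same suffixes with dots removed.
    Labels shorter than min_len (e.g. 'com') are dropped to limit false rejects."""
    labels = domain.lower().strip(".").split(".")
    tokens: Set[str] = set()
    for i in range(len(labels)):
        tokens.add(labels[i])
        tokens.add(".".join(labels[i:]))
        tokens.add("".join(labels[i:]))
    return {t for t in tokens if len(t) >= min_len}


def normalize(password: str) -> str:
    """Case-fold and strip whitespace so 'Admin ' still hits the deny list."""
    return unicodedata.normalize("NFKC", password).strip().lower()


def password_rejection_reason(password: str, site_domain: str,
                              deny_list: Iterable[str] = ARTICLE_TOP_PASSWORDS,
                              min_length: int = 12) -> Optional[str]:
    """Return None if the password is acceptable, otherwise a short reason.
    Deny-list checks run before the length check so the reason is informative."""
    denied = set(deny_list)
    norm = normalize(password)
    if norm in denied:
        return "on common-password deny list"
    # 'admin2013' is the denied word with digits appended; treat it the same.
    if re.sub(r"\d+$", "", norm) in denied:
        return "deny-listed word with digits appended"
    for token in domain_tokens(site_domain):
        if token in norm:
            return "contains the site's own domain name"
    if len(password) < min_length:
        return "too short"
    return None


if __name__ == "__main__":
    site = "blog.example.com"  # constructed
    for candidate in ("admin", "Admin2013", "Example.com!2013", "short",
                      "correct horse battery staple"):
        print(repr(candidate), "->", password_rejection_reason(candidate, site))
```

Order matters for usability as well as safety: a user who picks "admin" is told it is a known password, not merely that it is short, and domain matching uses the normalized form so that capitalisation or surrounding whitespace does not bypass the check.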

Once Disco Fort compromises a site, it places "backdoor" software on it so its operator can upload and download files and execute commands.

In a number of cases, the attacker installed tools that could be used to activate a drive-by exploit kit. However, no evidence was found that the tools were ever used.

How the attacker is recruiting PCs for a botnet army is also a mystery at this point. "The best evidence we have is that social engineering is being used," Bing said. "We found an executable that was the name of a book in Russian — Michael Lewis' The Big Short: Inside The Doomsday Machine — so it may have been trying to use that to trick users into installing the malware."
