Episode 71: Hackers Targeting COVID-19 Fears
With many of us under either lockdown or shelter-in-place orders due to the COVID-19/Corona virus, fear and stress are rampant. This additional stress lowers our critical thinking capabilities and increases our vulnerability. Hackers targeting these human vulnerabilities are using the global pandemic to attempt exploitation through numerous scams and phishing campaigns. We also cover plugin vulnerabilities affecting tens of thousands of sites as well as a new product from Wordfence, Fast or Slow, a global website speed profiler.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:05 Coronavirus scams found and explained
4:48 HHS.gov open redirect used by coronavirus phishing to spread malware
8:00 Vulnerabilities patched in the Data Tables Generator by Supsystic Plugin
9:52 Vulnerability in WPvivid Backup Plugin can lead To database leak
10:29 Wordfence launches Fast or Slow, a website profiling tool measuring site performance from major global locations
Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.
Have a story you’d like us to cover or someone you’d like to interview? Let us know! Contact us at press AT wordfence.com!
Episode 71 Transcript
Hi, and welcome to episode 71 of Think Like a Hacker. This is the podcast about WordPress, security, and innovation.
It is the end of March 2020, and we’re going through a lot worldwide. We’re not going to have an interview this week with so much going on. We are under shelter-in-place or lockdowns around the world as public health officials strive to keep as many people safe from coronavirus infection as possible. With death tolls rising around the world, it feels like we’re in a new era of humanity.
Obviously, we’re all under some elevated stress, and that elevated stress and the requisite fear is making us susceptible to making poor decisions. As I talked about last week, scientists say that when we are under no stress whatsoever, we can handle about seven, plus or minus two, bits of information at any given time, that means what we can perceive, and when we’re under stress or when we’re in a fear state, which is basically a stress state, that makes us even more susceptible to perceiving less. It makes us vulnerable.
I woke up this morning to a news story that a man here in the Phoenix area had died from taking an aquarium cleaning substance that he thought would protect him from coronavirus. When we’re in fear, we’re not thinking our best. It’s really time for us now to slow down, to put a buffer zone between the stimulus of this stressful environment that we are all now in, and our response to that environment. It’s important now for us to really get good data and make good decisions.
With that, our first story today is from Malwarebytes, and they went through some of the coronavirus scams that have been coming online. In their blog post, they noted that a Twitter user had published a web tracker finding that 3,600 host names came online in just 24 hours that were related to coronavirus or COVID-19, and RiskIQ reported that they had tracked more than 13,000 suspicious coronavirus-related domains over the course of a weekend, and on the very next day, more than 35,000 domains. All of these links are going to be in the show notes.
What does this tell us? It tells us that hackers are detecting vulnerability. They’re not detecting necessarily vulnerability in our systems, but they know that there’s vulnerability where there is fear, and they are targeting the weakest link. Most of these are phishing campaigns. They also detail a story that we’ve covered in the podcast a couple of episodes ago about an email phishing campaign sent by threat actors that were impersonating the World Health Organization with the intent of stealing credentials, usernames and passwords. They detail some incidents where threat actors are attempting to install malicious payloads on systems.
Now obviously, this shows that there’s going to be a growing threat, and this threat is not targeting our computers, it’s targeting us, and it’s targeting us because we are in vulnerable states, and what do we do when we’re in vulnerable states? The best thing you can do is to take care of yourself, not only your physical health and obviously boosting your immune system, getting decent sleep, getting decent exercise, but taking care of your mental health. Your mental health ends up being that which alleviates the vulnerability of fear and stress. It alleviates the vulnerability that hackers are attempting to target right now. Whether it is meditation, deep breathing, yoga, whatever you need to do in order to take care of yourself and your mental health is going to sort of be that firewall for your life, not just your mind, not just your email, but it’s going to help you make better decisions for you, for your family, everyone around you.
Our second article is an open redirect that’s being used. It is on the Health and Human Services (HHS.gov) domain, and this is being used by malicious attackers to spread coronavirus phishing malware. So basically, emails are being sent out through this open redirect on one of their web addresses, and an open redirect basically automatically redirects users between a source website and a target site, and malicious actors use these to target phishing landing pages or deliver malware payloads, because they can do so under the guise of a legitimate service, and with everybody attuned to wanting to get the latest information about coronavirus, having an open redirect on the hhs.gov Health and Human Services website, that is definitely something dangerous. So the open redirect is in the article on BleepingComputer using it to send out a malicious attachment containing a coronavirus.doc.lnk file that unpacks obfuscated VBScript that executes a Raccoon information stealer malware payload that’s coming from an IP address also detailed in that blog post.
Now, one of the things that coronavirus is really exposing, to me, is how as a society, we are not equipped well, in many ways, to care for our elders. Obviously, this virus is targeting the most vulnerable, those of our parents and grandparents, and it’s much like what’s happening with phishing and other scams like this. Obviously, we all get phishing emails, but those who are most vulnerable to these are the most trusting, and those of our parents and our grandparents, who often find themselves victims of these types of scams, whether it’s coming through an email or it’s on a phone call or an SMS message.
I would like to posit that it is our responsibility as security professionals, and even if you don’t think of yourself as a security professional, the fact that you’re listening to this podcast means that you are aware of security, and we have a responsibility to take care of the most vulnerable in our communities, whether that be the WordPress community or our communities at home. So talk to your parents, obviously, with social distancing at this time, but talk to them about these types of threats. Make sure that they are aware. Use antivirus on their computers if you can, and support them and educate them. Obviously, our first line of defense is going to be educating anyone who’s using the internet to realize that these types of threats exist.
On to some stories in the WordPress world, we have a couple of plugin vulnerabilities to cover. First of all, Chloe Chamberland, one of our Threat Analysts here at Wordfence, found vulnerabilities in the Data Tables Generator by Supsystic [plugin]. She did find some vulnerabilities in the pricing table by Supsystic plugin and worked with them and both of these plugins. Now, the Data Tables Generator plugin is a WordPress plugin installed on over 30,000 sites. These flaws were quite similar, allowed attackers to execute AJAX actions that could inject malicious JavaScript and forge requests on behalf of authenticated site users.
Wordfence premium users received firewall rules against this vulnerability’s exploit on January 21, 2020, and free received that rule on February 20th, so even though we hadn’t disclosed this because it was still being patched, you’ve been protected, if you’re using Wordfence, for quite some time. With all of the crazy stuff that’s happening in the world right now, the last thing you want to think about is updating plugins immediately, or even writing blog posts. There’s a lot of other things that are demanding our attention. So these are the times when it’s really good to have a firewall, because firewalls buy you time. Even though a vulnerability might exist in the world, you don’t even have to be aware of it. Your firewall is blocking malicious attacks, and as we’re seeing, hackers and malicious actors are much more active in times of great fear and vulnerability. So now’s the best time to make sure that everything is protected, including your WordPress site.
Our next story is a vulnerability that was patched in the WPvivid Backup plugin. This could lead to a database leak. This plugin was installed on over 30,000 sites as of a few weeks ago, and the issue has been fixed in version 0.9.36. It was another AJAX action that didn’t have an authorization check, so make sure that if you’re using that plugin that you have that patched.
Our final story. I saved the best for last, because there’s no fear associated with this. It’s not even a vulnerability. Wordfence is really happy to announce that we have a new product. This product, all free. It’s called Fast or Slow. You can find it at fastorslow.com. This tool helps you measure your WordPress — or other — site’s performance from various locations around the world. Now, if you’re interested in site performance, you’ve probably used various tools in order to measure whether your site was performing well for your users.
This tool is unique in that it looks at performance globally. So if you have a product or a service that is relevant to anyone in the world, say for example, software that you are selling online, and you would like to ensure that users in Australia, even though you’re based in, let’s say Kansas, that your users in Australia are having a good experience with your website. You can use Fast or Slow to see how Australians are experiencing your site, to see how South Americans are experiencing your site, how Europeans are. It’s a really neat tool. It’s free. You can put in your website, see how it’s performing, and we really recommend signing up for monitoring.
What this will do is run reports over time. So if your hosting provider, for example, is having an issue or you’re seeing degraded performance over time, Fast or Slow will let you know when a problem like that exists. It’s horrible to have those types of experiences sneak up on you, and you realize that your server is overloaded and not performing well, especially for a location where you have no visual experience. Fast or Slow will monitor this for you, let you know when your site might be having a problem, give you some relevant data that you can take to your developers, that you can take to your hosting provider, that you can take to heart and make better decisions in order to make sure that your site is serving your users.
With that, that is podcast episode 71 of Think Like a Hacker. Thanks for listening. If there is anything that Wordfence can do in order to support you during these very strange and different times, please, please reach out and let us know what we can do in order to be of service. We have been a remote team since our inception. All of us have our methodologies and procedures in place in order to be of service from where we’re at, and if things are shifting for you, please let us know how we can be of service, we’re here for you, and I just want to underscore again how important it is to take time during this experience to take care of your mental health. Your mental health is your firewall for your life. It’s going to allow you to really ascertain what you need to do for yourself, what you need to do for your family, what you need to do for your business in order to not only survive these troubled times, but to succeed within them.
If there’s anything I personally can do, reach out to me, Kathy [AT] wordfence.com. If there is someone that you would like me to bring on the podcast, let me know. And with that, we will wrap it up. Next week, we will have another episode, and hopefully even more good news to report.
Thanks for listening!
Comments
4:32 pm
Loved Fast or Slow! Thanks for setting that up. Aye, I know there are a gazillion similar sites (I use GT Matrix quite often) but each has a slight twist on the way they measure things. Your approach to show how things get loaded around the globe is neat — it allowed me to see that putting CloudFlare in front of my sites makes the whole world get a relatively similar response time and practically identical content.
Well done!
4:45 pm
Hi Gwyneth! Glad you like Fast or Slow. We'll have updates to it coming soon, and we think it will be a game changer. Stay tuned!