ProMiTech Blog

Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

This is an unscheduled public service announcement which we consider urgent and in the interests of the broader online community.
A phishing attack is being discussed in the security community today that allows an attacker to register a domain that appears identical to a known safe domain in the web browser. They can use this domain to launch phishing attacks that trick you into handing over your username and password information.
This attack makes it impossible to tell if you are on a safe site or a malicious site by looking at the location bar in your browser. This affects the current versions of Chrome and Firefox.
We have published a public service announcement that provides a working demonstration using a health care website. We also let you know how to fix the issue if you use Firefox and what to do if you are using Google Chrome.

Regards,

Mark Maunder
Wordfence Founder & CEO

REST API vulnerability

Since we released our disclosure on the WordPress core REST API vulnerability last week (affecting versions 4.7 and 4.7.1) our team has been monitoring active malware campaigns in the wild, with several in the past day.

There are still many websites that remain unpatched and vulnerable.

If you have not updated your site to WordPress 4.7.2 yet – do it now!

According to our firewall research team, there are over 65,000 pages already infected by hacking/defacement groups who are leveraging this vulnerability.

We suspect that these attacks will continue throughout the week with new ones serving SEO spam and other lucrative malware campaigns. We expect the rate of compromise to slow once the majority of vulnerable websites have been compromised.

Update WordPress to 4.7.2 immediately to protect yourself from these new campaigns.


Election Hack FBI/DHS report

On Friday we published research into the FBI/DHS report that many are viewing as proof of a US 2016 election hack by Russia.
Specifically we showed that a malware sample in the report is old, possibly of Ukrainian origin, an administrative tool for a hacker and is freely available.
We also analyzed the IP addresses that FBI and DHS provided and showed that they are in over 60 countries and belong to over 300 organizations with no clear Russian link.
Many of you have commented and have questions. Tonight we are publishing an FAQ that makes it clear what WordPress and Wordfence users need to know about the election hack data and our report.
It also answers a range of other questions you have had and it provides links to other research and press coverage. We have included an easy to use table of contents.

Regards,

Mark Maunder
Wordfence Founder & CEO

Vulnerability in PHPMailer

We’re publishing an unscheduled post this afternoon about a vulnerability in PHPMailer that emerged within the past 24 hours. This will have a wide impact on the PHP ecosystem, including on WordPress core.
About 24 hours ago the existence of a remote code execution vulnerability in PHPMailer was published by a researcher. They did not release a proof of concept. A proof of concept was made public a few hours ago, and developers are scrambling to release patches to their customers, including the WordPress core team.

Regards,

Mark Maunder
Wordfence Founder & CEO

Who is Really Behind the Ukrainian Brute Force Attacks?

After our post on Friday discussing the increase in brute force attacks on WordPress in December, we received a lot of feedback. A few readers reached out to me personally with some additional data.
A source in Kiev, Ukraine contacted me and this morning we chatted via Skype about the political and military situation in Ukraine.
We published an update a few minutes ago that shows who is likely behind the attacks and what their motivation might be.

Regards,

Mark Maunder
Wordfence Founder & CEO

Brute Force Attacks

During the past three weeks, we have been monitoring a steady increase in brute force attacks. The last few days have seen a rapid increase in the number of attackers.
This morning we have published the charts showing these changes and we identify some of the attackers. We also share data on which hosting provider networks are the largest sources of attacks.

Regards,

Mark Maunder
Wordfence Founder & CEO

REST API released in WordPress 4.7 exposes usernames

The new REST API released in WordPress 4.7 last week turns WordPress into an application framework. It allows a large number of applications and platforms to publish to WordPress and manage your WordPress site.
While this API will enable powerful new capabilities in WordPress, it also presents a new attack surface for hackers. This morning the Wordfence team released Wordfence 6.2.8, which includes protection that stops hackers from using the API to figure out your admin username.
In this morning's blog post, we describe how hackers can use the WordPress 4.7 API to list all usernames that have published posts on your website, and how we have added a new option in Wordfence that protects against this by default.

Regards,

Mark Maunder
Wordfence Founder & CEO

0-day vulnerability in the wild affecting Firefox and the Tor Browser Bundle

We're sending out this unscheduled emergency bulletin to alert you that there is a 0-day vulnerability in the wild that affects Firefox web browsers and the Tor Browser Bundle. The vulnerability emerged a few hours ago.
We recommend you temporarily switch to a non-Firefox-based browser until the Firefox dev team has a chance to release a fix. That should happen quite quickly.
We would like to encourage you to share this alert with the larger web community. It's unusual for us to send out a non-WordPress-related vulnerability, but the impact of this may be widespread. We also suspect that WordPress websites may be used as a watering hole to infect vulnerable web browsers using this new exploit.

Regards,

Mark Maunder
Wordfence Founder & CEO

Remote code execution vulnerability in the WordPress.org servers

We recently discovered a remote code execution vulnerability in the WordPress.org servers that distribute all core, theme and plugin updates to WordPress websites.
The vulnerability would have allowed an attacker to gain control of the WordPress auto-update system and potentially distribute malware to all WordPress websites with auto-update enabled. This is enabled by default.
An attacker could have used this to compromise up to 27% of the entire Web with a single hack. We confidentially communicated this to the WordPress team, they fixed the issue within a few hours and have awarded Wordfence lead developer Matt Barry a bounty for the report.
In today’s blog post we fully disclose the vulnerability, how it could have been exploited – and we include a few comments on how to better secure the WordPress auto-update system going forward.

Regards,

Mark Maunder
Wordfence Founder & CEO

Electmageddon: How to survive a DNS outage on November 8th

Today on the Wordfence blog we’re discussing the upcoming November 8th US election and we explain why it may result in widespread outages on the Web.
If you run a mission critical website and are technically minded, we explain how to configure your DNS so that you can survive the kind of outage that Dyn experienced two weeks ago, which impacted many brand name sites like Twitter and Netflix.

Regards,

Mark Maunder
Wordfence Founder & CEO