Cybersecurity chaos: Malware targets WordPress Websites
Date: 6 May 2021
WordPress, one of the most popular platforms for creating websites, has been targeted due to a security vulnerability that hackers discovered in a common plugin used with the site. This has spelt chaos in the world of cybersecurity. Hackers used Gootloader, a new type of downloader malware, to upload malicious software using the plugin.
This attack is a huge deal in the world of cybersecurity simply because of the number of websites it can impact. Recent studies have shown that 39.5% of all websites in 2021 use WordPress hosting services.
In this blog, we go into the details of this attack, its effect on websites across the world, and how such attacks can be prevented in the future.
How Gootloader Affects Websites
Gootloader uses malicious SEO techniques to get into relevant Google search results. Gootloader can modify existing websites so that they change how certain visitors see them.
The gootloader malware attack initially injects a few additional lines of code. Eventually, it may download dozens of pages of fake content. All of this is done to buy extra time to remain undetected so that the cyber-attack can proceed and conceal the end result.
Hackers usually entice a business professional to head to a compromised website and then have them click on a link. Once the web user completes this action, the hacker attaches ransomware, a banking trojan, or a credential stealer.
Consequences of the Gootloader Malware Attack
The Gootloader malware attack has targeted millions of websites and seeks to affect business professionals who speak Korean, German, and English. The cyber-attack has compromised dozens of legitimate WordPress websites across various industries, including:
- Hotel and hospitality
- High-end retail
- Visual arts
Defiant, which provides the Wordfence web firewall, has reported blocking more than 1.7 million attacks within a few months, which represents more than half of WordPress sites that use the firewall. WordPress is installed on hundreds of millions of websites.
WordPress worked with its partners and helped send security patches to users once it learned about the problem. Since not all users used the security patch, WordPress added an auto-update feature for WordPress themes and plugins. This ensures that sites are always running the most recent version of available WordPress themes and plugins while also staying safe.
Spotting Gootloader Malware Attacks
As these attacks target legitimate sites, it can be difficult to spot them. However, some things to look out for include:
- Filename of “*agreement*.js” for English site users
- Filename of “*herunterladen*.js” for German site users
How to Keep Your Website Safe
Cybersecurity is especially important to businesses and websites today. Here are some ways to keep your website safe from Gootloader and other cyber threats:
- Ensure the document is from the person it was sent from.
- Inspect the full URL before downloading files and match them to their source.
- Use an endpoint detection and response product. Use good anti-virus software and malware protection to protect yourself from computer viruses.
- Use only vetted plugins and legitimate software.
- Ensure all plugins used on your WordPress site and other sites are kept up to date.
- Maintain backups for websites in case they ever become compromised.
- Use a secure server to host your content.
- Use Windows attack surface reduction rules to prevent JS and VBscript from launching content you download.
It is also imperative to train and educate your employees in the basics of cybersecurity so that such attacks on your business website or online store can be avoided. Implement a certified cybersecurity training that teaches employees how to:
- Verify the authenticity and security of files
- Safely browse the internet
- Avoid potential security risks, such as free versions of paid software
- Inspect file inspections
You should also always work with the premise that your website will most likely get attacked at some point. Therefore, it is best to have a solid cybersecurity incident response plan in place which adheres to the NIST Cybersecurity Framework and equips your staff for quick detection and removal of malware.
If you’re really serious about your cybersecurity and business reputation and if you handle particularly sensitive information, it may even be worthwhile getting your organisation's cyber resilience audited by an external expert.
You can opt for quick health-checks or detailed breach readiness assessments in order to evaluate how safe your online infrastructure really is and how prepared your staff is for a cyber-attack. Conducting scenario-based cyber crisis tests is also a good idea.
Gootloader poses a serious cybersecurity threat to websites and web users across the globe. However, by implementing the cybersecurity strategies discussed above and investing a little in employee awareness and training, you can likely avoid it and similar threats.
Author: David Lukić
David Lukić is an information privacy, security and compliance consultant at IDstrong.com. The passion to make cyber security accessible and interesting has led David to share all the knowledge he has.