Reports suggest, fake plugin names like “initiatorseo” or “updrat123” were used by hackers to gain and maintain backdoor access with compromised websites. It was observed that the internal code of these fake plugins differs from each other, but they possess a similar structure and header comments from the popular backup/restore plugin UpdraftPlus. The researchers stated that, “The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23, 2019.”

These fake plugins are created easily by hackers with the help of readily available resources or by adding corrupted web shells into the source code of the original plugin. The reason why these fake WordPress plugins remain hidden to the user’s plain sight is because they do not affect a user’s (WordPress) Dashboard unless they are using browsers with specific User-Agent strings. The attack on a website is carried out by these plugins once they establish a backdoor entry. Hackers are intimated about the servers’ GET request, to which they respond with a POST request consisting of infected files. These malicious files or web shells are then infused in the websites’ root directories. Researchers also mentioned that, “compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or crypto mining.

An earlier independent study done by WPScan stated that WordPress plugins are the biggest source of vulnerabilities and data breaches in WordPress. It accounts to 54 percent of the global WordPress vulnerabilities count.

The post WordPress Websites Infected with Fake Plugins appeared first on CISO MAG | Cyber Security Magazine.