It’s easy to get lulled into a false sense of security when visiting a website you know – “I navigated directly to xyz.com so I know this isn’t a spoofed site. Surfing here, even downloading things from this site is safe.”
As the old Gershwin song goes, “It Ain’t Necessarily So.”
Dangers from Legitimate Sites
There are a couple of reasons why a recognized site is not necessarily safe. For one thing, there is “URL spoofing,” a type of attack that typically exploits bugs in web browsers to make a fake site appear to carry the URL of a legitimate one.
But even if you are on the legitimate xyz.com, it’s possible that their website was hacked and they don’t know it yet. WordPress sites are particularly vulnerable to this type of attack, and both internet users and administrators for WordPress sites need to be conscious of the problem and take protective measures.
eSentire, a cybersecurity company, has reported seeing dozens of legitimate WordPress sites that were compromised by Gootloader, a malicious downloader first identified as such by another cybersecurity firm, Sophos. Gootloader has been used to install ransomware, intrusion tools, and bank trojans.
Gootloader has also been used to facilitate “watering hole” attacks. Just like lions waiting to pick off prey at a watering hole, watering hole attacks target users when they visit a particular site. They combine hacking into the website with steering high-value users to it through a campaign of search engine “disoptimization”: achieving high rankings for particular searches so that users are led to an infected page.
The exact mechanism Gootloader uses to infect WordPress sites isn’t yet clear – it could come from a compromise in older versions of WordPress itself, or it could come through an infected plug-in, or compromised login credentials. Once Gootloader has taken control of the site, the hackers can insert their own content, in some cases hundreds of pages.
In one example, cybercriminals hacked the website of a neonatal medical practice in Canada. They injected a large volume of content about real estate transactions, far removed from what the business actually does, which is to deliver babies. The injected pages ranked high in organic search for a very specific type of real estate transaction. Someone searching for that transaction finds the result on the hacked website, which Google reports has been around for years. The user clicks through and lands on a fake message board, where it looks like his question has been answered. He downloads the offered document, and in the process infects his computer with the malware. The malware avoids writing files to disk, which would make it easier to detect; instead, it typically stores its data in the Windows Registry.
Gootloader has also been observed on sites in German, French, and Korean.
With 27 million live websites, WordPress is the most popular content management system and is used for major websites such as BBC America, Sony Music, Microsoft News, and TechCrunch.
There are two important ways users can protect themselves from legitimate, but hacked websites.
- Be wary. Many of the hacked sites and responses have somewhat awkward phrasing in how things are worded, which should set off warning bells not to click that link or download that file. Notice disconnects, like real estate-related content on a site for a neonatal medical practice.
- Use Remote Browser Isolation (RBI). Ericom Shield RBI provides a safe browsing experience by opening web traffic in a single-use container isolated in the cloud. In their regular browser, users interact only with safe rendering data; active code from the site never reaches the endpoint. Any malware on the site, including malicious downloaders, remains in the isolated container, which is destroyed at the end of the session. It can never reach the user’s device or the company’s network, let alone infect it.
Website owners, including those with WordPress sites, should also take some key precautions:
- Require strong passwords and, better, multi-factor authentication for any administrators, contributors, or editors of the website.
- Keep all software and plug-ins up to date.
- Watch your site carefully for any strange activity or unauthorized pages.
- Use Ericom Shield to “air gap” your site from potential attackers. Just as RBI protects users from malicious code by rendering sites away from endpoints, it can protect your website by cloaking attack surfaces, so users can’t exploit, or even see, web page code or exposed APIs.
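One way a site owner can act on the “watch your site” advice above, given how the article describes Gootloader inserting hundreds of off-topic pages into a hacked site: an added example (not code from the article, eSentire, or Sophos) that flags bulk-injected posts in a WordPress post list. It assumes the list has the shape of WordPress’s public /wp-json/wp/v2/posts REST response; the sample posts, author IDs, and keyword set are constructed, and the function names are hypothetical.

```python
"""Flag bulk-injected, off-topic posts in a WordPress post list."""
import json
from collections import Counter
from datetime import datetime

# Constructed vocabulary of the (hypothetical) site and the author IDs its owner recognises.
SITE_KEYWORDS = {"neonatal", "newborn", "clinic", "baby", "pediatric", "parents"}
KNOWN_AUTHORS = {1, 2}

# Constructed sample in the shape of the public /wp-json/wp/v2/posts response.
SAMPLE_POSTS = json.loads("""[
 {"id": 10, "date": "2020-03-02T09:00:00", "author": 1, "slug": "newborn-checkups",
  "title": {"rendered": "Newborn checkups at our clinic"}},
 {"id": 11, "date": "2020-06-14T11:30:00", "author": 2, "slug": "visiting-hours",
  "title": {"rendered": "Updated visiting hours for new parents"}},
 {"id": 501, "date": "2021-02-01T03:12:00", "author": 7, "slug": "commercial-lease-assignment-form",
  "title": {"rendered": "Commercial lease assignment agreement template"}},
 {"id": 502, "date": "2021-02-01T03:12:20", "author": 7, "slug": "sublease-agreement-ontario",
  "title": {"rendered": "Sublease agreement Ontario free download"}},
 {"id": 503, "date": "2021-02-01T03:12:41", "author": 7, "slug": "real-estate-purchase-contract",
  "title": {"rendered": "Real estate purchase contract sample"}}
]""")

def _words(text):
    return {w.strip(".,?!").lower() for w in text.split()}

def _minute(post):
    return datetime.fromisoformat(post["date"]).strftime("%Y-%m-%dT%H:%M")

def suspicious_posts(posts, keywords=SITE_KEYWORDS, known_authors=KNOWN_AUTHORS, burst=3):
    """Return (id, reasons) for posts with at least two injection signals: unknown
    author, no overlap with the site vocabulary, or a burst of >= `burst` posts in
    one minute (automated insertion). Two signals avoids flagging one odd post."""
    per_minute = Counter(_minute(p) for p in posts)
    flagged = []
    for p in posts:
        reasons = []
        if p["author"] not in known_authors:
            reasons.append("unknown author")
        if not (_words(p["title"]["rendered"]) | set(p["slug"].split("-"))) & keywords:
            reasons.append("off-topic")
        if per_minute[_minute(p)] >= burst:
            reasons.append("burst")
        if len(reasons) >= 2:
            flagged.append((p["id"], reasons))
    return flagged

if __name__ == "__main__":
    for post_id, why in suspicious_posts(SAMPLE_POSTS):
        print(post_id, ", ".join(why))
```

Against a live site, the same function can be fed the JSON returned by the posts endpoint, paged through `?per_page=100&page=N`, with the keyword set and known author IDs replaced by the site’s own.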
Users must be alert to web-based threats even when visiting a legitimate site, since even legitimate websites can be hacked and get loaded with malware. To learn more about Remote Browser Isolation, download our Browsers are the Target white paper.