Security researchers have found that close to 300 WordPress websites have been defaced to display fake attack notices, in order to trick the site owners into paying 0.1 bitcoin (BTC) for restoration.
Accompanying the ransom demands were countdown timers that were added to create more panic and further arm twist the owners into paying the ransom.
The deception behind these attacks was discovered by cybersecurity firm Sucuri who was hired by one of the victims to perform incident response on the supposed attack.
As soon as they began their investigation, the researchers discovered that the websites’ pages had not been encrypted, and that the notice was fake.
Clever deception
The researchers said that the “attack” had all the hallmarks of a genuine ransomware campaign, as it seemed to suggest that the website had been encrypted. While the demand sum of 0.1 BTC was considerably less than what is demanded in typical ransomware attacks, it still comes to over $6000, which is still a considerable amount of money.
“Before panicking and paying the ransom (or completely re-building their website from scratch) thankfully some website owners hired us to take a look,” writes Sucuri, who had tackled ransomware attacks on websites earlier.
However, as soon as they looked inside the web server, they discovered that the files weren’t encrypted. Instead, the warning turned out to be a simple HTML page generated by a bogus WordPress plugin.
In addition to displaying the message and the timer, the plugin issued a simple SQL command to find any posts and pages that had the “publish” status, and changed it to “null,“ which would 404 all pages, and lend credibility to the fake attack.
The researchers however couldn’t determine if the attackers had brute forced the admin password, or had acquired the already-compromised login from the black market.
Want to build a website? Use one of these best WordPress hosting providers and build them with the help of these best WordPress website builders
