this post was submitted on 08 Mar 2024

Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors’ browsers to perform password-cracking attacks.

A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago. Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

Visitors unwittingly recruited

“This is how thousands of visitors across hundreds of infected websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites,” Sinegubko wrote. “And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests.”

Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system. The script—just 3 kilobits in size—reaches out to an attacker-controlled getTaskURL, which in turn provides the name of a specific user on a specific WordPress site, along with 100 common passwords. When this data is fed into the browser visiting the hacked site, it attempts to log into the targeted user account using the candidate passwords. The JavaScript operates in a loop: requesting tasks from the getTaskURL, reporting the results to the completeTaskURL, and then performing the steps again and again.
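A defender-side way to spot this pattern in a targeted site's access log, added here as an example and not code from the article or from the researcher's write-up. It assumes a combined-format log, that you know the site's own hostname, and that the recruited browsers attach a cross-site Referer to the login POSTs (the distinct-IP signal does not depend on that assumption).

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines in "combined" log format (documentation addresses,
# not real traffic from the campaign).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2815 "https://infected-site.example/" "Mozilla/5.0"
198.51.100.7 - - [08/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2815 "https://infected-site.example/" "Mozilla/5.0"
192.0.2.9 - - [08/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2815 "https://another-infected.example/post/1" "Mozilla/5.0"
203.0.113.44 - - [08/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2815 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Mar/2024:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://victim.example/wp-login.php" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def login_posts(log_text):
    """Yield (timestamp, ip, status, referer) for each POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], int(m["status"]), m["referer"]

def detect(log_text, own_host, min_distinct_ips=3):
    """Flag browser-distributed brute force against this site.

    Signal 1: many distinct source IPs posting to wp-login.php in one minute.
    Each recruited browser sends only a few guesses, so per-IP thresholds
    never fire, but the aggregate count per endpoint does.
    Signal 2: a login POST whose Referer is a third-party host, i.e. the guess
    came from a page on an infected site, not from this site's own login form.
    """
    ips_per_minute = defaultdict(set)
    cross_origin = []
    for ts, ip, _status, referer in login_posts(log_text):
        ips_per_minute[ts.strftime("%Y-%m-%d %H:%M")].add(ip)
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host and ref_host != own_host:
            cross_origin.append((ip, ref_host))
    bursts = {minute: len(ips) for minute, ips in ips_per_minute.items()
              if len(ips) >= min_distinct_ips}
    return {"bursts": bursts, "cross_origin": cross_origin}
```

On real logs, tune `min_distinct_ips` to the site's normal login volume and treat the cross-origin list as the higher-confidence signal, since legitimate logins arrive from the site's own form.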

top 3 comments
[email protected] 7 points 8 months ago

See? Don't run untrusted js.

Btw, were the owners warned somehow?

[email protected] 3 points 8 months ago

Maybe. In part it depends on Google. I reported a case on safebrowsing. What they did with that and how many such reports were made remains anyone's guess.

[email protected] 1 point 8 months ago

This is the best summary I could come up with:


A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago.

Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system.

When this data is fed into the browser visiting the hacked site, it attempts to log into the targeted user account using the candidate passwords.

Roughly 0.5 percent of cases returned a 200 response code, leaving open the possibility that password guesses may have been successful.

As Sinegubko notes, the more recent campaign is significant because it leverages the computers and Internet connections of unwitting visitors who have done nothing wrong.

NoScript breaks enough sites that it’s not suitable for less experienced users, and even those with more experience often find the hassle isn’t worth the benefit.


The original article contains 609 words, the summary contains 148 words. Saved 76%. I'm a bot and I'm open source!