Recently, David Graff, the Director of Global Product Policy at Google, posted an announcement on Google's ad blog that there is going to be a serious reworking of how Google handles tech support ads.
Since tech support ads are notoriously scammy, and Google has a tough time telling what's real and what's not, Google is going to start penalizing websites that run fake tech support ads, while simultaneously tightening its ad vetting to prevent phony tech companies from purchasing ad space.
If you're not aware of tech support ad scams, they work like this. A little box will pop up and tell you that you have a horrible virus and you need to click here to get rid of it. Then, you will be brought to a website that either:
- Injects malware (such as the Coinhive miner) into your browser
- Tries to get you to pay for fake tech support
- Installs extortion malware (such as the FBI MoneyPak virus)
Obviously, none of those are good things to have, so Google's trying their best to get rid of them. So, what do all of these hackers that have been using fake tech support ads do in the wake of this news?
They hack into thousands of WordPress websites using obvious cracks in WordPress's security to inject thousands of sites with tech support ads in order to avoid detection. Here we go again.
The Source
This newest wave of WordPress hacks involves hackers injecting tech support ads into unsuspecting WordPress websites. So, when users visit these websites they will see tech support ads that will redirect them to viruses or money scams.
The exact source of the vulnerability isn't entirely clear. Of course, this is partially to do with the fact that WordPress has more than 11,000 vulnerabilities (including plugins and themes), and part of it is that there are simply too many websites that are currently getting hacked.
Some sources point the start of this particular wave of hacks to early September, but no one is sure how long these hacks have been going on.
One thing that we are entirely sure of is that there are a ton of WordPress websites getting hacked right now.
As it currently stands, Sucuri and Malwarebytes are both pointing the finger at plugins. Now, you may be thinking: "Ok, so don't download any sketchy third-party plugins!"
Well, we're going to have to stop you right there. One of the primary vectors of the current hacks is the Duplicator plugin (more than 10 million downloads), alongside WordPress's PHP issues, which are (as always) ongoing. How hackers are getting in is basically impossible to tell given the current state of WordPress's security. There are too many vulnerabilities, and even Sucuri (the WordPress praisers) are confused as to which vector hackers are using.
The Injection
Once hackers pick and choose their vulnerability, they go in and inject malicious JavaScript code that redirects users to these spammy and scammy tech support ads.
Some website owners have been able to identify this JavaScript code in their wp_posts table (the hackers aren't hiding it well). On the client side, there is typically a snippet in the page's HTML head, which is one of the main ways that security companies are identifying infected websites.
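A check a site owner can run over a wp_posts export or a fetched page to surface that kind of injected script, added here as an example and not taken from the post or from any vendor's scanner; the allowlisted hosts, the obfuscation markers and the sample rows are constructed assumptions:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed allowlist of script hosts
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(")  # assumed

class ScriptCollector(HTMLParser):  # collects <script src> values and inline bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

def suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Flag scripts loaded from hosts outside the allowlist and inline scripts
    carrying obfuscation markers; relative src paths have no host and are trusted."""
    p = ScriptCollector()
    p.feed(html)
    hosts = [(s, urlparse(s).hostname) for s in p.external]
    findings = [("external", s) for s, h in hosts if h and h not in allowed_hosts]
    findings += [("obfuscated", b.strip()[:60]) for b in p.inline
                 if any(m in b for m in OBFUSCATION_MARKERS)]
    return findings

# Constructed sample rows standing in for `SELECT ID, post_content FROM wp_posts`.
SAMPLE_POSTS = [
    {"ID": 1, "post_content": '<p>Hello</p><script src="/wp-includes/js/jquery.js"></script>'},
    {"ID": 2, "post_content": '<p>About</p><script src="//cdn.attacker.invalid/r.js"></script>'},
    {"ID": 3, "post_content": '<script>eval(String.fromCharCode(118,97,114));</script>'},
]

def scan_posts(rows, allowed_hosts=ALLOWED_HOSTS):
    """Map post ID -> findings for every row whose content carries a suspicious script."""
    hits = {r["ID"]: suspicious_scripts(r["post_content"], allowed_hosts) for r in rows}
    return {pid: f for pid, f in hits.items() if f}
```

The same `suspicious_scripts` call works on the `<head>` of a page fetched from the live site, which is where the client-side snippet described above tends to sit.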
As usual, the actual ads that are displaying are definitely malicious. Not only do they lead to virus-ridden websites and downloads, but they also use the "evil cursor" trick so that you can't even click away from the ad.
Infected websites will find their users pushed onto scam sites and forced to download malicious material. Some users may even be scammed out of money if they take the tech support ad to be legitimate.
What to Do If You've Been Hacked?
If your website is among the thousands and thousands of WordPress websites that have been subject to this wave of attacks, things may look bleak.
Some users are reporting that the injected files are still there even after a reinstall, which is a serious issue. Many users have stated that their entire server was taken over, and, since the exact attack vector is unknown, it could be an internal WordPress vulnerability, which WordPress will never admit.
Here are just a few steps you can take if you've been hacked.
- Keep your themes and plugins up to date.
- Keep the core WordPress files up to date.
- Use strong passwords.
- Implement two-factor authentication.
- Restrict access to the admin area.
- Use secure FTP.
- Use HTTPS on your site.
- Prevent brute force attacks by limiting login attempts.
- Learn how to use .htaccess configuration files to improve the security settings on your site.
- Disable XML-RPC in WordPress; or, better yet...
- Use a CMS with a strong and proactive security stance.
The Damage
Once your website is hacked, you'll want to know what kind of damage was done.
These tech support scammers will redirect users to Coinhive programs, force them to download nasty viruses, steal users' personal information, mimic legitimate businesses to scam money out of users, or even run geolocation scams that redirect your users and defraud the actual advertiser.
These hacks are getting more and more severe as the world pushes towards financial penalties for leaked data. If you run a business, you will need to inform your customers immediately after a hack.
You may also suffer de-ranking if Google crawled your website and detected that it contained malware.
The end result could be massive damages to your business. There's a reason that 60% of small businesses go "out of business" within six months of a cyber attack — they're no joke.
This recent wave of attacks highlights two critical issues. First, WordPress is riddled with vulnerabilities. Even the top security companies that push WordPress as the be-all-end-all of CMS solutions (because they make their living off of WordPress) are unable to pinpoint which of the thousands of vulnerabilities hackers are using to infect websites in this wave of hacks.
Secondly, hacks are getting more and more damaging for business owners. WordPress seems to be completely unable to prevent businesses from getting hacked. These aren't even well-strategized phishing campaigns; they're just spammy hackers that want to make a quick buck off of an unsuspecting person.
Remember, getting hacked can sink your business. Do you really want to rely on a CMS that has a history of hacks, and one that seems to be in the news every other week for issues regarding cyber security? If not, give QuickSilk a look.