CMS-based sites under attack: The latest threats and trends

Payment card skimmers are becoming more common in exploit kits affecting WordPress websites and attackers are spending more time customizing them to avoid detection, Sucuri’s latest research report has revealed.

“Unlike most compromises we see, skimming attacks are more often targeted rather than opportunistic,” the company added, and said that they expect skimmers to play an even larger role in website infections in 2022.

Also, while payment card stealers were previously found predominantly in Magento-based sites (and less on OpenCart and PrestaShop-based ones), WooCommerce plugin users are became increasingly targeted due to its large footprint in the ecommerce landscape.

Other key findings

Sucuri’s most recent Website Threat Research Report is based on data collected and observations made by the company’s incident response and remediation team during their engagements throughout 2021, and shows ongoing trends related to threats targeting websites based on popular CMS platforms such as WordPress, Joomla, Drupal and Magento.

According to the team, roughly half of the infections of CMS-based sites were executed via vulnerable plugins, themes or extensions (i.e., not vulnerabilities in the core CMS files).

“Websites containing a recently vulnerable plugin or other extension are most likely to be caught up in malware campaigns,” they found, and warned that “even a fully updated and patched website can suddenly become vulnerable if one of the website elements has a vulnerability disclosure and action is not swiftly taken to remediate it.”

They also noted that properly securing WordPress sites can’t happen without security plugins, after lamenting the fact that WordPress administrator panels don’t provide multi-factor authentication and do not rate limit failed login attempts by default.

The researchers also concluded that:

• 60.04% of infected environments contained at least one website backdoor, the most common of which were uploaders and webshells. PHP malware is also often encountered – whether it’s payment card stealers, login stealers, injectors or redirectors
• A malicious admin user is another popular way for attackers to maintain access to compromised sites
• Website reinfections are common
• SEO spam continues unabated, but cryptomining malware on compromised websites has become rare
• 7.39% of websites contained some form of phishing content, usually phishing landing pages, more often then not created via pre-built phishing kits. The most commongly targeted credentials were for Microsoft, Netflix, and online banking.

Mitigating CMS threats and getting ahead of future trends

Owners and admins of CMS-based websites are advised to:

• Regularly update their CMS, plugins, themes and extensions or, better yet, opt for automatic updating where possible
• React quickly when vulnerabilities in the components they use are discovered and patched
• Uninstall packages that are no longer useful, especially if they have been abandoned by their authors
• Use security plugins to increase defenses (but make sure to regularly update them)
• Secure their admin panels and use unique, complex and long(er) passwords, as well as additional authentication factors if possible
• Use a web application firewall to block attack attempts

“While there is no 100% security solution for website owners, we have always advised that a defense in depth strategy be used. Laying defensive controls helps you better identify and mitigate attacks against your website. Employ any and all precautions available to you, and never rely entirely on a single solution,” they concluded.