Security researchers have warned that cybercriminals are using compromised WordPress websites to build a huge distributed army for credential stuffing attacks.
A report from cybersecurity firm Sucuri describes the campaign and what the researchers believe its goal is: to find vulnerable WordPress sites and plant a small script in their HTML templates. That script makes the browser of anyone visiting the compromised site connect to a different WordPress website (in the background, without the victim noticing) and attempt to log in with a series of username and password combinations.
When one of those attempts succeeds, the visitor's browser, still without the victim's knowledge, reports the working credentials to the attackers and receives further instructions (the next website to attack).
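From the defender's side, the mechanism just described leaves a recognisable footprint on the targeted site: login attempts arrive from many unrelated visitor IP addresses, most of them fail, and, because the requests are issued cross-origin by a browser, their Referer header names the compromised site rather than the target itself. The following is an added example, not code from Sucuri's report or from the campaign, that scores a batch of web server access-log lines for that signature. The log lines are constructed; the `/wp-login.php` endpoint, the 200-on-failure / 302-on-success status codes and the default browser referrer policy are standard WordPress and browser behaviour, but which endpoint the real campaign hit is an assumption here.

```python
"""Flag distributed WordPress login brute force in access-log lines.

Added example (not from the Sucuri report). Signature scored here:
  - many distinct client IPs POSTing to the login endpoint,
  - a high ratio of failed logins (WordPress re-renders the form with
    HTTP 200 on failure and redirects with 302 on success),
  - Referer hosts that are not the target site itself (a browser issuing a
    cross-origin request sends the compromised site's origin as Referer
    under the default strict-origin-when-cross-origin policy; a script that
    sets no-referrer defeats this particular signal, so it is a
    corroborating indicator, not proof).
"""
import re
from dataclasses import dataclass, field

# Combined log format (Apache / nginx default): ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: six cross-origin failed logins from six client IPs and
# four distinct compromised-site Referers, then one ordinary successful login.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://shop-a.example/" "Mozilla/5.0"
198.51.100.22 - - [15/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://blog-b.example/" "Mozilla/5.0"
203.0.113.77 - - [15/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://shop-a.example/" "Mozilla/5.0"
192.0.2.5 - - [15/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://news-c.example/" "Mozilla/5.0"
198.51.100.9 - - [15/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://club-d.example/" "Mozilla/5.0"
203.0.113.140 - - [15/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://blog-b.example/" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://target.example/wp-login.php" "Mozilla/5.0"
"""


@dataclass
class LoginStats:
    attempts: int = 0
    failures: int = 0
    successes: int = 0
    client_ips: set = field(default_factory=set)
    foreign_referer_hosts: set = field(default_factory=set)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_of(referer):
    """Extract the lower-cased host from a Referer URL ('' when absent or '-')."""
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1).lower() if m else ""


def summarize_logins(lines, own_host, login_path="/wp-login.php"):
    """Aggregate login POSTs to login_path over the given log lines."""
    stats = LoginStats()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != login_path:
            continue
        stats.attempts += 1
        stats.client_ips.add(rec["ip"])
        host = host_of(rec["referer"])
        if host and host != own_host.lower():
            stats.foreign_referer_hosts.add(host)
        if rec["status"] == "302":
            stats.successes += 1  # WordPress redirects after a valid login
        else:
            stats.failures += 1  # form re-rendered (200) or other non-redirect
    return stats


def is_distributed_bruteforce(stats, min_ips=5, min_foreign_referers=3, min_failure_ratio=0.8):
    """Thresholds are illustrative; tune them to the site's normal login volume."""
    if stats.attempts == 0:
        return False
    failure_ratio = stats.failures / stats.attempts
    return (
        len(stats.client_ips) >= min_ips
        and len(stats.foreign_referer_hosts) >= min_foreign_referers
        and failure_ratio >= min_failure_ratio
    )


if __name__ == "__main__":
    s = summarize_logins(SAMPLE_LOG.splitlines(), own_host="target.example")
    print(f"attempts={s.attempts} failures={s.failures} ips={len(s.client_ips)} "
          f"foreign_referers={sorted(s.foreign_referer_hosts)}")
    print("distributed brute force suspected:", is_distributed_bruteforce(s))
```

On the constructed sample the detector fires: seven login POSTs from seven addresses, six failures, and four different compromised-site Referers. Run over a real log it should be applied per time window (the script above treats its input as one window) and, because the campaign uses ordinary visitors' browsers, blocking individual source IPs is of limited use; rate limiting or an additional factor on the login endpoint addresses the pattern more directly.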
Building a foundation
Citing data from the HTML source code search engine PublicHTML, BleepingComputer reported that there are currently over 1,700 websites hosting this script, “providing a massive pool of users who will unknowingly be recruited into this distributed brute force army.” Among the victims, according to the publication, is the website of the Association of Private Banks of Ecuador.
Sucuri says it has tracked this threat actor before. Until now, the group used the same technique for a different purpose: installing the AngelDrainer malware. AngelDrainer is a snippet of code that, as the name suggests, “drains” whatever funds a victim holds in their cryptocurrency wallets. For that to work, the victim has to connect their wallet (MetaMask, for example) to a crypto service, and the group even set up its own fake Web3 websites to get people to connect their wallets.
The researchers aren't sure why the group switched to credential stuffing. One explanation is that it is building a larger base of compromised sites that can later be used to launch more damaging attacks, such as wallet-draining campaigns.
“They most likely realized that at their scale of infection (~1000 compromised sites), cryptocurrency drainers are still not very profitable,” Sucuri concluded.
“In addition, they attract too much attention and their domains get blocked quite quickly. Therefore, it seems reasonable to change the payload to something more stealthy, which at the same time can help increase their portfolio of compromised sites for future waves of infections that they will be able to monetize in one way or another.”