CryptoPHP Offers Free CMS Plug-ins that Hide Backdoors

While attacks that exploit vulnerabilities in widely used content management systems remain a real threat to website owners who fall behind on updates, a newly documented campaign takes a different route: it social-engineers site administrators into installing a backdoor on their own webservers.

The threat, dubbed CryptoPHP by Fox-IT's Security Research team, uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. From there, the operators abuse the backdoor for illicit search engine manipulation, also known as black hat SEO.

Black hat SEO is a set of techniques that manipulate search engine rankings in violation of search engine guidelines, typically by serving content aimed at crawlers rather than at human visitors. Examples include keyword stuffing, invisible text, doorway pages, adding unrelated keywords to page content, and page swapping (replacing the content of a page entirely once search engines have ranked it).

“By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server,” Fox-IT said in its analysis on the attack.

Once installed on a webserver, the backdoor can be controlled in several ways: through command-and-control (C&C) servers, through email, or by manual control. Fox-IT also lists the following capabilities: public-key encryption of the traffic between the compromised server and the C&C; an email-based fallback channel that keeps the backdoor reachable if the C&C domains are taken down; remote updating of the C&C server list; and the ability of the backdoor to update itself.
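Because the infection vector here is an administrator installing a theme or plug-in from an unofficial source, the practical check is a static triage of the downloaded archive before it goes anywhere near a live CMS. The script below is an added example, not Fox-IT's code and not the article's: it walks a plug-in directory and flags generic PHP backdoor traits (a decoder chain fed into eval(), include/require of a file with an image extension, PHP code inside a file named like an image, preg_replace() with the /e modifier, request parameters passed straight to eval()/assert()/system(), and very long base64 literals). These are common obfuscation and loader patterns, not CryptoPHP-specific indicators; the article publishes none, and the sample plug-in files are constructed inline so the script runs offline.

```python
"""Heuristic triage of a CMS theme/plug-in tree for common PHP backdoor traits.

Added example, not from the original article and not Fox-IT's code. The rules
are generic obfuscation/loader patterns, not CryptoPHP signatures (the article
gives none). The sample plug-in below is constructed so the script runs offline.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# A hit is a reason to read the file by hand, not proof of compromise:
# legitimate plug-ins occasionally use base64 or include odd file types.
RULES: List[Tuple[str, re.Pattern]] = [
    # eval() fed by a decoder chain is the classic obfuscated-payload loader.
    ("eval_of_decoded_data",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    # Code hidden in a file whose extension makes it look like a static asset.
    ("include_of_non_php_file",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]+\.(?:png|jpe?g|gif|ico|txt|css)['\"]", re.I)),
    # preg_replace() with the /e modifier executes the replacement as PHP code.
    ("preg_replace_e_modifier",
     re.compile(r"\bpreg_replace\s*\(\s*(['\"])(.)(?:(?!\2).)*\2[a-z]*e[a-z]*\1", re.I)),
    # Request data handed directly to an execution primitive: a web shell.
    ("request_data_executed",
     re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    # Large opaque blobs are where packed second-stage code usually lives.
    ("long_base64_literal",
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]
CODE_EXTS = {".php", ".phtml", ".inc", ".php5"}
ASSET_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".txt", ".css"}


def scan_source(text: str) -> List[str]:
    """Return the names of the rules that fire on one PHP source text, in RULES order."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a theme/plug-in directory; map relative path -> findings for files with findings."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            ext = os.path.splitext(fn)[1].lower()
            hits: List[str] = []
            # An "image" or "stylesheet" that contains a PHP open tag is code in disguise.
            if ext in ASSET_EXTS and (b"<?php" in data or b"<?=" in data):
                hits.append("php_code_in_asset_file")
            if ext in CODE_EXTS:
                hits.extend(scan_source(data.decode("utf-8", "replace")))
            if hits:
                findings[rel] = hits
    return findings


# Constructed sample plug-in: one benign file, one loader, one fake image, one helper.
SAMPLE_FILES: Dict[str, str] = {
    "functions.php": "<?php\nadd_action('init', function () { register_nav_menu('main', 'Main'); });\n",
    "includes/loader.php": ("<?php\ninclude_once('assets/logo.png');\n"
                            "eval(base64_decode($payload));\n@assert($_POST['cmd']);\n"),
    "assets/logo.png": "<?php $payload = 'ZWNobyAnaGknOw==';\n",
    "includes/helper.php": ('<?php\n$q = preg_replace("/.*/e", "strrev(\'$0\')", $_GET["q"]);\n'
                            "$blob = '" + "QUFB" * 60 + "';\n"),
}


def write_sample_tree(files: Dict[str, str]) -> str:
    """Materialise the constructed sample under a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="plugin-triage-")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_sample() -> Dict[str, List[str]]:
    """Write the constructed plug-in to disk and triage it."""
    return scan_tree(write_sample_tree(SAMPLE_FILES))


if __name__ == "__main__":
    for rel, hits in sorted(scan_sample().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run against a real download with `scan_tree("/path/to/unpacked-theme")`. Expect some noise: minifiers and licensing code sometimes trip the base64 rule, so treat each hit as a prompt to open the file rather than as a verdict, and compare the archive against the same version from the project's official repository when one exists.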

Fox-IT said it has identified thousands of backdoored plug-ins and themes, containing 16 distinct versions of CryptoPHP as of early November.

“We cannot determine the exact number of affected websites, but we estimate that at least a few thousand websites are compromised by CryptoPHP,” the firm said.