Up to 50,000 WordPress Users Hit by MailPoet Malware Attack

Photo credit: Ingvar Bjork/Shutterstock.com

Security experts are warning that tens of thousands of WordPress sites have been compromised thanks to a known vulnerability in the MailPoet plug-in, leading to mass defacements, spam and outages.

Daniel Cid, CTO and founder of Sucuri, revealed the news in a blog post on Wednesday, after spotting a spike in WordPress sites infected with malware this week. “The malware code had some bugs; it was breaking many websites, overwriting good files and appending various statements in loops at the end of files,” he explained.
 
“At the time of the [previous] post, the root cause of the malware injections was a bit of a mystery. After a frantic 72 hours, we are confirming that the attack vector for these compromises is the MailPoet vulnerability.”
 
That previous post noted that the infector’s PHP code itself contained flaws, meaning it corrupted legitimate site files and caused web pages to display PHP errors. The only way to deal with that problem is to remove the injected malware and restore the corrupted files from a backup, Sucuri said.
 
The MailPoet vulnerability, which Sucuri discovered at the beginning of July, allows attackers to upload any file remotely to a vulnerable website. This means they could carry out various nefarious acts such as using a victim website as a phishing lure, sending spam, hosting malware and infecting other customers on a shared server.
 
As there are over 1.7 million downloads of MailPoet and counting, a potentially huge number of WordPress users are at risk if they don’t upgrade to the latest version, 2.6.7, Sucuri warned.
 
“To be clear, the MailPoet vulnerability is the entry point; it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website,” said Cid. “All the hacked sites were either using MailPoet or had it installed on another site within the same shared account.”
 
The attacks in question always begin with the cybercriminals uploading a malicious custom theme to the targeted site; the theme carries a backdoor, which they then access to gain full control of the site.
 
“The backdoor is very nasty and creates an admin user called 1001001. It also injects backdoor code into all theme/core files,” Cid explained. “The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place.”
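The recovery step Sucuri describes (find the dropped and overwritten files, then restore from a known-good backup) can be automated with a file-integrity comparison. The script below is an added example written for this article; it is not Sucuri’s tooling or anything from the MailPoet project. It assumes the backup is a plain directory copy of the site root taken before the compromise, and it classifies each PHP/JS file as added (for instance a dropped theme file), appended (the clean file is a strict prefix of the live one, matching the "appending statements at the end of files" behaviour quoted above), modified (overwritten), or missing. The sample site and backup trees are constructed in a temporary directory with a fake payload; the real injected code is not reproduced.

```python
"""Added example: triage and restore a WordPress tree against a clean backup.

Assumptions (not from the article): the backup is a directory copy of the
site root made before the infection, and both trees are readable locally.
The sample trees built by build_sample() are constructed for this demo.
"""
import hashlib
import os
import shutil
import tempfile

CODE_EXTS = {".php", ".js"}  # file types worth diffing (assumed set)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Relative paths of code files (plus .htaccess) under root."""
    out = set()
    for d, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] in CODE_EXTS or name == ".htaccess":
                out.add(os.path.relpath(os.path.join(d, name), root))
    return out


def compare_trees(site, backup):
    """Classify every code file on the live site relative to the backup:
    added    - on the site but not in the backup (e.g. an uploaded backdoor)
    appended - clean content is a strict prefix of the live file (injected tail)
    modified - differs in any other way (overwritten / corrupted)
    missing  - in the backup but gone from the site"""
    live, good = _walk(site), _walk(backup)
    report = {"added": sorted(live - good), "missing": sorted(good - live),
              "appended": [], "modified": []}
    for rel in sorted(live & good):
        lp, bp = os.path.join(site, rel), os.path.join(backup, rel)
        if _sha256(lp) == _sha256(bp):
            continue
        with open(bp, "rb") as f:
            good_bytes = f.read()
        with open(lp, "rb") as f:
            live_bytes = f.read()
        if live_bytes.startswith(good_bytes):
            report["appended"].append(rel)
        else:
            report["modified"].append(rel)
    return report


def restore_from_backup(site, backup, report):
    """Delete dropped files and copy clean versions over damaged/missing ones."""
    for rel in report["added"]:
        os.remove(os.path.join(site, rel))
    for rel in report["appended"] + report["modified"] + report["missing"]:
        dst = os.path.join(site, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup, rel), dst)


def build_sample():
    """Constructed sample: a tiny 'site' tree and its clean 'backup' copy."""
    base = tempfile.mkdtemp(prefix="wp-triage-")
    site, backup = os.path.join(base, "site"), os.path.join(base, "backup")
    clean = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-content/themes/twentyfourteen/functions.php": "<?php // theme\n",
        "wp-includes/load.php": "<?php // core\n",
    }
    for tree in (site, backup):
        for rel, body in clean.items():
            p = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as f:
                f.write(body)

    # Simulate the three effects the article describes (fake payload, not the
    # real one): a dropped theme file, an appended tail, an overwritten core file.
    def put(rel, body, mode="w"):
        with open(os.path.join(site, rel), mode) as f:
            f.write(body)

    os.makedirs(os.path.join(site, "wp-content/themes/evil"), exist_ok=True)
    put("wp-content/themes/evil/index.php", "<?php /* dropped backdoor (fake) */\n")
    put("wp-content/themes/twentyfourteen/functions.php",
        "<?php /* injected tail (fake) */\n", "a")
    put("wp-includes/load.php", "<?php /* overwritten (fake) */\n")
    return site, backup


if __name__ == "__main__":
    site, backup = build_sample()
    report = compare_trees(site, backup)
    for kind, files in report.items():
        print(f"{kind:9s} {files}")
    restore_from_backup(site, backup, report)
    print("after restore:", compare_trees(site, backup))
```

Run it against a real install as `compare_trees("/var/www/site", "/backups/site-clean")` and review the report before calling `restore_from_backup`; anything in `added` under wp-content/themes or wp-content/uploads deserves a look before deletion, since it is also where the uploaded theme and its backdoor would land. The admin user the article mentions (1001001) lives in the database, not on disk, so it has to be removed separately.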
