InfoTech Security: phisher-men raid websites looking for WordPress installations
A trawl through the access logs of ChiefOfficers.Net shows an interesting trend which appears to tie into the use of WordPress installations for phishing scams.
Readers of our sister publication BankingInsuranceSecurities.Com will be aware that one of the most prevalent tools in the armoury of fraudsters making phishing attacks on customers of banks is the insecure directory in a WordPress installation, often one operated by a small business.
One question that arises is how the fraudsters identify WordPress sites in order to exploit the insecure directory.
A routine trawl through our own access logs has provided an answer.
Bots crawl websites, including this one, looking for WordPress-specific file names or directories. Finding one tells them there is a site that might be vulnerable.
If the file is not present, the server returns a "page not found" or "404" error.
Our logs show multiple attempts to identify the following WordPress files and directories:
/news/wp-trackback.php
/blog/wp-trackback.php
/wp-login.php
/wp/wp-trackback.php
/wordpress/wp-trackback.php
/wp-trackback.php
Of course, this site is not a WordPress installation and so the files and directories are not present.
Unrelated, but possibly of even greater concern to a wider market, are the attempts to locate database management files (which, in our case, the bots cannot do because those files are not on the same server, much less in an accessible directory). Attempts have been made to find /myadmin/scripts/setup.php.
The fact that the attempts are persistent appears to demonstrate that the criminals attempting to access sites for nefarious purposes are simply hitting the same targets over and over again, even when they fail.
It also means that they are very likely, as BankingInsuranceSecurities.Com has reported, to locate and use legitimate sites for their criminal purposes.
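The log review described above can be automated. The following is an added example, not code from the original article or from the site's own tooling: it flags clients that repeatedly request the paths listed above and receive a 404. It assumes the server writes Combined Log Format; the function name `find_probes`, the `min_hits` threshold and the sample log lines (using documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Paths the article reports being probed (WordPress files plus the setup script).
PROBE_PATHS = {
    "/news/wp-trackback.php", "/blog/wp-trackback.php", "/wp-login.php",
    "/wp/wp-trackback.php", "/wordpress/wp-trackback.php", "/wp-trackback.php",
    "/myadmin/scripts/setup.php",
}

# Assumption: Combined Log Format -> ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from any real log.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2024:04:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:04:12:02 +0000] "GET /blog/wp-trackback.php HTTP/1.1" 404 512 "-" "-"
192.0.2.10 - - [10/Mar/2024:08:30:44 +0000] "GET /index.html HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:08:31:02 +0000] "GET /missing-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:01:15 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Mar/2024:09:01:16 +0000] "GET /wp-trackback.php?p=1 HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [11/Mar/2024:04:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
'''

def find_probes(log_text, min_hits=2):
    """Map each client IP with >= min_hits failed probes to its hit count and paths."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # unparseable line, or the request did not fail
        # Drop any query string and compare case-insensitively.
        path = m.group("path").split("?", 1)[0].lower()
        if path in PROBE_PATHS:
            hits[m.group("ip")].append(path)
    return {
        ip: {"hits": len(paths), "paths": sorted(set(paths))}
        for ip, paths in hits.items()
        if len(paths) >= min_hits
    }

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, info["hits"], ", ".join(info["paths"]))
```

An ordinary 404 for a mistyped page, like the one from 192.0.2.10 in the sample, is not reported because its path is not on the probe list.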