Cybercriminals are using compromised WordPress websites to create a huge army for credential stuffing attacks, experts warn.
Researchers at the security firm Sucuri spotted the campaign and believe they understand how it works: the attackers look for vulnerable WordPress sites and inject a small script into their HTML templates. When someone visits a compromised page, that script makes the visitor's browser contact another WordPress site in the background, without the visitor noticing, and attempt to log in with a series of username and password combinations.
If one of those combinations works, the visitor's browser, still without their knowledge, sends the working credentials back to the attackers and receives further instructions (another site to attack).
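The mechanism above is hard to catch with a per-IP lockout, because each visitor's browser only makes a handful of attempts. As an added example (not Sucuri's or WordPress's code), the script below reads an access log in Combined Log Format and flags a time window in which many distinct client IPs each send a few login POSTs, reporting the foreign Referer hosts (the compromised sites the visitors came from) and any IP that received the 302 redirect wp-login.php returns on a successful login. It assumes logins arrive at /wp-login.php or /xmlrpc.php (the article does not say which endpoint the injected script uses), that the browser sends a Referer naming the compromised site, and that the target is called target.example; the log lines are constructed for the example.

```python
"""Detect a browser-based, distributed login brute force against WordPress.

Added example, not Sucuri's or WordPress's code. Assumptions: the access
log is in Apache/nginx Combined Log Format, logins arrive as POSTs to
/wp-login.php or /xmlrpc.php (the article does not say which endpoint the
injected script uses), the visitor's browser sends a Referer naming the
compromised site, and the sample log below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
OWN_HOST = "target.example"  # hypothetical site under attack

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six visitor browsers (203.0.113.x) each make one or two
# login attempts while sitting on a page of compromised-blog.example; one real
# admin (198.51.100.8) logs in from the site itself and gets the 302 that
# wp-login.php returns on success.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:14:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2024:14:05:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/news/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:05:30 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://target.example/" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2024:14:06:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:14:06:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2024:14:07:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2024:14:07:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://target.example/wp-login.php" "Mozilla/5.0"
203.0.113.14 - - [10/Mar/2024:14:08:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2024:14:08:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.15 - - [10/Mar/2024:14:09:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.15 - - [10/Mar/2024:14:09:48 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://compromised-blog.example/" "Mozilla/5.0"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]
    ev["referer_host"] = urlparse(ev["referer"]).hostname or ""
    return ev


def login_posts(lines):
    """Yield only POSTs to the login endpoints."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            yield ev


def per_ip_lockout_hits(lines, threshold=5, window=timedelta(minutes=10)):
    """IPs a classic per-IP lockout (threshold attempts per window) would block.

    Against a pool of visitor browsers that each make a couple of attempts this
    is usually empty, which is why the distributed approach evades it.
    """
    counts = defaultdict(int)
    for ev in login_posts(lines):
        bucket = int(ev["ts"].timestamp() // window.total_seconds())
        counts[(ev["ip"], bucket)] += 1
    return {ip for (ip, _), n in counts.items() if n >= threshold}


def find_distributed_bruteforce(lines, own_host=OWN_HOST,
                                window=timedelta(minutes=10),
                                min_ips=5, max_per_ip=3):
    """One finding per window with many distinct IPs but few attempts each."""
    buckets = defaultdict(list)
    for ev in login_posts(lines):
        buckets[int(ev["ts"].timestamp() // window.total_seconds())].append(ev)
    findings = []
    for key in sorted(buckets):
        evs = buckets[key]
        per_ip = defaultdict(int)
        for ev in evs:
            per_ip[ev["ip"]] += 1
        if len(per_ip) < min_ips or max(per_ip.values()) > max_per_ip:
            continue
        findings.append({
            "window_start": datetime.fromtimestamp(key * window.total_seconds(), tz=timezone.utc),
            "attempts": len(evs),
            "distinct_ips": len(per_ip),
            # Referers naming other sites point at the pages carrying the injected script.
            "foreign_referers": sorted({ev["referer_host"] for ev in evs
                                        if ev["referer_host"] and ev["referer_host"] != own_host}),
            # wp-login.php answers a successful login with a 302 redirect.
            "success_ips": sorted({ev["ip"] for ev in evs if ev["status"] == "302"}),
        })
    return findings


if __name__ == "__main__":
    print("per-IP lockout would block:", per_ip_lockout_hits(SAMPLE_LINES) or "nothing")
    for finding in find_distributed_bruteforce(SAMPLE_LINES):
        print(finding)
```

On the sample, the per-IP lockout blocks nothing, while the window view shows seven IPs making ten login attempts with a common foreign Referer; the one 302 belongs to the legitimate admin, which is the first thing an analyst would verify. In production the Referer signal is only as good as the compromised site's referrer policy, so treat the many-IPs-few-attempts shape as the primary indicator.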
Building a base
Citing data from the HTML source code search engine PublicWWW, BleepingComputer reported that more than 1,700 websites currently host the script, “creating a huge pool of users who will unknowingly be recruited into this distributed brute force army.” Among the victims, the publication adds, is the website of Ecuador’s Association of Private Banks.
Sucuri says it has tracked this threat actor before. Until now, the group used the same injection technique to deliver a different payload: AngelDrainer. AngelDrainer is a crypto drainer, a script that, as the name suggests, empties a victim’s cryptocurrency wallet. For that to work the victim must first connect their wallet (MetaMask, for example) to a crypto service the attackers control, so the group even built its own fake Web3 websites to persuade people to link their wallets.
The researchers aren’t sure why the group switched to credential stuffing. One explanation is that it is building a larger base of compromised sites that can later be used to launch more destructive attacks, such as wallet-draining campaigns.
“Most likely they realized that at the size of the infection (~1000 compromised sites) the crypto drainers are not yet very profitable,” Sucuri concluded.
“Plus, they attract too much attention and their domains get blocked quite quickly. So it seems reasonable to change the payload with something more stealthy, which at the same time can help increase their portfolio of compromised sites for future waves of infections they will encounter.”