They are among 18 sites so far known to have been hit by a cyber-attack that steals the names and passwords of the sites' users, but does not infect their machines and leaves them entirely unaware they have been hacked.
In a 7 May blog post, security firm Zscaler's Sameer Patil and Deepen Desai said they found the attack was planting backdoor code on the sites, in order to capture the credentials of everyone logging into them and send them to a US-based attacker website, the dodgy domain “conyouse.com”.
Known victims include the Glasgow Contemporary Choir (glasgowcontemporarychoir.com) who attract singers from across the city to perform popular music, and Blissfields (blissfields.co.uk), which is currently selling tickets for a two-day music festival in July near Winchester.
Among the other infected sites across the UK and globally is technograte.com, a news site for ‘geeks' covering technology, gadgets and cloud computing.
Michael Sutton, Zscaler VP of security research, told SCMagazineUK.com: “This is a unique WordPress attack that we have not seen in the past. We realised that instead of infecting machines, it was solely stealing their credentials.
“The end user would not have any indication that they'd been attacked, there's nothing on their side that's been compromised. They would be very much blind to the fact that they've just had their credential stolen.”
Zscaler still does not know which vulnerability is being used in the attack. “We see the injected code, we don't know what exploit was leveraged to get that there,” Sutton said.
But its findings add to the catalogue of vulnerabilities and attacks suffered by sites using the WordPress content management system - including last week's revelation by Sucuri of a cross-site scripting (XSS) flaw in the WordPress genericons package, affecting millions of WordPress installs.
The latest attack raises the question as to why cyber-criminals would target users of such inoffensive sites with no clear commercial value. Sutton believes it is part of an ongoing ‘credentials-stuffing' campaign.
He told SC: “Because of the nature of the sites I highly doubt the attackers were after the credentials to compromise that site. I suspect it's a credential-stuffing attack – they are banking on the fact that people re-use passwords and so they're just going to keep this running, gather as many authentication credentials as they can from anybody that goes to these sites, then try to log in at popular sites that they do care about – and very often those attacks are successful because people only have one set of credentials or a handful, and just re-use them.”
He warned CISOs: “This should be a concern for corporations because you have no way of knowing the password that your employee selected isn't the same as the one they've used on a hundred other public websites, any one of which could be compromised - and that's a great argument for two-factor authentication.”
Sutton advised users: “This is a perfect advertisement for ‘do not re-use your passwords'. You don't control the back-end of the site you've just handed your credentials to. That could get compromised at any time. The best defence is to have a unique set of credentials at every site.”
Analysing Zscaler's findings, security expert Luke Potter, operations manager at specialist SureCloud, told SC via email: “Because WordPress is such a popular platform for businesses, group websites and blogs, it will inevitably be targeted by hackers looking to exploit any vulnerabilities in it or its ecosystem of plug-ins.
“Whilst the exact underlying vulnerability is not yet clear, It seems likely the attackers are deliberately targeting small-scale WordPress sites that may not have the latest patches applied as the first stage of an attack. As well as launching larger attacks it is also possible that these sites may hold personal and even payment details.”
Potter advised: “It's critical that individuals and organisations keep their WordPress site software updated, are aware of any plug-ins they use on their site and ensure they download the latest versions, to close off any potential weaknesses.”
The Zscaler researchers echoed this: “While the initial vector behind the compromise of the sites is unclear, it is extremely important for site administrators to keep their WordPress sites patched with latest security updates,” they said.
The most recent compromised WordPress versions they found are 4.1.5 and 4.2.2.