Protect your website from a severe vulnerability in the WordPress Automatic plugin and prevent potential site takeovers. Discover a sneaky campaign using fake job interviews to distribute malware to software developers, and explore how Japanese police use fake payment cards to safeguard the elderly from online fraud.
URLs:
- arstechnica.com/security/2024/04/hackers-make-millions-of-attempts-to-exploit-wordpress-plugin-vulnerability
- bleepingcomputer.com/news/security/fake-job-interviews-target-developers-with-new-python-backdoor
- bleepingcomputer.com/news/security/japanese-police-create-fake-support-scam-payment-cards-to-warn-victims
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Tags:
WordPress, Hackers, Vulnerability, Automatic, Dev Popper, Python RAT, Software Developers, Fukui Police Department, Fake Payment Cards, Online Fraud
Search Phrases:
WordPress Automatic vulnerability prevention, North Korean Dev Popper tactic explanation, Protect software developers from Python RAT, Fukui Police Department fake payment cards usage, Tech support scam prevention methods, WordPress security measures against hackers, Identify and avoid Python RAT installation, Elderly fraud prevention with fake payment cards, Preventing online fraud with dummy payment cards, Japanese police anti-scam tactics through payment cards
Transcript:
Apr 29
A police department in Japan is placing fake payment cards in convenience stores to help protect the elderly from falling victim to tech support scams.
If you’re a software developer and you’re looking for a job, then congratulations, you’re the target of a new North Korean scam called DevPopper, which uses fake job interviews to deceive software engineers into installing a Python remote access trojan.
What are some signs you can look out for when applying for jobs?
There’s a new vulnerability in a WordPress plugin called WordPress Automatic that could allow for complete site takeover.
How can WordPress admins make sure that their sites are safe?
You’re listening to The Daily Decrypt.
It is unfortunate, but the elderly are a huge target for scams online.
And we don’t necessarily need to get into the reasons for this, but attackers know this, and they tend to target the elderly a little bit more than the average user.
And one of the ways attackers get money is by asking their victims to go buy iTunes gift cards or another type of gift card as a form of payment. Some of the most common scams involve scammers offering to remove Trojans from the victim’s computer.
Or, they’d tell the victim that they have a late fee on one of their accounts and they need to pay it in the form of a gift card. So what this police department in Japan is doing is they’ve created things that look like gift cards, but with the titles
“Virus or malware removal payment card” or
“Unpaid bill or late fee payment card” and they’re sitting right next to Apple iTunes gift cards. You’ve got Home Depot, whatever that little gift card section in the convenience stores. It has these as well.
In the hopes that if an elderly person is being targeted for one of these scams, they’ll grab this gift card and go cash out with it. Now, convenience stores who have these gift cards, the employees understand their purpose and have been instructed to have a conversation with whoever attempts to buy them, letting them know that they’re probably being scammed.
And Bleeping Computer reports that there’s been around 7.5 million in financial losses in this town due to online scams such as these.
And in fact, there have been 14 complaints of investment scams in January alone with an estimated damage of 700,000.
This is such a great example of a creative way to solve this problem, or at least attempt to solve this problem, by getting information in front of people. They could take it a step further and maybe have a QR code or a website on the back that could give them more information about this scam,
but I really appreciate the investment of this Japanese town in the safety and security of their elders. For more information on this story, please check out the show notes, article by Bleeping Computer.
So as if it wasn’t scary enough already to enter into a job interview as a software developer, there’s a new scam going around called DevPopper with the whole goal of getting you to install a remote access trojan onto your computer. There is no job. They’re just trying to gain access to your information.
This attack involves a multi-stage infection chain that begins with the candidates being asked to download and execute code from a GitHub repository at some point during the interview process.
And that could be before the interview begins, the interviewees, quote interviewees, ask the candidate to download the software because it will be used in a technical assessment. Or even during the interview, given the prevalence of Git and GitHub or just version control in general in the software developer’s daily workflow, I could see an interviewer ask a candidate to prove that they know how to use Git by going to GitHub and cloning a repository and interacting with it, maybe doing git fetch, checking out a branch, etc.
And personally, as a software developer, I wouldn’t find this too concerning, because, yeah, it’s one of the top skills that you need to understand as a software developer. So, as an applicant, be careful not to download anything, even if it’s during an interview. I know it’s going to be hard to say no, but
if it is a real job, they’ll be very impressed with your security mindset. And they’ll probably move on or allow you to download a reputable GitHub repo, maybe even create your own GitHub repo in GitHub. Use your creativity to get around downloading something that you’re not familiar with.
The job application process is already a very vulnerable avenue for attacks. There’s a lot of personal information floating around out there on the web.
You’re more willing to give to people when you’re desperately in need of a job.
And try to think of ways you can validate the person that you’re talking to. Make sure that they have an email address from the company. Check out that domain. If it’s a recruiting company, go check out their LinkedIn. See if they’ve interacted with other people. Do a little research before you even apply for these jobs.
And always be hesitant of like, headhunters and stuff like that on LinkedIn. This attack vector is growing in popularity.
You’re never gonna believe this, but another WordPress plugin is vulnerable. There is an active vulnerability being exploited in the wild in a plugin called WordPress Automatic. And this one’s rated 9.9 out of 10 severity.
(How does the attack work?)
The attack will begin by using SQL injection to bypass authorization from within this app. Then, once they’ve bypassed the authorization, the attacker can create admin-level user accounts. Once the admin-level user account is created, the attacker will upload their malware, run it, do whatever they had planned for this WordPress site, probably automatically.
And then what they’ll do is they’ll go in and rename the files associated with this vulnerable plugin so that only they can exploit it.
Essentially playing a sort of King of the Hill with this WordPress site so that no other attackers can exploit it. And if you’re a listener of this podcast on a frequent basis, you’ll know that thedailydecrypt.com is hosted on WordPress. It’s actually my first WordPress site. And security is not very good on WordPress, out of the box.
But after recording one of the previous episodes with a different WordPress plugin vulnerability, I went and checked on which users were in my account, by going to the Users tab in your WordPress admin portal, and I was shocked to see 10 or 15 users, because I’ve only created two.
Well, it turns out that these users are classified as subscriber, which is the default user on a WordPress site, but I’ve never had a form or any sort of entry to subscribe to the DailyDecrypt.com,
which leads me to believe that there is some sort of way to manipulate a URL with arguments or an API call to create a user on a WordPress site, whether or not that user is a subscriber or they’re an admin.
Given the way that WordPress creates a user account for every subscriber, there’s probably a way to create an account that’s not a subscriber. Maybe it’s an admin. And so that’s something you want to make sure you are keeping a good eye on if you are a WordPress admin. Make sure you know exactly who the users are on your site. At all times.
This vulnerability began on March 13th of this year, so a little over a month ago, and has seen over 5.5 million exploitation attempts. The plugin is essentially used to automate certain tasks. It’ll use ChatGPT or OpenAI to create content and automatically post it. It can pull content from YouTube, it can pull content from Blogger, Instagram, all of these sites.
And it’s actually a paid subscription, so I think it’s 39 a month to use this. Which is a whole nother problem, that we’re just consuming data, automatically generated content, but we can save that for another day.
As of right now, I don’t believe a patch has been released for this vulnerability. So if you do subscribe to this plugin, perhaps disable it or remove it for the time being. I understand there’s a lot of complexities with that, especially if you’re relying on it for your content generation. But if attackers get a hold of it, you’re not going to have that content anyways.
So I would just take a pause, take a little vacation, and just keep an eye on your users tab on your WordPress. Maybe every morning when you’re sipping your coffee, check to make sure that no users have been created.
This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don’t forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.
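As an added example (not code from the podcast, from WordPress or from the plugin), here is one way to automate the daily Users-tab check the host recommends for the WordPress Automatic story: a Python script that diffs two snapshots of the site’s user list in the shape that `wp user list --format=json` prints (the field names are an assumption; both snapshots below are constructed) and flags new accounts, privilege escalations and removed accounts.

```python
import json

# Constructed snapshots in the shape of `wp user list --format=json`
# (assumption: fields ID, user_login, user_registered, roles; roles is a
# comma-separated string as WP-CLI prints it). Not real site data.
BASELINE = json.loads('''[
 {"ID": 1, "user_login": "host", "user_registered": "2024-01-10 12:00:00", "roles": "administrator"},
 {"ID": 2, "user_login": "editor1", "user_registered": "2024-01-11 12:00:00", "roles": "editor"}
]''')
SNAPSHOT = json.loads('''[
 {"ID": 1, "user_login": "host", "user_registered": "2024-01-10 12:00:00", "roles": "administrator"},
 {"ID": 2, "user_login": "editor1", "user_registered": "2024-01-11 12:00:00", "roles": "administrator"},
 {"ID": 17, "user_login": "sub42", "user_registered": "2024-04-20 03:12:44", "roles": "subscriber"},
 {"ID": 18, "user_login": "wp_support", "user_registered": "2024-04-21 03:15:09", "roles": "administrator"}
]''')

PRIVILEGED = {"administrator", "editor"}  # roles that can publish or change the site

def roles_of(user):
    return set(r for r in user["roles"].split(",") if r)

def audit_users(baseline, snapshot):
    """Diff two user snapshots: new accounts, gained privileged roles, removed accounts."""
    base = {u["ID"]: u for u in baseline}
    seen = set()
    findings = {"new_users": [], "new_privileged": [], "escalations": [], "removed": []}
    for u in snapshot:
        seen.add(u["ID"])
        roles = roles_of(u)
        prev = base.get(u["ID"])
        if prev is None:
            findings["new_users"].append(u["user_login"])
            if roles & PRIVILEGED:
                findings["new_privileged"].append(u["user_login"])
            continue
        gained = roles - roles_of(prev)
        if gained & PRIVILEGED:  # e.g. an editor that is now an administrator
            findings["escalations"].append((u["user_login"], sorted(roles_of(prev)), sorted(roles)))
    # An account vanishing from the baseline is also worth a look (attacker cleanup, lockout)
    findings["removed"] = [u["user_login"] for i, u in base.items() if i not in seen]
    return findings

def severity(findings):
    """'high': someone can now control the site; 'medium': unexplained accounts; 'ok': no change."""
    if findings["new_privileged"] or findings["escalations"] or findings["removed"]:
        return "high"
    if findings["new_users"]:
        return "medium"
    return "ok"
```

Run it from cron against a saved baseline taken from WP-CLI or the Users tab; the public REST users endpoint is not a substitute, since it only lists accounts that have authored published posts and would miss freshly created subscribers.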