Plugins are supposed to make your life—and website management—easier, but can they also allow for vulnerabilities? In early March 2015, a series of weekend cyberattacks took place, and the hackers claimed to have ISIS ties. More than 12 sites were taken over and defaced, and the attack was similar to the January attacks on US Central Command and other US media outlets, which were claimed by Cyber Caliphate. However, the Canadian Royal Mounted Police (CRMP), FBI and Department of Homeland Security have announced that they don’t believe there are any real ISIS connections. Of course, that doesn’t make the attacks any less frustrating, especially now that it’s rumored a WordPress plugin was the weak link.
Thus far, the strongest connection between the January and March attacks is that the breached sites were all on WordPress platforms. However, that shouldn’t be too surprising, since WordPress is one of the most popular and widely used website building and management platforms available. It’s open source and easy to use, but WHIR has discovered that two hacks (at a minimum) happened on sites that featured the FancyBox plugin. So far, it’s not clear whether that particular plugin was how the sites were hacked, but it may be more than just a coincidence.
Vulnerable Points of Entry
According to NCB, a number of the sites, such as the Dublin Rape Crisis Center (DRCC), report the issue as “a WordPress plugin.” When WHIR reached out to DRCC, the DRCC reported that they’re just a small non-profit organization and there’s no room in the budget for a serious IT department or even outsourcing. As at many small organizations and charities, a volunteer manages the site. “We contacted Blacknight when this happened last Sunday and they were quick to respond with support. I also heard via Twitter that other WordPress-based sites had experienced this and it was down to a particular plugin,” says a DRCC spokesperson.
The IT volunteer at DRCC says the FancyBox plugin was indeed used by hackers to get into the site. Once the volunteer pinpointed the vulnerability, the code was closely examined and he could see where “malicious code” was being filtered in. In the US, a Montana credit union was also hacked, and the manager of the branch says the breach “was caused by a weakness in FancyBox.” FancyBox features a type of jQuery that is used in a few other WordPress plugins, but so far it seems those plugins remain secure. The creators/owners of fancybox.net have thus far not commented.
A Secure Site?
The relatively good news is that security agencies say the ISIS name is just being used to get more attention. Plus, according to tech experts at Area43.net, “The Eldora Speedway site and two other sites using WordPress were ‘hacked by ISIS’, and all three sites were using the Fancybox plugin,” but that vulnerability can be fixed with a simple software update. Area43 also reports that a number of the hacked sites have chosen to just remove the plugin entirely, and some have even taken down their sites (hopefully to reboot and go live again soon).
“Bank or credit union websites may have 20 or 30 plugins in use, all written by different authors and all adding different functionalities,” says Area43. It’s important to bear in mind that security isn’t always the top priority of a plugin designer—and even if it is, it can be rendered useless if website managers don’t stay on top of software updates.