Anatomy of a phish - a "generic mass targeted attack" against WordPress admins

Filed Under: Featured, Phishing

Naked Security reader Lisa Goodlin is a website designer and a WordPress user.

That's not exactly a secret.

If you happen to visit one of the sites she looks after, you'll probably see her name and a link to her own website discreetly placed at the bottom of every page, as I've done on this site I made up to use as an example:

And why not?

It's not just handy for Lisa as a spot of advertising, it's handy for anyone who spots a problem with the site and wants to report it.

So that tells you she's a web designer; finding out that she's probably also a WordPress user is similarly easy (it's a good guess anyway, WordPress being a very popular content management system for blogs and websites).

Just try adding /wp-admin to the website's fully qualified domain name, and see if you end up redirected to a WordPress login page, something like this:

Once you get this far, you can be pretty sure that:

  1. is a working address that will reach someone in the business of caring for websites.
  2. luresite.example is one of's customers.
  3. Sending emails to (1) about WordPress issues on site (2) would not be entirely out of the ordinary.
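To see how cheaply the crawler's second step can be automated, and to audit your own customers' sites for an admin portal that is visible to the world, here is an added example; it is not code from the original article. The HTTP fetch is separated from the classification so that the classification can be exercised on constructed responses without touching the network. The site name in the usage line is made up.

```python
"""Check whether a site answers GET /wp-admin the way a WordPress install does.

Added example, not from the original article. A stock WordPress install
answers /wp-admin with a 302 to /wp-login.php (with a redirect_to parameter);
a hardened one typically answers 403/404 or only from inside the network.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so we can inspect them ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx and its headers


def classify_wp_admin(status, location, body):
    """Classify a response to GET /wp-admin.

    Returns one of:
      'exposed' - a WordPress login page is reachable: either a redirect whose
                  target path is /wp-login.php, or the login form served directly
      'blocked' - the server refused or hid the path (401/403/404)
      'unknown' - anything else (non-WordPress site, custom login, etc.)
    """
    if status in (301, 302, 303, 307, 308) and location:
        # Location may be absolute or relative; only the path matters here.
        if urlparse(location).path.endswith("/wp-login.php"):
            return "exposed"
        return "unknown"
    if status == 200 and "wp-login" in body and 'name="log"' in body:
        # The stock login form posts to wp-login.php with a username field named "log".
        return "exposed"
    if status in (401, 403, 404):
        return "blocked"
    return "unknown"


def probe_wp_admin(site, timeout=10):
    """Fetch <site>/wp-admin without following redirects and classify the answer.

    Needs network access; the classifier above does not.
    """
    base = site if "://" in site else "https://" + site
    url = urljoin(base, "/wp-admin")
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_wp_admin(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:
        # 3xx and 4xx both arrive here because NoRedirect declines to handle 3xx.
        body = err.read(65536).decode("utf-8", "replace")
        return classify_wp_admin(err.code, err.headers.get("Location"), body)


if __name__ == "__main__":
    # Usage: python wpadmin_probe.py luresite.example   (site name is made up)
    for site in sys.argv[1:]:
        print(site, probe_wp_admin(site))
```

Run it only against sites you are responsible for; the point is to find admin portals that should be behind a VPN, not to build a target list.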

And that's exactly what phishers did to Lisa, in what I like to call a "generic mass targeted attack."

We'll assume that they don't know Lisa from a bar of soap, and that they aren't targeting her because she's Lisa Goodlin. (Sorry, Lisa: I don't mean to imply you are unimportant!)

They're targeting Lisa simply because their web crawler identified her business as a website design company that uses WordPress.

That gives them a way to phish her more believably than just hitting her up randomly, out of the blue.

What happens next

The phishers' rogue back end server is surprisingly simple.

On a compromised web server belonging to an innocent third party, the crooks have set up some PHP scripts that simulate a wp-admin login page.

Visiting a realistic looking URL like this (don't bother trying it: is an IP range reserved for documentation only):

produces a realistic looking login screen like this, tailored with the text luresite.example:

Of course, it should be obvious that something is wrong, not least because the domain luresite.example looks familiar but the starting domain,, does not.

Nevertheless, if you're in a hurry, or just trying to tidy up a few loose ends for your customers before bedtime, you might not look carefully enough at the URL, and instead rely on two other factors:

  • The presence of the text luresite.example, which lends familiarity because it's your customer.
  • The look and feel of the login screen, which is visually correct because it's ripped off from WordPress.

If you fall for the phish, the username and password you enter are sent to the crooks, not to the luresite.example server.
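A mechanical version of the check that a hurried admin skips, as an added example that is not part of the original article: given a login link and the customer domain you expect it to belong to, it decides from the host name alone, and, when the host is wrong, reports where the familiar name actually sits (in the path, the query string, the user-info part before an @, or as a prefix of a longer host). The host names 203.0.113.10 and attacker.test in the test cases are made up.

```python
"""Decide whether a login link really belongs to the customer's domain.

Added example, not from the original article. The phish in the article works
because the customer's domain appears as *text* in a URL whose *host* is
somewhere else entirely; this check looks only at the host, then explains
where the decoy text was found.
"""
import ipaddress
from urllib.parse import unquote, urlsplit


def host_matches(host, expected):
    """True only if host is expected, or a subdomain of it, on a whole-label basis."""
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 host such as 203.0.113.10 or [2001:db8::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_login_link(url, expected_domain):
    """Return (verdict, reason) for a login link claimed to be for expected_domain.

    'ok'        - host is expected_domain or a subdomain of it
    'phish'     - host is something else, but the familiar name appears elsewhere
                  in the URL (lookalike host, userinfo, path, query or fragment)
    'unrelated' - host is something else and the familiar name appears nowhere
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if host_matches(host, expected_domain):
        return "ok", "host is %r" % host

    expected = expected_domain.lower()
    decoys = []
    if expected in host:
        decoys.append("host")        # e.g. luresite.example.attacker.test
    if parts.username and expected in parts.username.lower():
        decoys.append("userinfo")    # e.g. http://luresite.example@attacker.test/
    if expected in unquote(parts.path).lower():
        decoys.append("path")        # e.g. http://203.0.113.10/luresite.example/wp-admin/
    if expected in unquote(parts.query).lower():
        decoys.append("query")       # e.g. ...?redirect_to=luresite.example
    if expected in unquote(parts.fragment).lower():
        decoys.append("fragment")

    kind = "IP address" if is_ip_literal(host) else "domain"
    if decoys:
        return "phish", "login host is %s %r; %s appears only in: %s" % (
            kind, host, expected, ", ".join(decoys))
    return "unrelated", "login host is %s %r; %s does not appear" % (kind, host, expected)


if __name__ == "__main__":
    # Constructed links; only the first should be accepted.
    for link in [
        "https://luresite.example/wp-login.php?redirect_to=%2Fwp-admin%2F",
        "http://203.0.113.10/luresite.example/wp-admin/",
        "http://luresite.example@attacker.test/wp-login.php",
    ]:
        print(link, "->", check_login_link(link, "luresite.example"))
```

Note that the check deliberately treats a longer host that merely contains the customer's name (luresite.example.attacker.test, or notluresite.example) as a phish rather than as unrelated, since that is the lookalike case a crook would reach for next.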

Casting the bait

The next step the phishers need to take is to persuade you to click through to the login page.

And what better way of attracting a WordPress user's attention than by means of a notification about a pending website comment?

Any switched-on website operator who has enabled comments on a customer's site will be putting regular and frequent effort into keeping the comments flowing: it's a great way to attract and build an online community, and it's fun, too.

Using comment bait is exactly what Lisa's phishers did; fortunately, their creativity and attention to detail fell apart at this point, and she received an email like this:

It was for amusement rather than pedagogic value that Lisa sent the phish to us - as she herself put it, "'Sing in'! Yes, let's all get together and sing Kumbayah!"

But it wouldn't take much effort for the crooks to produce something significantly more believable.

What to do?

You probably frequently see emails that are obviously bogus but which nevertheless make you think, "However did they know that?"

It might be a DHL scam just after you make an online purchase from a company that uses DHL, or a promised tax refund soon after you submit your annual return, or (as in this case) an email that happens to match both your content management system and your customer.

Whenever this happens, I suggest you actually stop and take the time to answer it.

Treat the rhetorical question literally and you'll quickly realise that there are often many ways that "they could have known."

In Lisa's case, it was simply that her domain name was listed on a website that happens to use WordPress.

Here are some other steps you can take:

  • Don't use login links provided in emails. It's too easy to make a mistake.
  • Consider managing your customers' websites from inside their networks via a full-blown Virtual Private Network (VPN), so you don't need to leave the website administration portal visible to the world.
  • Consider using two factor authentication for remote logins, so that your password alone isn't enough for the crooks.
  • Remember that "Sing ins" are for church choirs and choral societies, not for WordPress administrators.

More about two factor authentication

By the way, for a discussion of how two factor authentication helps protect you in cases of this sort, you might like to listen to this Techknow podcast:

(15 April 2013, duration 16'25", size 9.9MBytes)



13 Responses to Anatomy of a phish - a "generic mass targeted attack" against WordPress admins

  1. Jenny · 725 days ago

    I see it all the time with Paypal and Ebay.....

  2. Alok Yadav · 725 days ago

    I always remove the redirect string, and a better option: Jetpack now has an option to connect with account. It's the best way to log in and have two-factor auth.

  3. Sergio González · 724 days ago

    What begins badly ends worse: Lisa didn't even care about a certificate alarm rising in the browser, or she just logged in using HTTP.

    • Paul Ducklin · 724 days ago

      Er, she didn't get that far. She didn't "Sing in" at all. So there was no bad or worse in her story.

      Also, the WordPress logon screen itself is often not served with HTTPS. The encryption is negotiated only when you actually submit your login. I don't like that, but lots of sites do it.

      Lastly, remember that the crooks "own" the server that is serving up the fake login screen. Assuming that server supports HTTPS, the crooks can use HTTP or HTTPS as they choose...and let the legitimate site do the digital signatures with its own private key.

      So HTTPS, or the lack of it, is sort of a red herring here, since if you are going to miss the domain mismatch in the URL, you are unlikely to worry about, or even to check, the owner of any certificate that gets used...

  4. Nigel · 724 days ago

    I used to find those phish-mails amusing. But now they're so plentiful and so pathetically unimaginative that they're just plain boring. So, I just open OS X's Mail app (which is otherwise unusable for me because it doesn't honor message receipt requests) and use it for the one feature that makes it useful: "Bounce message".

  5. Bouncing a message doesn't work anyway since a lot of spam/scam email messages use fake headers in their emails.

  6. A blogger and WordPress user like me does not have detailed security knowledge about the CMS. However, I make sure I have installed a WordPress security plugin.

    • markstockley · 723 days ago

      My recommendation for non-technical users is, if you do nothing else, make sure you always run the very latest version of WordPress and install 2 factor authentication.

  7. When I used Apple's Mail to sync all my email accounts, it actually downloaded attachments in unopened mail to the Mail's folder on the hard drive and then Sophos warning bells went off.

  8. KenC · 722 days ago

    A couple things that would prevent this from being utilized: 1) I always - and I mean ALWAYS - double check the links in an email before I click on them. 2) I use password software on my main computer that takes me to the page where I can login and automatically fills in my username and password.

  9. Would SPF/DKIM help here for mail sources where you provisioned the hosting yourself? Then again, how many people actually run a DKIM verifier addon in their mail client(s) and how many such addons automatically disable links until you review the warning (as many spam identifiers do)?

    • Paul Ducklin · 719 days ago

      One problem in this case - which is where the crooks are using server X to present visual material that looks to be from domain Y, is that you can't be sure how completely they've "pwned" server X.

      If they've got control as good as the local admin, then any cryptographic signatures they present will probably look 100% kosher for server X (in other words, don't just "borrow" the internet connection, the web server and the PHP engine; "borrow" the server's DKIM and SSL private keys, too).

      So if server X is configured to send email that is DKIM-signed to say it's from server X, then the crooks' emails will be signed, and if the server has an HTTPS key signed by a trusted certifier, then the crooks' HTTPS traffic will be accepted by your browser...

      Of course, the URL should be enough of a warning here - why is unknown domain X providing the login page for customer domain Y?

  10. Awesome article. I am a big believer in placing comments on blogs to let the blog writers know that they have added something useful to the world wide web!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog