Numerous security researchers exposed many thousands of backdoored plug ins as well as the themes for the well-liked content management systems (CMS) that may be utilized by attackers to cooperate with web servers in a big scale.
The security firm Fox-IT that is based in Netherlands has printed a whitepaper that reveals a novel Backdoor called “CryptoPHP”. Security researchers were able to discover spiteful plug ins and ideas for Joomla, WorPress and Drupal. On the other hand, there’s a little relief for users of Drupal since only themes have been discovered to be contaminated from CryptoPHP backdoor.
Miscreants utilize a simple trick of social engineering just to abuse site administrators. They frequently attract website administrator in downloading pirated edition of saleable CMS plug ins as well as themes free of charge. After downloading, the hateful theme or plug ins incorporated set up the administrator’s server.
Fox-IT stated it its study regarding the attack that “By publishing pirated themes and pug ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server.”
Once the backdoor has been installed in web server, it could be controlled by any cyber unlawful people using diverse options like command and control server (C&C) communications, email as well as manual control.
The following are the other potentials of CryptoPHP backdoor:
- Incorporation into well-liked content management system such as Joomla, Drupal and WordPress.
- Public key encryption intended for communication amid the cooperative server and the command and control (C2) server.
- Physical control of the backdoor beneath the C2 communications.
- Backup system installed against C2 domains take downs through email communications.
- A wide communications in terms of IP’s and C2 domains.
- Distant updating of the listing of C2 servers.
- Capability to update itself.
Once installed on a web server, the backdoor can be controlled by cyber criminal using various options such as command and control server (C&C) communication, email communication and manual control as well.
Miscreants are utilizing CryptoPHP backdoor on websites that are compromised and web servers for unlawful Search Engine Optimization (SEO), which is known also as Black Hat SEO, as stated by researchers in their report. This is due to the fact that compromised websites connection to the websites of attackers appears on top in the results of search engines.
Black Hat SEO is a technique used on maximizing the search engine results without human interaction within the pages, which also violates the guidelines of the search engines. This technique includes doorway pages, keyword stuffing, adding unrelated keywords, invisible text, and page swapping.
The security company has discovered 16 variants of CryptoPHP Backdoor on thousands of backdoored plugins and themes as of 12th November 2014. First version of the backdoor was appeared on the 25th of September 2013. The exact number of websites affected by the backdoor is undetermined, but the company estimate that at least a few thousand websites or possibly more are compromised.