Delete this vulnerable WordPress plugin, a new type of email payroll scam tries to change your bank salary deposit, and police go after users of a seized DDoS-for-hire site.
Here’s a new take on the business email compromise scam. In a typical con, a criminal sends you an email pretending to be a senior official from your firm. The message asks you to transfer money to an account for business reasons. Security writer Graham Cluley says the new scam is an email sent to the human resources department pretending to be from an employee. The message asks HR to change the bank the company sends the employee’s salary to. The company may reply by email asking for a cancelled cheque or bank letter to confirm. But the criminal may counter with ‘is it OK if I just send you the transfer information?’ So companies have to be careful about handling salary payment changes by email alone.
WordPress is a popular web-based content management application companies can use for managing their websites. It makes it easy for people to set up a store, or a blog. You can even start with a small site for free. However, the popularity of WordPress means sites that use it are targets for hackers. One particular source of vulnerabilities is the plugins you can get to add capabilities to a site — like a file manager or an appointment booking calendar. Security researchers at a company called WordFence are now warning that flaws in a plugin called Total Donations are being exploited. The problem could allow an attacker to take over the site. This plugin is used by non-profits, churches or political organizations for donations. One problem is that the developers of the plugin can’t be contacted, giving the impression it’s been abandoned. So the best advice for WordPress administrators using Total Donations is to delete it.
Plugins — also called extensions — are popular for a number of applications, including your Internet browser. Ad blockers, toolbars, spellcheckers and apps that help you take screenshots are just some of the common plugins. But remember: any plugin has to be maintained by the developer for security reasons. Before downloading a plugin, see how often it gets updated, and when the last update was issued. That will give an indication of whether the developer is keeping an eye on it.
Finally, some people around the world are getting knocks on their doors, and it isn’t the mailman. Europol, the European police co-operative, said this week that cops in a number of countries are going after former users of a site called webstressor.org, which was seized last April. For a small fee this site was used to launch denial of service attacks against websites and knock them offline. When police seized the site they also got hold of a list of over 150,000 users. Now police are starting to track them down. For example, recently police in the United Kingdom seized over 60 computing devices from people. There are lots of stressor sites like this offering ‘denial of service for hire.’ Often they are used by young people who get their kicks causing trouble for others. Police around the world may want to look at a program created by the Dutch police to deal with young first-time computer offenders before they get into deeper trouble by turning to theft.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.