Hackers Hijack Fancybox Plugin to Deface WordPress Sites with ISIS Propaganda


Last month a vulnerability was discovered in the Fancybox for WordPress plugin, making it possible for a hacker to inject an iframe into the website without needing administrator access. Although the issue was promptly patched, a string of seemingly random WordPress websites were recently compromised using this vulnerability.

Hackers claiming to be acting on behalf of ISIS exploited Fancybox to deface the websites with propaganda for the terrorist group. Credit Union Journal reports that a Montana credit union website was attacked using the Fancybox plugin as the entry point.

Area43.net examined the Google-cached source code of several other hacked sites and reported that both Eldoraspeedway.com and Montgomeryinn.com have since removed the Fancybox for WordPress plugin.
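The defacement described above works by injecting an iframe into a site's page markup, which is exactly what shows up when a cached copy of the HTML is reviewed. The script below is an added example, not code from the article or from the plugin: it lists every iframe in a page whose source is neither the site itself nor an allowlisted host, and notes whether the frame is hidden (zero size or `display:none`), a common trait of injected frames. The sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return iframes that do not point at the site itself or an allowlisted host.

    Relative, same-host and allowlisted frames are skipped; foreign hosts,
    non-http schemes (javascript:, data:) and srcdoc frames are reported,
    together with a flag saying whether the frame is visually hidden."""
    parser = IframeCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        url = urlparse(src)  # handles scheme-relative "//host/path" too
        host = (url.hostname or "").lower()
        foreign = (url.scheme not in ("", "http", "https")
                   or "srcdoc" in attrs
                   or (host != "" and host not in trusted))
        if not foreign:
            continue
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (attrs.get("width") == "0" or attrs.get("height") == "0"
                  or "display:none" in style)
        findings.append({"src": src, "hidden": hidden})
    return findings


# Constructed sample page: one same-site frame, one allowlisted embed,
# and one hidden frame pointing at a placeholder attacker host.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.example-site.invalid/embed/calendar"></iframe>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="//attacker.invalid/deface.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""


def demo():
    return suspicious_iframes(SAMPLE_PAGE, "www.example-site.invalid", ["www.youtube.com"])
```

Run the same function over a site's live HTML and its cached copy to spot frames that appeared between the two.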

In order to deface the websites, the suspected ISIS hackers likely scanned for sites that have not updated the Fancybox for WordPress plugin, as the sites bear no other commonalities apart from using WordPress. Many major news outlets with no understanding of WordPress’ plugin system have wrongly attributed the security flaw to WordPress itself.

Fancybox for WordPress is currently active on more than 100,000 sites, but stats on WordPress.org do not break down how many of those are using a version older than the patched update issued in February. According to Samuel “Otto” Wood, WordPress.org pushed out a forced update for the Fancybox plugin vulnerability, although it wasn’t widely reported.

What is it going to take for WordPress site administrators to keep their plugins updated? If you’re not comfortable updating WordPress plugins yourself, then you need to be on a maintenance plan with a development company to keep your software updated and secure.

While many developers are not too keen on the possibility of WordPress someday adopting automatic updates for core, plugins, and themes by default, your average website owner would probably prefer it over would-be ISIS hackers exploiting the simplest of vulnerabilities to deface their websites.

14 Comments


  1. Can I talk about WordPress consultants for a moment?

    At a marketing meetup in my area, there’s a rash of folks that sell WordPress website creation as a service. Folks that tell me, they “slap some themes together from TF and plugins.” So, when I say rash, I mean I literally break out in one when I hear how they operate their business.

    For example, this defacing happened to a consultant I was talking to. She told me that the client refused to pay for the $18 upgrade to keep the patches coming. The result was the defacing. Of course a business owner is going to say no to a cost they don’t understand. It’s not their fault, it’s the consultant’s fault.

    If you’re consulting with a client on a monthly retainer and you are responsible for their core website technology AND you’re not working these license upgrade fees into your monthly nut — you are doing it wrong.

    If you tell me your monthly retainer can’t take the impact of premium plugin renewals that you installed and continue to use for your client — you are doing it wrong.

    If you cannot position the cost of annual software fees properly to a business owner — you’re probably positioning WordPress wrong and really doing it wrong.



  2. It's good news. The more outdated and unmaintained websites get hacked, the sooner the majority of users will know that outdated or junky plugins/themes are not the way to build a website.
    These types of attacks just make our place better in the long term …



  3. While many developers are not too keen on the possibility of WordPress someday adopting automatic updates for core, plugins, and themes by default, your average website owner would probably prefer it over would-be ISIS hackers exploiting the simplest of vulnerabilities to deface their websites.

    Although a forced update program will be able to reduce the prevalence of certain categories of vulnerabilities, old plugins and WP installs are a small part of the security picture.

    Firefox went this route, and we certainly hope its user-ship curves aren’t a harbinger of WordPress’ trajectory.

    Security is so many different things, it has to be an automatic points-deduction to hold forth that any update program will have much effect. The security of a perfectly updated cyber-world would be minimally distinguishable from today’s status.

    In view of these considerations, it seems the purpose of the update-push is not security (which it can’t promote overall), but about other goals which we think won’t be as acceptable as … helping address ISIS aggression.

    It will be interesting to see if the forensics can determine whether ISIS was involved, or whether it could have been some unrelated party.

    Personally, I’ve been an update-fan since the very days (and I recommend it to everybody). I check for updates the way we used to handle dairy cows and farm animals; feed & tend them first, then go have your own breakfast. Then I went in the military, and added their duty & morals ideas. ;)

    No, my concern isn’t that a high-handed update regime is going to deprive me of some intangible, or crash my little empire. No, my concern is that WordPress is seeking to alter its identity in ways that will make it less suitable for the roles that I value.



    1. Love the farm analogy Ted, gonna work that into my marketing somehow.. :)



  4. I was against automated updates for plugins too, but now I think that it’s due. I hope that when WordPress core developers start working on this, they will be open to discussion, so that we can work out together how to allow themes and plugins, both from wordpress.org and outside to get automated security updates.

    If we are not careful, the automated update will backfire on us and people will just disable it globally. We need to be able to mark security updates separately, so that they are auto-updated always, while allowing clients to skip versions which may require them to do any kind of manual work.



    1. You could, you know, take 60 seconds to check your website for updates whenever you wake up in the morning or get to work. Tada.



      1. That is not an option for anyone that runs any sort of even small business. Checking hundreds of sites takes a lot of time.

        We have set all our sites to update all plugins automatically. I think of the few hundred sites that have been auto-updating over the past year maybe 1 has had a minor problem.

        I FULLY support automatic updates of plugins, themes not so much. So many people don’t modify themes correctly to support updating at all. I see this on an almost daily basis.



      2. You should use a system like ManageWP, InfiniteWP, MainWP, etc. I use the last one to get all the sites controlled.



  5. I go almost every day online and check for updates. It takes me 5 minutes to check and update about 12 sites.

    I then go to clients’ websites and update.

    That is how I keep my sites secure.

    When I need feature fgh, I check the choice of plugins that can do fgh and I look for the one that has been updated most recently. I don’t download plugins that were last updated 6 months ago or older. I prefer plugins with a last update within a month.



  6. In a free world, hacks and cracks will always exist, just like physical break-ins and vandalism will always exist. A system can never be fully secure, but there are lots of guides one can follow to avoid being low hanging fruit.

    For a WordPress site, one thing could be, yes, keeping plugins updated. While in general I am a fan of auto-updates and the technology behind, I also oppose it – especially in this time. Centralized systems are very popular in the “hacker communities” (or what they are called), and breaching one would cause major harm. What happens if the auto-update system on wordpress.org is breached? What data does wordpress.org save about websites? When wordpress.org can target very specific websites to be updated, are logs kept about when, where to and what was pushed?
    If these questions are already answered somewhere, please show me as I am all in for transparency in that area.

    The positive aspects of auto-updates and regular pings to wordpress.org do outweigh the negative, but simply stating that turning auto-updates on for everything will keep a site secure is naive. Let’s not turn this fantastic piece of technology into a monster. Education and collaboration are much more important than forced updates.
