The Hacker News Logo
Subscribe to Newsletter

15000 Wordpress blogs hacked for making money from Survey

Wordpress Security Team is sending out warning messages to thousands of wordpress users that their account has been compromised recently. Warning message include "We recently detected suspicious activity on your WordPress.com account. To protect your identity and keep your site safe, we’ve reset your password."

Message continue "To reset your password and get access to your account and blog, please visit WordPress.com. Click on “Forgot password?” in the Login toolbar to get started. It is very important that your password be unique because using the same password across different web applications increases the risk of your account being hacked."

Note: Wordpress officially has not announce yet any security breach news on their website, but these warning mails are silently received by compromised account holders. Method of hack is still not confirmed. But hacking 15000 blogs from wordpress server and posting same article on all sites most obvious can't be a client side hack. Either wordpress servers has been compromised or a 3rd party WordPress API service server has been compromised where all these 15000 users account can be clients.

Few hours ago I got mail from one of the 'The Hacker News' Reader that his wordpress blog (https://h4ck3r4life.wordpress.com/) has been compromised and he got same wordpress warning via email .When he login to his wordpress admin panel, he saw that - Hacker post an article, title - "Im getting paid!" with an Image as article body shown below. Image hyperlink it to a survey site - http://surveyryphic.com/?=38823. This was a *.wordpress.com free blog.



On further search I found that, its not only his blog that had been compromised but also there are other 15000 more wordpress users who can see this spam article i.e "Im getting paid!" on their blogs. I just use google search to find out the number of compromised blog, using dork -- site:wordpress.com "Im getting paid!" , and we got around a list of 15200 and more blogs that have same article with same image and Referal link to fake survey site.

I have also mark the day of post in above screenshot, its "1 DAY AGO" from writing of this article by me. Next, if we go to survey site, there is a signup page, if you want to become rich :P (obviously a greedy strategy to attract visitors).

But I ignore and sign up using my own email and website moved to another domain http://directredirection.be/thankyou3.html. Just after signup I got a mail from spammers that - "You're invited to participate." with option to click on "Claim My Spot", and found that Cybercriminals are using Bulk email campaign service form Getresponse.com, which is one of the biggest Email Marketing service. I have contacted with Getresponse response team and still waiting for their reply about help to trace hacker.

Okay back, after clicking "Claim my Spot" from email I moved to another phishy site http://ecash0pinions.com/main.php?hop=ryph1, who are offering lots of Earn Extra Income From Home. There greedy strategy tagline is "Earn money by uploading videos".

So, In whole process of this referral spam system, that was started from hacking of 15000 Wordpress blogs, we got three suspicious domains:
1.) http://surveyryphic.com
2.) http://directredirection.be
3.) http://ecash0pinions.com

After gathering more information, we found that :
1.) First two domains are Hosted on same IP i.e 91.217.178.43 and 3rd on different 108.179.210.36
2.) "Rick Thomas" is the person who run "ecash0pinions.com" website, having Personal email: rickthomasvendor@gmail.com and Skype username: rickthomas.vendor.
3.) Another marketing sites owned by Rick is extremewealthmechanism.com.
4.) Hacker have his most of the domains hosted on Russian hosting services.

May be Rick is not involved in these hacks, but possibly someone else using his referral system service to generate lots of money by directing thousands sites and readers via his referral link to such marketing sites.

We will update the article, after further investigation and response from Getresponse.com security team.

UPDATE:
45000 more wordpress has been compromised on second day of hack and Getresponse suspend the account of hacker. Read full story here.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.