Today one of our colleagues came into our office and said, “Hey guys, I’ve been infected.” I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really “interesting” case of mobile redirect threats localized for each country.
All you need is one bad IP
The case was brought to us by Jakub Carda, a fellow AVAST employee who enjoys blogging in his free time. His WordPress site was compromised through a vulnerability in WordPress, more precisely OptimizePress. OptimizePress is a WordPress plugin that fully integrates itself into the WordPress CMS, helping bloggers optimize their blog’s design. A tiny mistake in the code of a file located in: lib/admin/media-upload.php made it possible for pretty much anyone to upload harmful content onto people’s WordPress sites, and plenty of websites have been compromised because of this. The main problem is caused by the following code:
<?php include "../../../../../wp-config.php"; ?>
<?php /* no capability check here: any visitor reaches the upload code below */ get_template_directory(); ?>
This is what it should have been:
<?php include "../../../../../wp-config.php";
// Only a logged-in user who may add users (an administrator) gets past this point.
if ( !current_user_can('add_users') ) {
    echo 'You cannot access this file. Sorry.';
    exit; // the post's excerpt stops at the echo; the exit and closing brace are added so the check actually stops execution
}
?>
Can you see the difference?
In the first snippet there is no check at all, so anyone can upload anything they wish to any WordPress site running the vulnerable OptimizePress. In the second snippet, which is what the code should have been, the if statement on the second line verifies that the request comes from an authorized WordPress publisher and denies access to everyone else.
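As an added example (not code from the post or from OptimizePress), here is a Python script a site owner could run over Apache combined-format access logs to spot abuse of the unauthenticated upload endpoint: it lists every client that POSTed to lib/admin/media-upload.php and any PHP file that same client later requested from wp-content/uploads. The log lines and the plugin directory name "optimizepress" are constructed for the illustration; only the file path comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format), not taken from the post.
# The plugin directory "optimizepress" is assumed; only "lib/admin/media-upload.php" is from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:10:12:01 +0200] "POST /wp-content/plugins/optimizepress/lib/admin/media-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Apr/2013:10:12:05 +0200] "GET /2013/04/my-post/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Linux; Android 4.1)"
203.0.113.7 - - [10/Apr/2013:10:12:09 +0200] "POST /wp-content/plugins/optimizepress/lib/admin/media-upload.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:12:15 +0200] "GET /wp-content/uploads/2013/04/uploaded.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UPLOAD_ENDPOINT = "lib/admin/media-upload.php"          # file named in the post
PHP_UNDER_UPLOADS = re.compile(r"/wp-content/uploads/.*\.php(\?|$)")

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_upload_abuse(log_text):
    """Return {ip: {"posts": n, "php_hits": [paths]}} for every client that POSTed to
    the upload endpoint, plus any PHP files it then requested under wp-content/uploads
    (an upload followed by a request for the uploaded file is the pattern to look for)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    suspects = defaultdict(lambda: {"posts": 0, "php_hits": []})
    for e in events:
        path = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT):
            suspects[e["ip"]]["posts"] += 1
    for e in events:
        if e["ip"] in suspects and PHP_UNDER_UPLOADS.search(e["path"]):
            suspects[e["ip"]]["php_hits"].append(e["path"])
    return dict(suspects)

if __name__ == "__main__":
    for ip, info in find_upload_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {info['posts']} upload POST(s); PHP under uploads: {info['php_hits']}")
```

Any IP that shows up here with a PHP hit under uploads is a strong sign the site was used as an upload target, and the listed file is the first thing to remove.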
Jakub’s site was compromised by a unique kind of redirector exploiting this error in the code. What is unique about this redirector is that it differentiates PC site visitors from mobile users accessing WordPress sites, targeting the mobile visitors only. This, combined with the fact that the code recognizes the mobile user’s location and redirects them to localized pages, makes it interesting. By further inspecting the code we were able to find the IP address that was behind all the trouble:
Not so pleasant surprise for mobile WordPress site visitors
If you access an infected WordPress site via PC you are safe, but mobile users should watch out. After accessing Jakub’s website with a mobile device (and plenty of other WordPress sites) we were redirected to the root of the problem, an IP address which offered a lot of options in terms of compromising visitor security, including tricking users to pay money, knowingly and unknowingly.
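As an added example (not code from the post), here is a Python checker for the behaviour just described: it requests a page once with a desktop User-Agent and once with a mobile one, refuses to follow redirects, and flags the case where only the mobile request is sent off to another host. The User-Agent strings and the IP used in the test are constructed placeholders (the post's actual IP is not reproduced here), and only HTTP-level redirects are seen; a JavaScript or meta-refresh redirect would need the HTML body inspected as well.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed User-Agent strings for the two probes (not from the post).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
MOBILE_UA = "Mozilla/5.0 (Linux; Android 4.1; GT-I9300) AppleWebKit/535.19 Mobile Safari/535.19"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so we can inspect them ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, user_agent, timeout=10):
    """Request url once with the given User-Agent; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:   # a 3xx lands here because we refused to follow it
        return e.code, e.headers.get("Location")

def classify(site_url, desktop, mobile):
    """desktop and mobile are (status, location) pairs from probe().
    Flags the pattern in the post: a redirect served only to mobile clients that
    leaves the site's own host, while desktop clients get the normal page."""
    d_status, _ = desktop
    m_status, m_loc = mobile
    if not (300 <= m_status < 400 and m_loc):
        return "no-mobile-redirect"
    if 300 <= d_status < 400:
        return "redirects-both-clients"      # ordinary site-wide redirect, not this pattern
    if urlsplit(m_loc).hostname not in (None, urlsplit(site_url).hostname):
        return "mobile-only-offsite-redirect"
    return "mobile-only-onsite-redirect"     # e.g. a legitimate /m/ mobile theme

def check_site(site_url):
    """Probe a site with both User-Agents and classify the result."""
    return classify(site_url, probe(site_url, DESKTOP_UA), probe(site_url, MOBILE_UA))

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "http://example.com/"))
```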
On the server side there was a script that recognized the visitor’s location and, according to that, decided where to redirect the site visitor. We were able to dig up plenty of threats from multiple websites: everything from porn sites to fake applications to fake antivirus websites that tried to sneak onto users’ devices. I’ve randomly picked three to show you what kind of threats await mobile users, sorted by their danger level.
- Porn sites
No actual harm is done, but it’s quite annoying if you are trying to access a “clean” page and are suddenly redirected to a porn website. You probably won’t be satisfied in this case, and it is definitely NSFW.
- Fake anti-virus
This website, to which mobile WordPress visitors are redirected, tries to make you believe that your device is infected and charges you via SMS to “clean” your phone. Luckily there’s still no immediate harm, other than trying to convince you your device is infected and getting you to pay for their “service.”
- Harmful apps
The third and worst redirect leads to porn apps that ask users to install them onto their devices. Although users have to approve the installation before the app can cause the device harm, once installed they are quite vicious. I’ve analyzed a few of them and found that most requested permissions capable of stalking users, sending premium SMS, and even becoming device administrator.
Here are some of the other domains the IP address also redirects users to, but as I said, there were plenty more and each localized for different countries.
How to protect yourself from the trap
This kind of threat is pretty unique in that it targets mobile users accessing WordPress sites. As I said at the beginning, users accessing WordPress from PCs were not affected. This is probably why hackers are using this method: most antivirus companies scan web addresses, and the website appears harmless when accessed through a PC, which makes the redirect hard to detect.
As I write this post, no other antivirus is blocking this IP for their mobile users and the sites it redirects to except for AVAST. avast! Mobile Security blocks this redirect, keeping AVAST users safe. WordPress publishers should delete the file media-upload.php for now and contact either WordPress or OptimizePress for a solution.