Malicious links impersonating WordPress have been circulating. One of them was flagged by the admins at Sophos after they themselves received an email, aimed at their marketing blog, urging the recipient to click the link it contained.
So where does the malicious link lead?
The researchers at Sophos found that the link led to a very convincing phishing page, complete with authentic-looking WordPress icons and logos, inviting the user to log in with their WordPress username and password in order to proceed with a so-called "much required" security update.
According to an article on Sophos.com, the company's security expert Paul Ducklin explained: "The scam then shows you some fake but believable progress messages to make you think that a genuine 'site upgrade' has kicked off, including pretending to perform some sort of digital 'file signing' at the end."
Furthermore, once the victim has entered their WordPress credentials, they are abruptly redirected to a 404 error page, leaving them believing that something simply went wrong.
The user has no recourse once they land on the 404 page; by then the credentials have already been submitted to the attacker.
Phishing emails can be customized
Surprisingly, the malicious link in the email carried a URL and an encoded banner parameter that allowed the researchers (and the attackers) to customise the link further so that it impersonated various different hosting providers.
This is a significant example of how important two-factor authentication (TFA) really is. The majority of users do not have TFA turned on, which makes it easy for attackers to trick a user into handing over control of their site.
Ducklin further advises admins and users never to log in via links provided in emails, and to make sure TFA is turned on for the best protection.
“Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site,” Paul Ducklin further noted.
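The two defensive behaviours described above, a password manager that only releases a credential for the exact origin it was saved against, and a check that a link's visible text and its real destination agree, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from Sophos or from WordPress, and the vault class, helper names, and the hostnames used in the demo (`wordpress.com.example`, `wordpress-update.example`) are constructed for illustration. The vault matches on exact origin (scheme, host and port), which is a stricter policy than some real password managers use, so that a scheme downgrade or a lookalike host never gets an autofill.

```python
"""Origin-bound credential lookup and email-link mismatch check.

Added example for this article, not the article's or Sophos's own code.
All hostnames, usernames and passwords below are constructed.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_origin(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host:port, or None if it is not a web URL.

    Lower-cases the host, drops any user@ prefix, path, query and fragment,
    and fills in the default port so that https://example.com and
    https://example.com:443/ map to the same origin.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


class OriginBoundVault:
    """Toy password store keyed by exact origin (constructed for this example)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, str]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        origin = canonical_origin(url)
        if origin is None:
            raise ValueError(f"refusing to store a credential for non-web URL {url!r}")
        self._entries[origin] = (username, password)

    def lookup(self, url: str) -> Optional[Tuple[str, str]]:
        """Return (username, password) only when the URL's origin exactly
        matches a stored entry. A lookalike such as wordpress.com.example,
        a sibling host such as wordpress-update.example, or a plain-http
        copy of a stored https origin all yield None: the manager simply
        does not know which account to use, as Ducklin describes.
        """
        origin = canonical_origin(url)
        if origin is None:
            return None
        return self._entries.get(origin)


def link_is_suspicious(display_text: str, href: str) -> bool:
    """True when the visible link text names one origin but the href goes to
    another, the classic phishing-email pattern.

    Only fires when the display text itself looks like a URL or hostname;
    anchor text such as "click here" makes no origin claim to contradict.
    """
    shown = canonical_origin(display_text)
    if shown is None and "." in display_text and " " not in display_text.strip():
        shown = canonical_origin("https://" + display_text.strip())
    if shown is None:
        return False
    return shown != canonical_origin(href)


if __name__ == "__main__":
    vault = OriginBoundVault()
    # Constructed credential for the legitimate origin.
    vault.save("https://wordpress.com/wp-login.php", "site-admin", "correct-horse-battery")
    for candidate in (
        "https://wordpress.com/wp-admin/",           # same origin: autofill
        "https://WordPress.com:443/wp-login.php",    # same origin, odd casing
        "https://wordpress.com.example/wp-login.php",  # lookalike: no autofill
        "https://wordpress-update.example/login",    # sibling host: no autofill
        "http://wordpress.com/wp-login.php",         # scheme downgrade: no autofill
    ):
        print(f"{candidate:50} -> {vault.lookup(candidate)}")
    print(link_is_suspicious("https://wordpress.com/wp-login.php",
                             "https://wordpress-update.example/login"))
```

Run it directly to see which candidate URLs receive a credential; only the two that resolve to the stored origin do. The mismatch check is the kind of rule a mail gateway or a browser extension can apply to every anchor in an incoming message, which operationalises the advice to never log in from a link in an email.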