A large number of website owners have received notifications from WordPress to inform them that their passwords have been reset because suspicious activity has been detected on their accounts.
The recipients of these alerts are advised to change their passwords and notify WordPress in case they see any more suspicious activities on their accounts or blogs.
The Hacker News has analyzed some of the compromised websites and found that the attackers posted articles entitled “I’m getting paid!” on each of them. The suspicious posts advertise “make easy money” and “work-at-home” jobs that supposedly earn anyone a more than decent income.
If they sign up by providing their names and email addresses, victims are taken to other “extra income” websites such as surveyryphic.com, directredirection.be or ecash0pinions.com.
Another noteworthy thing is that once they sign up on these sites, users start receiving spam emails that appear to be sent with the aid of GetResponse.com, a world-renowned email marketing service.
Over 15,000 WordPress websites have been found to host the "I'm getting paid" article.
So, how could attackers compromise such a large number of websites? One theory is that a WordPress server, or a server belonging to a WordPress API service, was compromised.
Another possibility is that the cybercriminals leveraged some known or unknown WordPress vulnerability.
However, there’s an even more plausible theory. Experts from Dynamic Net found that, starting in September, around half of the compromised WordPress sites were taken over through brute force attacks against their WordPress logins.
“If you review your or your hosting provider reviews your web site’s access logs on a regular basis, you can tell if there are Brute Force attacks being attempted on your WordPress site by seeing multiple requests to access the file wp-login.php from the same IP address over and over again,” explained Peter Abraham, CSO at Dynamic Net.
Abraham also offers some valuable advice on how WordPress blogs can be protected against such attacks.