Attack Wrangles Thousands Of Web Users Into A Password-Cracking Botnet

Arthur T Knackerbracket has processed the following story:

Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors' browsers to perform password-cracking attacks.

A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago. Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

This is how thousands of visitors across hundreds of infected websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites," Sinegubko wrote. And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests."

Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system. The script-just 3 kilobits in size-reaches out to an attacker-controlled getTaskURL, which in turn provides the name of a specific user on a specific WordPress site, along with 100 common passwords. When this data is fed into the browser visiting the hacked site, it attempts to log into the targeted user account using the candidate passwords. The JavaScript operates in a loop, requesting tasks from the getTaskURL reporting the results to the completeTaskURL, and then performing the steps again and again.

[...] With 418 password batches as of Tuesday, Sinegubko has concluded the attackers are trying 41,800 passwords against each targeted site.

Read more of this story at SoylentNews.