Eight-Year Study Shows the Dark Side of WordPress Plugins

Summary: Cybersecurity researchers discover many WordPress sites are compromised.

Published 2022-08-26 (last updated 2022-08-31) by jpopham3 (jpopham3@gatech.edu), College of Computing, category: Research.

Image: CyFI Lab Sign (alt text: "Sign reading Cyber Forensics Innovation Laboratory The CyFI Lab").

A new look into the world of WordPress plugins is showing scientists that this basic component of website development is a minefield full of malware and danger.

Since 2012, researchers in the Georgia Tech Cyber Forensics Innovation Laboratory (CyFI Lab) have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA.

According to a newly released paper about the eight-year study, the researchers found that every compromised website in their dataset had two or more infected plugins. The findings also indicated that 94% of those plugins are still actively infected.

"This is an under-explored space," said Ph.D. student Ranjita Pai Kasturi, who was the lead researcher on the project. "Attackers do not try very hard to hide their tracks and often rightly assume that website owners will not find them."

YODA is not only able to detect active malware in plugins, but it can also trace the malicious software back to its source. This allowed the researchers to determine that these malicious plugins were either sold on the open market or distributed from pirating sites, injected into the website by exploiting a vulnerability, or, in most cases, infected after the plugin was added to a website.

According to the paper written by Kasturi and her colleagues, over 40,000 plugins in their dataset were shown to have been infected after they were deployed. The team found that the malware would attack other plugins on the site to spread the infection.

"These infections were a result of two scenarios. The first is cross-plugin infection, in which case a particular plugin developer cannot do much," said Kasturi. "Or it was infected by exploiting existing plugin vulnerabilities. To fix this, plugin developers can scan for vulnerabilities before releasing their plugins for public use."

Although these malicious plugins can be damaging, Kasturi adds that it's not too late to save a website that has a compromised plugin. Website owners can purge malicious plugins entirely from their websites and reinstall a malware-free version that has been scanned for vulnerabilities. To give web developers an edge over this problem, the CyFI Lab has made the YODA code available to the public on GitHub: https://github.com/CyFI-Lab-Public/YODA

"Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces" (https://www.usenix.org/system/files/sec22-kasturi.pdf) was presented at the 31st USENIX Security Symposium. The paper was written by Ph.D. students Kasturi, Jonathan Fuller, and Yiting Sun; master's student Omar Chabklo; undergraduate Andres Rodriguez; Postdoctoral Scholar Jeman Park; and Assistant Professor Brendan Saltaformaggio. The project was the result of the unique partnership between the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering.

Keywords: Research, laboratory, Cybersecurity, malware, Student, Ph.D., USENIX. Core research areas: Cybersecurity; People and Technology.