Beware: new IRS rules will lead to a wave of phishing frauds

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that will affect millions of freelancers and small businesses. As explained in an earlier column, beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces – regardless of how many customers are paying – that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K – used for reporting payments via these third parties – in early 2023.

Full story: https://www.theguardian.com/money/2022/feb/27/beware-phising-fraud-new-irs-rules-online-payment-service-receipts

Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin

A cross-site scripting (XSS) vulnerability was discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to inject malicious JavaScript that executes whenever a site administrator accesses the PhotoSwipe Options page or a user accesses a page with a gallery created by the plugin.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Photoswipe Masonry Gallery”, which is version 1.2.18 at the time of this publication.

Photoswipe Masonry Gallery is a plugin designed to enhance gallery creation using the default WordPress gallery builder, which can be added to WordPress pages and posts. As with many other plugins available in the WordPress repository, this plugin has the ability to set general options. These settings carry over to any gallery that a site owner chooses to create and include things like thumbnail width and height for images, along with many other settings. Unfortunately, this plugin had a vulnerability that made it possible for attackers to modify these settings.

Source: https://www.wordfence.com/blog/2022/02/stored-cross-site-scripting-vulnerability-patched-in-a-wordpress-photo-gallery-plugin

Reflected XSS in Header Footer Code Manager

Header Footer Code Manager is a WordPress plugin designed to allow administrators to add code snippets to the header or footer of a website. One of the admin panel pages added by the plugin allows administrators to view a list of code snippets that had been added to the site, which included links to edit or delete these existing code snippets. The plugin’s column_name function used the $_REQUEST['page'] parameter to construct this link.

WordPress uses the value of the $_GET['page'] parameter in order to determine which page the user is currently visiting, and will block unauthorized users if they’re not allowed to access the current page set in $_GET['page']. This means that $_REQUEST['page'] might be expected to just contain the admin page used to display the list of code snippets, hfcm-list. However, due to a quirk of how PHP handles superglobal variables, $_REQUEST parameters can be overloaded.

The upshot is that this can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to e.g. hxxps://victimsite.site/wp-admin/admin.php?page=hfcm-list, with the $_POST['page'] parameter set to malicious JavaScript.
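The superglobal quirk described above, as an added example that is not the plugin's code: with PHP's usual request_order of "GP", $_REQUEST is $_GET merged with $_POST and the later source wins, so a POST body can replace the page slug that WordPress authorised via $_GET. The request values, the edit_link_* functions and the slug allowlist are all constructed for this demo, and esc_attr() is stubbed so the script runs outside WordPress.

```php
<?php
// Constructed request: WordPress authorises the page using $_GET['page'],
// while the attacker controls $_POST['page'] through a self-submitting form.
// (A real script never fills these arrays itself; PHP does so at startup.)
$_GET  = ['page' => 'hfcm-list'];
$_POST = ['page' => '"><script>alert(1)</script>'];
$_REQUEST = array_merge($_GET, $_POST);   // mimics request_order "GP": POST overrides GET

// Minimal stand-in for WordPress esc_attr() so the example runs from the CLI.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: trusts $_REQUEST and writes it into HTML unescaped,
// so the overriding POST value lands in the administrator's page.
function edit_link_vulnerable(int $id): string {
    return '<a href="?page=' . $_REQUEST['page'] . '&action=edit&id=' . $id . '">Edit</a>';
}

// Hardened pattern: read the slug only from $_GET (the value WordPress actually
// checked), accept only known admin page slugs, and escape on output anyway.
function edit_link_hardened(int $id): string {
    $allowed = ['hfcm-list'];                 // hypothetical allowlist of this plugin's pages
    $page = $_GET['page'] ?? '';
    if (!in_array($page, $allowed, true)) {
        $page = 'hfcm-list';                  // fall back to the known list page
    }
    return '<a href="?page=' . esc_attr($page) . '&amp;action=edit&amp;id=' . (int) $id . '">Edit</a>';
}

echo "Vulnerable: ", edit_link_vulnerable(7), PHP_EOL;
echo "Hardened:   ", edit_link_hardened(7), PHP_EOL;
```

Run it with `php example.php`: the first link carries the script tag from the POST body, the second only ever contains an allowlisted, escaped slug.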

Full explanation: https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager

UpdraftPlus WordPress plugin update forced for million sites

WordPress has forced the update of the UpdraftPlus plugin on around three million sites to address a high-severity vulnerability, tracked as CVE-2022-0633 (CVSS v3.1 score of 8.5), that can allow website subscribers to download the latest database backups, which could potentially contain sensitive data.

“The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.” reads the advisory for this issue.

The flaw was discovered by Marc Montpas during an internal audit of the plugin.

“The plugin uses custom ‘nonces’ and timestamps to securely identify backups. Given the knowledge of said nonce and timestamp can give someone access to quite a few of the plugin’s features, making sure this info is only accessible to those who legitimately need it is crucial.” reported the analysis. “Unfortunately, as we’ll demonstrate, it wasn’t the case.”

The issue impacts versions 1.16.7 to 1.22.2 of the plugin; the development team addressed it with the release of 1.22.3, or 2.22.3 for the (paid) Premium version.

Source: https://securityaffairs.co/wordpress/128170/hacking/updraftplus-forced-update.html

Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry

The phishing attacks are spoofing LinkedIn to target ‘Great Resignation’ job hunters, who are also being preyed on by huge data-scraping bot attacks.

Emotionally vulnerable and willing to offer up any information that lands the gig, job seekers are prime targets for social engineering campaigns. And with the “Great Resignation” in full swing, cybercriminals are having an easy time finding their next victim.

Just since Feb. 1, analysts have watched phishing email attacks impersonating LinkedIn surge 232 percent, attempting to trick job seekers into giving up their credentials.

“Current employment trends help to make this attack more convincing,” a new report from Egress said. “‘The Great Resignation’ continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.”

The emails had subject lines that would be enticing to job hunters hoping to get noticed, like, “Who’s searching for you online,” “You appeared in 4 searches this week” or even “You have 1 new message,” the Egress team said.

The phishing emails themselves were convincing dupes, built in HTML templates with the LinkedIn logo, colors and icons, the report added. The scammers also name-checked well-known companies throughout the bodies of the phishing emails, including American Express and CVS Carepoint, to make the correspondence seem more legitimate, the analysts said.

Even the email’s footer lifted the company’s headquarters’ address and included “unsubscribe” links to add to the email’s authenticity, the analysts pointed out.

“You can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks,” the report said.

Once victims clicked the malicious links in the email, they were directed to a site that harvested their LinkedIn logins and passwords.

“While the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other,” the analysts added. “Currently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.”

021722 09:18 UPDATE: LinkedIn sent the following statement to Threatpost:

“Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification. To learn more about how members can identify phishing messages, see our Help Center here.”

Read more: https://threatpost.com/massive-linkedin-phishing-bot-attacks-hungry-job-seekers/178476/

PHP Everywhere Bugs Put 30K+ WordPress Sites at Risk of RCE

The plug-in’s default settings spawned flaws that could allow for full site takeover but have since been fixed in an update that users should immediately install, Wordfence researchers said.

Tens of thousands of WordPress sites are at risk from critical vulnerabilities in a widely used plug-in that facilitates the use of PHP code on a site.

One of the bugs allows any authenticated user of any level – even subscribers and customers – to execute code that can completely take over a site that has the plugin installed, researchers have found.

Researchers from Wordfence Threat Intelligence discovered three critical vulnerabilities in PHP Everywhere, a plug-in installed on more than 30,000 WordPress sites, as they revealed in a blog post published Tuesday. The plug-in does precisely what its name suggests, allowing WordPress site developers to put PHP code in various components of a site, including pages, posts and sidebars.

Source: https://threatpost.com/php-everywhere-bugs-wordpress-rce/178338/

See also: https://www.bleepingcomputer.com/news/security/php-everywhere-rce-flaws-threaten-thousands-of-wordpress-sites/

Elementor WordPress plugin has a gaping security hole – update now

If you run a WordPress site and you use the Elementor website creation toolkit, you could be at risk of a security hole that combines data leakage and remote code execution.

That’s if you use a plugin called Essential Addons for Elementor, which is a popular tool for adding visual features such as timelines, image galleries, ecommerce forms and price lists.

An independent threat researcher called Wai Yan Myo Thet recently discovered what’s known as a file inclusion vulnerability in the product.

This security hole made it possible for attackers to trick the plugin into accessing and including a server-side file using a filename supplied in the incoming web request.

Simply put, a malicious visitor could trick an unpatched server into serving up a file it’s not supposed to, such as the server’s own username database, or coerce the server into running a script it shouldn’t, thus creating a remote code execution (RCE) hole.
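The file inclusion pattern described above, as an added example that is not Essential Addons' code: a template loader that passes a request-supplied name straight to include(), beside a hardened loader that accepts only known template names and confirms the resolved path is still inside the template directory. The temporary template directory, the render_* functions and the allowlist are constructed for this demo.

```php
<?php
// Constructed template directory with one legitimate template in it.
$templateDir = sys_get_temp_dir() . '/demo-templates-' . getmypid();
mkdir($templateDir, 0700);
file_put_contents($templateDir . '/timeline.php', "<?php echo 'timeline rendered', PHP_EOL;");

// Vulnerable pattern: whatever name arrives in the request decides which file
// is included, so "../" segments walk out of the template directory.
function render_vulnerable(string $dir, string $name): void {
    include $dir . '/' . $name . '.php';
}

// Hardened pattern: allowlist first, then confine the resolved path.
function render_hardened(string $dir, string $name): bool {
    $allowed = ['timeline', 'gallery', 'price-list'];   // hypothetical allowlist of templates
    if (!in_array($name, $allowed, true)) {
        return false;                                   // unknown name: refuse, do not touch disk
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses ".." and symlinks,
    // so a prefix check against the real base directory is meaningful.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

render_vulnerable($templateDir, 'timeline');                 // works for the intended input
var_dump(render_hardened($templateDir, 'timeline'));         // bool(true), template rendered
var_dump(render_hardened($templateDir, '../../etc/passwd')); // bool(false), rejected by allowlist

// Clean up the constructed directory.
unlink($templateDir . '/timeline.php');
rmdir($templateDir);
```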

As you probably know, web server RCE bugs are typically abused to implant malware that allows the attackers to do something to your immediate, and often costly, detriment.

Clients of ProtectYourWP.com have already been updated, of course.

Source and more details: https://nakedsecurity.sophos.com/2022/02/02/elementor-wordpress-plugin-has-a-gaping-security-hole-update-now/

https://www.darkreading.com/vulnerabilities-threats/tens-of-thousands-of-websites-vulnerable-to-rce-flaw-in-wordpress-plugin