In-Depth Analysis of a Criminal Organization Targeting WordPress Websites
Written by Mark Maunder, and originally published on March 1, 2017 on the Wordfence Security blog. We are posting this article for two reasons: 1) It is a high value article for our clients. 2) Wordfence is an amazing tool for hardening WordPress websites, and we strongly endorse their services.
The number of brute force attacks that we see each month targeting WordPress is incredibly high. Last month, Wordfence blocked an average of 25 million brute force attacks per day, as you can see in our January WordPress Attack Activity Report.
Late this month (February) we noticed a new surge in attacks. One IP address that we noticed is 22.214.171.124. Wordfence blocked 1.7 million attacks from this IP targeting over 22,000 websites from February 21st until February 28th.
We decided to take a closer look at what kind of activity this IP is engaging in, and we ended up uncovering a vast network of attack sites, their tactics, techniques and procedures (TTPs), and who is behind them.
Analyzing the IP and who hosts it
The IP address 126.96.36.199 is owned by an organization called “PP SKS-LUGAN” (PSL) which we have written about previously. In December of last year, we noted that most of the brute force attacks we were seeing during a December spike were originating from PSL.
The following shows the top IP addresses at PSL for a single day in December and how many attacks they generated in just 24 hours.
Top 8 Ukraine Attack IP’s
Multiple complaints to PSL have resulted in no change in this behavior and PSL IP addresses are continuing to engage in a large number of brute force attacks.
When analyzing 188.8.131.52 we looked at it in various dimensions:
Based on the open ports, the server appears to be a Windows machine. It seems to be associated with a domain called heilink which, based on archive.org, belongs to someone who was selling World of Warcraft gear and the site is now down. That is probably the previous owner of that IP address.
Based on the number of attacks we’re seeing coming from PSL’s netblock, we think that they are a “bullet proof hosting provider”. In other words, they provide hosting for individuals and organizations who are engaged in activity that is clearly malicious. PSL will not respond or react to complaints about customers, but will allow the customer to continue using their services to engage in illegal activity.
What else comes from 184.108.40.206?
One of our customer sites that is participating in the Wordfence security network was hit by a defacement attack from 220.127.116.11. This is a departure from the standard brute force attacks we normally see from this IP address.
We grabbed the sample and it contained the following:
A Network of Counterfeit Sports Apparel Sites
We used the list of domains we found in the spam above to find out what other defacement attacks the Wordfence firewall has blocked that contain those domains. We discovered a range of IP addresses that are engaging in this defacement campaign and which are promoting a list of websites that are all selling counterfeit sports apparel.
The table below shows a list of the websites that we encountered that are part of this campaign. Out of the 24 websites that are being actively marketed, 19 of them, or 80%, are still up and running and have not been taken down due to trademark infringement (see below for details).
We profiled a handful of these sites and established a link between 18.104.22.168 and other sites in the spam network, through the domains that they are promoting:
The above image shows 6 IP addresses that are part of this campaign. We show what attack or spam methods they are using and similarities in behavior between IPs. We also show which sites each IP is promoting and how there is cross promotion between IPs.
As you can see in the above image, 22.214.171.124 is engaging in high frequency brute force attacks. It is also spamming a range of domains. One of those domains is bizcheapjerseyswholesalechina.com which is linked to two other IP addresses in the spam network.
One of those linked IPs is engaging in the same kind of comment spam as an additional two IPs in the network. In tactical terms, it is using the same TTPs (tactics, techniques and procedures). Furthermore, one of the IPs we linked via TTPs is also spamming the Simple Ajax Chat plugin, which yet another IP address in the list is also doing.
The above is a very basic analysis of just 5 IP addresses that are related to 126.96.36.199. We have high confidence that other IP addresses in the spam network can be linked to 188.8.131.52 in the same way.
A long list of lawsuits
Many of the websites that are engaged in this spam campaign have been taken down by a law firm representing the NFL, MLB, NHL and the NBA. Once a site is taken down, a notice appears on the site similar to the image on the left.
The procedure for these take-downs is to file a complaint, then apply for a temporary restraining order (TRO) against the site. In the case of the site on the left, the TRO was applied for the following day, December 7th, 2016.
Then the law firm files for a preliminary injunction about a week later. One month later the law firm files a motion for default judgement.
The owners of these sites don’t show up to defend themselves, and so this legal process proceeds unattended by the site owners until a default judgment is issued in the trademark owners’ favor.
This process allows the trademark owners to take control of the website and take it down. Once the website is taken down, a notice like the one on the left is placed on the website.
Following the Money
The sites we analyzed that are selling counterfeit sports apparel prefer to get paid via either Western Union Money Transfer or MoneyGram. The checkout on one of these sites looks like this:
In every case, the payment recipients are based in China. Across the range of sites we analyzed, we found the following recipients:
As you can see in the screenshot above, there are different payment recipients for Western Union vs MoneyGram. To illustrate that these individuals are connected to each other, we have created the following analysis of four individuals in this network:
As you can see in the diagram above, each individual is connected to every other individual via the sites that they receive payments for. The payment recipients are probably low ranking individuals in what is clearly a criminal organization.
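The linking used in this analysis, both for attack IPs that share promoted domains or TTPs and for payment recipients that share sites, can be reproduced from blocked-request records with a small grouping routine. The following is an added example, not code from the original article or from Wordfence; the IPs (documentation ranges), domains, recipient labels and indicator names are all constructed.

```python
from collections import defaultdict
from itertools import combinations

def shared_indicators(observations):
    """Map each pair of entities to the indicators they have in common."""
    by_indicator = defaultdict(set)
    for entity, indicator in observations:
        by_indicator[indicator].add(entity)
    links = defaultdict(set)
    for indicator, entities in by_indicator.items():
        for a, b in combinations(sorted(entities), 2):
            links[(a, b)].add(indicator)
    return dict(links)

def clusters(observations):
    """Group entities that are linked, directly or transitively (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for entity, _ in observations:
        find(entity)
    for a, b in shared_indicators(observations):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for entity in parent:
        groups[find(entity)].add(entity)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

# Constructed sample: (source IP, indicator seen in a blocked request)
IP_OBS = [
    ("192.0.2.10", "ttp:login-brute-force"),
    ("192.0.2.10", "domain:jerseys-a.example"),
    ("198.51.100.7", "domain:jerseys-a.example"),
    ("198.51.100.7", "ttp:comment-spam-template-1"),
    ("203.0.113.5", "ttp:comment-spam-template-1"),
    ("203.0.113.5", "ttp:chat-plugin-spam"),
    ("203.0.113.9", "ttp:chat-plugin-spam"),
    ("192.0.2.99", "domain:unrelated.example"),
]
# Constructed sample: (payment recipient, site whose checkout names them)
PAY_OBS = [("recipient-A", "site:shop1.example"), ("recipient-B", "site:shop1.example"),
           ("recipient-B", "site:shop2.example"), ("recipient-C", "site:shop2.example"),
           ("recipient-C", "site:shop3.example"), ("recipient-D", "site:shop3.example")]

if __name__ == "__main__":
    print(clusters(IP_OBS))
    print(clusters(PAY_OBS))
```

Feed this only indicators that are specific (a promoted domain, a particular spam template); a broad one such as "any login brute force" would merge unrelated sources into one cluster.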
Wrapping it Up
What we have shown here is that a criminal organization selling counterfeit sports apparel is engaging in spam to promote their retail websites. In addition to spam, we have shown that they are also using brute force attacks, targeting WordPress websites, from one of their spam servers, which is hosted at a well-known bullet proof host, PP SKS-LUGAN, based in Ukraine.
US-based law firms are engaged in an ongoing campaign to take down these counterfeit apparel retailers based on trademark infringement lawsuits, TROs and default judgements. The battle between the trademark infringers and the law firms representing the trademark owners appears to be ongoing.
This analysis should help you understand what the motive is behind some of the brute force attacks that target your WordPress website. The motive in this case is financial and the attackers are using compromised WordPress websites to sell and market counterfeit sports apparel.
Credits: Authored by Robert McMahon and Mark Maunder with assistance from Panagiotis Vagenas. Thank you to Dan Moen for editing.