2m WordPress sites at risk.

May 08 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily newsletter that’s smart enough to know that King Charles did not get ‘coronated’ at his Coronation 😏

Today’s hottest cyber security stories:

  • 2m WordPress sites at risk thanks to plug-in, baby 🤘Any Muse fans?
  • McAfee: Three seconds is all it takes to clone your voice for scams 😲
  • Ransomware: San Bernardino County Sheriff’s Department pays $1.1m bounty 🤠

STOP THE WORDPRESSES… AGAIN!

Listen up, fellow cybersecurity enthusiasts! If you’re one of the cool kids using the Advanced Custom Fields plugin for WordPress, it’s time to update that bad boy to version 6.1.6.

Why, you ask? Well, it turns out some sneaky hackers discovered a security flaw (boo!) that could inject some seriously arbitrary executable scripts into your otherwise harmless website (double boo!).

This issue, dubbed CVE-2023-30777 (catchy name, huh?), is a case of reflected cross-site scripting (XSS). It’s like a game of ping-pong, except instead of a ball, it’s a malicious code bouncing back and forth between the vulnerable website and the user’s browser.

How does this happen, you ask? Easy peasy: just click on a bogus link sent via email or some other sneaky route and BAM! You’re in a whole world of trouble.

And don’t just take our word for it. Here’s what Patchstack researcher Rafie Muhammad had to say on the matter:

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path.”

But never fear, Gone Phishing is here to reassure you that it’s not all doom and gloom… Reflected XSS attacks rely on social engineering to trick victims into clicking on those bogus links, so they’re not as widespread as stored XSS attacks.

Still, it’s better to be safe than sorry, right? So update that plugin, pronto!

(CYBER-)ATTACK OF THE (VOICE-)CLONES

There’s a scam that’s been doing the rounds lately (this author’s mother was even targeted and embarrassingly almost fell for it until her bank intervened!) wherein a text message appears in a victim’s inbox saying: “Hi Mum.”

Now, as you can imagine, if you send out thousands of these, every once in a while scammers get lucky and get a response from a mum.

And then the battle begins for the scammer to convince this poor mother that he or she is in fact one of their sons or daughters and, wouldn’t you know it, they’ve found themselves in a spot of bother and need to borrow a couple of grand.

Now, think about this: these crappy text message scams sometimes work. Imagine how much the likelihood of success would increase if these devious bastards could mimic the voice of somebody’s son or daughter (just one example).

Because, according to new research by McAfee, scammers can clone someone’s voice in as little as three seconds! Now, tell me that’s not terrifying… Thanks AI! You really are a double-edged sword aren’t’ you? Like all technology, really.

McAfee surveyed 7,054 people from seven countries and found that a quarter of adults had previously experienced some kind of AI voice scam, with 1 in 10 targeted personally and 15% saying it happened to someone they know. 77% of victims said they had lost money as a result.

McAfee CTO Steve Grobman, said: “Advanced artificial intelligence tools are changing the game for cybercriminals. Now, with very little effort, they can clone a person’s voice and deceive a close contact into sending money,” said Grobman.

And we’re not talking peanuts either, folks. More than a third of people who’d lost money said it had cost them over $1,000, while 7% were duped out of between $5,000 and $15,000.

And when the victim finally hears the AI-generated spoof, all they have to say is:

“That doesn’t even sound like me?!?!” 😂

All seriousness folks, stay safe out there! And share this article with your mums! And your grandparents!

WANTED DEAD OR MaLIVE

Looks like the San Bernardino County Sheriff’s Department found itself in quite the pickle. A ransomware attack had them shaking in their boots and forced them to fork over a whopping $1.1 million in ransom. Ooh-wee, ain’t that about a b*tch!

To prevent the malicious software from spreading like wildfire, the department had to hit the brakes on some of their systems. Yep, that means no emails, in-car computers, or access to certain law enforcement databases. Gosh darnit!

The attack went down on April 7th, and the law enforcement officers went into full-on detective mode to figure out what the heck was going on.

But they must have hit a dead-end because they ended up paying half of the ransom themselves – a cool $511,852. The rest was covered by their insurance carrier, thank the Lord.

Now, normally, the FBI and other law enforcement agencies would advise against paying ransom in these kinds of attacks come hell or high-water.

But hey, when you’re stuck between a rock and a hard place, what else are you gonna do? At least they can get back to work now that their systems are restored and their data is secure.

Hopefully, this will be a lesson learned to keep those cybersecurity measures up to snuff!

As you were, friendo.

So long and thanks for reading all the phish!

Recent articles