As many as 47,337 malicious plugins have been identified on 24,931 unique websites, and 3,685 of those plugins were offered for sale on trustworthy marketplaces, earning the hackers $41,500. These are the results of YODA, a new program that detects rogue WordPress plugins and traces their origin, described in an 8-year study by a group of scholars from the Georgia Institute of Technology.
Almost 44,000 of these plugins, more than 94%, are still in use today.
Posing as developers of useful plugins, attackers distributed pirated plugins to spread malware. Malicious activity peaked in March 2020, and the number of malicious plugins on websites has grown steadily over time. Surprisingly, 94% of the malicious plugins installed over those 8 years are still active. By examining WordPress plugins installed on 410,122 different web servers going back to 2012, the long-running analysis also found that threat actors had infected plugins after they were released, at a total cost of $834,000.
YODA can be deployed either by integrating it directly into a website or a web hosting provider's servers, or through a plugin marketplace. Beyond finding hidden and malware-rigged add-ons, the framework can determine a plugin's owner and provenance. To locate plugins, it analyses the server-side code files and their associated metadata; it then performs a syntactic and semantic analysis to identify malicious behaviour.
The semantic model covers a range of red flags, including web shells, the ability to add new posts, password-protected code injection, spam, code obfuscation, blackhat SEO, malware downloaders, malvertising, and cryptocurrency miners.
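To make the detection approach concrete, here is an added illustrative scanner (example code, not YODA's own and not from the study): it reads a plugin's WordPress header for provenance, runs a small hypothetical signature set modelled on the red flags above over the plugin's PHP files, and flags headerless code as a hidden plugin.

```python
import re
import tempfile
from pathlib import Path

# Header fields WordPress reads from a plugin's main file; used here for provenance.
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Version")

# Hypothetical signature set modelled on the red flags above (a real scanner uses a far richer model).
SIGNATURES = {
    "code_obfuscation": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "web_shell": re.compile(r"\b(?:system|exec|shell_exec|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST)\b", re.I),
    "downloader": re.compile(r"\bfile_put_contents\s*\([^;]*\bfile_get_contents\s*\(\s*['\"]https?://", re.I | re.S),
    "post_injection": re.compile(r"\bwp_insert_post\s*\(", re.I),
}

def parse_header(source: str) -> dict:
    """Extract the plugin header block that WordPress uses to list a plugin."""
    header = {}
    for field in HEADER_FIELDS:
        m = re.search(rf"^\s*\*?\s*{re.escape(field)}:\s*(.+)$", source, re.M)
        if m:
            header[field] = m.group(1).strip()
    return header

def scan_plugin(plugin_dir: Path) -> dict:
    """Scan one plugin directory: collect provenance metadata and signature hits (name, file, line)."""
    report = {"plugin": plugin_dir.name, "header": {}, "findings": []}
    for php in sorted(plugin_dir.rglob("*.php")):
        source = php.read_text(errors="replace")
        if not report["header"]:
            report["header"] = parse_header(source)
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(source):
                line = source.count("\n", 0, m.start()) + 1
                report["findings"].append((name, php.name, line))
    # Code with no plugin header never appears in the admin plugin list: flag it as hidden.
    if "Plugin Name" not in report["header"]:
        report["findings"].append(("hidden_plugin", plugin_dir.name, 0))
    return report

def demo() -> dict:
    """Write a constructed, harmless sample plugin to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "seo-booster"
        d.mkdir()
        (d / "seo-booster.php").write_text(
            "<?php\n/*\nPlugin Name: SEO Booster\nAuthor: example-author\n*/\n"
            "eval(base64_decode('PLACEHOLDER'));\n"
            "wp_insert_post(array('post_content' => $spam));\n")
        return scan_plugin(d)
```

Running `demo()` returns the report for the constructed sample, which trips the obfuscation and post-injection signatures on lines 6 and 7 of the sample file.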
Spam injection was enabled by 3,452 plugins that were available in trusted plugin marketplaces.
After distribution, 40,533 plugins on 18,034 websites were infected with malware.
Pirated plugins, that is, WordPress plugins or themes altered to download malware from remote servers, made up 8,525 of the malicious add-ons. Approximately 75% of these pirated plugins cost their creators $228,000 in lost revenue.
With YODA, plugin creators and marketplaces can inspect their plugins before distribution, and website owners and hosting providers can scan their web servers for potentially harmful plugins.