How to Fix the “Deceptive Site Ahead” Warning

Did you just try to access your site and encounter a Deceptive Site Ahead warning? This error message occurs when the browser believes your website is unsafe and experiencing security issues — and it can seriously affect your traffic and reputation.

When this warning appears on your site, you’ll want to address it as soon as possible to ensure that your site (and visitors) are protected from phishing and other social engineering attacks.

Continue reading How to Fix the “Deceptive Site Ahead” Warning at Sucuri Blog.

Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network

Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing — including tech support scams, adult dating, phishing, or drive-by-downloads.

Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: track[.]violetlovelines[.]com

PublicWWW results show over 4,500 websites impacted by this malware at the time of writing, while urlscan.io shows evidence of the campaign operating since December 26th, 2022.

Continue reading Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network at Sucuri Blog.

The Wordfence 2022 State of WordPress Security Report

Today, the Wordfence Threat Intelligence team is releasing our 2022 State of WordPress Security Report as a free White Paper. In our report, we look at changes in the threat landscape, analyze impactful trends, and provide recommendations based on our findings.

While most of our recommendations remain consistent with prior years, there were some surprising takeaways, including a number of positive trends and promising improvements in the ecosystem.

The most widespread threat to WordPress security in 2022 was neglect, as attackers target an ever-expanding pool of unmaintained sites, but it’s also clear that the latest versions of WordPress and the most popular plugins and themes have never been more secure.

You can download The Wordfence 2022 State of WordPress Security Report here.

The post The Wordfence 2022 State of WordPress Security Report appeared first on Wordfence.

PSA: Your Site Isn’t Hacked By This Bitcoin Scam, Keep the Money

On January 19th, 2023, a member of the Wordfence Threat Intelligence team received an email from their personal blog, claiming the site had been hacked, and we received two reports from Wordfence users who received the same message. The email claimed that the site had been hacked due to a vulnerability on the site. The email went on to demand about $3,000 worth of Bitcoin to prevent the malicious actor from damaging the site’s reputation. This is of course only a scare tactic, and not a true cause for concern. The site was not actually hacked.

This campaign appears to have begun on or around January 18, 2023, and while our data on it is light, the campaign is ongoing. The messages are submitted through a website's contact form, either by the threat actor directly or by a bot they control. As we do not have data on emails submitted directly through a contact form, this attack campaign is likely to be significantly more prolific than the numbers we have available.

The message in question, which can be seen below in its email form, is a scare tactic that is used to trick victims into paying to prevent a leak of sensitive data, damage to the website, or whatever other potential consequences the vague threat may conjure up in the site owner’s mind.


From: Manie Hedin <hacker@sludgepool.org>
Subject: Your Site Has Been Hacked

Message Body:
Your Site Has Been Hacked

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website https://<victimsite>.com and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your https://<victimsite>.com was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $3000 in bitcoins (0.14 BTC).

The amount(approximately): $3000 (0.14 BTC)
The Address Part 1: bc1qe4xvhksgapl3p76mm
The Address Part 2: fz7thdnmkeuxry08kjhcn

So, you have to manually copy + paste Part1 and Part2 in one string made of 42 characters with no space between the parts that start with "b" and end with "n" is the actually address where you should send the money to.

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 72 hours after receiving this message or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.


While this extortion campaign may not pose any real danger, it is still important to take website security seriously. WordPress core, themes, and plugins need to be updated with the latest security updates to patch known vulnerabilities. Even with everything updated, there may be vulnerabilities that are not publicly known and do not have an available patch. For this reason, a website security solution that includes a web application firewall (WAF) that can block common exploits, such as Wordfence, should be implemented.

Cyber Observables

While this extortion campaign is still in its early stages, there are some observables that can be used to identify and block these extortion attempts.

Email Address

hacker@sludgepool[.]org

Bitcoin Address

bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn

IP Addresses

138.199.18.140
138.199.18.61
212.102.57.5
216.24.216.249
212.102.57.24
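The observables above can be matched against incoming contact-form submissions so that copies of this extortion message are flagged for review rather than landing in a site owner's inbox as a surprise. The following is an added example, not code from the Wordfence post or the Wordfence plugin: it takes the email address, Bitcoin address and IP addresses listed on this page as its indicator set, reassembles the "Address Part 1" / "Address Part 2" split that the scam email uses to hide the wallet from simple string matching, and scores a submission against all three indicator types. The submission dictionaries, their field names (`email`, `ip`, `message`) and the sample bodies are constructed for the example.

```python
import ipaddress
import re

# Indicators listed in the PSA's "Cyber Observables" section (from the page).
IOC_EMAILS = {"hacker@sludgepool.org"}
IOC_BTC_ADDRESSES = {"bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn"}
IOC_IPS = {
    ipaddress.ip_address(ip)
    for ip in ("138.199.18.140", "138.199.18.61", "212.102.57.5",
               "216.24.216.249", "212.102.57.24")
}

# The scam splits the wallet across two lines ("The Address Part 1: ..."),
# so a naive search for the full address never matches the message body.
PART_RE = re.compile(r"Address Part\s*(\d)\s*:\s*([a-z0-9]+)", re.IGNORECASE)
# Loose bech32-style pattern for addresses that do appear whole.
BTC_RE = re.compile(r"\bbc1[a-z0-9]{25,59}\b")


def extract_btc_addresses(body):
    """Return the set of Bitcoin addresses found in a message body.

    Whole addresses are matched directly; split "Part N" fragments are
    concatenated in numeric order and added as one candidate address.
    """
    found = set(BTC_RE.findall(body.lower()))
    parts = {int(n): frag.lower() for n, frag in PART_RE.findall(body)}
    if parts:
        found.add("".join(parts[k] for k in sorted(parts)))
    return found


def classify_submission(submission):
    """Return the list of indicator matches for one contact-form submission.

    An empty list means nothing on the PSA's observable list matched.
    """
    reasons = []
    sender = submission.get("email", "").strip().lower()
    if sender in IOC_EMAILS:
        reasons.append(f"sender email {sender}")
    try:
        source_ip = ipaddress.ip_address(submission.get("ip", ""))
        if source_ip in IOC_IPS:
            reasons.append(f"source ip {source_ip}")
    except ValueError:
        pass  # missing or malformed IP field: skip the IP check only
    for addr in extract_btc_addresses(submission.get("message", "")):
        if addr in IOC_BTC_ADDRESSES:
            reasons.append(f"bitcoin address {addr}")
    return reasons


# Constructed sample submissions: one mirroring the extortion message, one benign.
SCAM_SUBMISSION = {
    "email": "hacker@sludgepool.org",
    "ip": "138.199.18.140",
    "message": (
        "Your Site Has Been Hacked\n"
        "The amount(approximately): $3000 (0.14 BTC)\n"
        "The Address Part 1: bc1qe4xvhksgapl3p76mm\n"
        "The Address Part 2: fz7thdnmkeuxry08kjhcn\n"
    ),
}
BENIGN_SUBMISSION = {
    "email": "customer@example.com",
    "ip": "203.0.113.7",  # documentation range, constructed
    "message": "Hi, is the blue model back in stock next week?",
}


def scan(submissions):
    """Map each submission's index to its reasons, keeping only flagged ones."""
    return {i: classify_submission(s) for i, s in enumerate(submissions)
            if classify_submission(s)}


if __name__ == "__main__":
    for idx, reasons in scan([SCAM_SUBMISSION, BENIGN_SUBMISSION]).items():
        print(f"submission {idx}: {', '.join(reasons)}")
```

Treat a match as a signal to quarantine the submission for review, not as proof of anything about the site: the IP list in particular will go stale as the sender rotates infrastructure, and the wallet address is the most durable of the three indicators because the payment demand is the point of the message.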

Conclusion

In this post, we discussed an emerging extortion campaign where emails are being sent to site owners through contact forms. This campaign does not pose an actual threat to the website, but serves as a reminder to keep websites updated and implement a website security solution.

Even though this is a scam, if you would like additional assurance that your site has not been compromised, you can follow our guide to cleaning a hacked site or use Wordfence Care or Response for a complete site audit, around-the-clock security monitoring, and unlimited site cleanings if your site is ever compromised. Both products include hands-on support in case you need further assistance.

The post PSA: Your Site Isn’t Hacked By This Bitcoin Scam, Keep the Money appeared first on Wordfence.

Vulnerable WordPress Sites Compromised with Different Database Infections

Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels.

We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.

Continue reading Vulnerable WordPress Sites Compromised with Different Database Infections at Sucuri Blog.
