Issue
Spam emails with the subject line "We have hacked your website" are being delivered through the site's own contact form: the attacker submits the message to the unprotected "contact-form-7" plugin, which relays it to the site owner by email. The message is a bluff intended to convince the owner that the website has been hacked, in the hope of an easy ransom payment.
Environment
- Imunify360
- Contact Form 7 plugin ("contact-form-7")
Solution
To prevent further spamming activity on your website, we recommend taking the following steps:
- Update the "contact-form-7" plugin: ensure that the plugin is updated to its latest version, as newer releases may include security fixes and anti-spam improvements. Note that an up-to-date plugin still accepts submissions on its public form endpoint by design, so updating alone does not stop this kind of abuse; combine it with the steps below.
- Keep plugins and themes up to date: regularly update all other plugins and themes on your website to close known security vulnerabilities.
- Implement a CAPTCHA mechanism: add a CAPTCHA (e.g., Google reCAPTCHA) to your contact form so that automated submissions are rejected before the message is emailed to you.
Based on the ModSecurity audit logs gathered, it is clear that the attacker abused the "contact-form-7" plugin installed on your website to deliver the blackmail message. The POST request to the plugin's REST feedback endpoint looked like this:
--d254604f-A--
[24/Apr/2023:08:45:06.691850 +0200] 216.177.141.39 POST /wp-json/contact-form-7/v1/contact-forms/54/feedback HTTP/1.0
Host: www.mycoolsite-domain.com
X-Real-IP: 216.177.141.39
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_5) AppleWebKit/537.36
Referer: https://www.mycoolsite-domain.com/kontak-mycoolsite-domain/
Content-Type: multipart/form-data
Form Data: _name: Philipp Coleman _email: hacker@khclan.eu _telpon: 03.09.28.28.25 _message: [Spam email claiming site hack, data extraction, and ransom demand of $3000 (0.11 BTC)]
HTTP/1.1 200 OK
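The audit log above is the evidence you would look for on other sites. As an added example (not part of this article, nor code from Imunify360 or the Contact Form 7 project), the Python script below parses ModSecurity audit-log entries in that shape, picks out POSTs to the contact-form-7 feedback endpoint, flags messages that combine an extortion keyword with a money or Bitcoin amount, and counts submissions per client IP so that a burst from one address stands out. The log entries embedded in it are constructed samples using documentation IP ranges and example.com domains, not the real request shown above; the indicator word lists and the two-signal threshold are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample: three ModSecurity audit-log entries in the same shape as the
# excerpt above (section-A marker, request line, headers, form data, response line).
# IPs are RFC 5737 documentation addresses and the messages are made up.
SAMPLE_AUDIT_LOG = """\
--d254604f-A--
[24/Apr/2023:08:45:06.691850 +0200] 198.51.100.23 POST /wp-json/contact-form-7/v1/contact-forms/54/feedback HTTP/1.0
Host: www.example.com
User-Agent: Mozilla/5.0
Referer: https://www.example.com/contact/
Content-Type: multipart/form-data
Form Data: _name: Philipp Coleman _email: attacker@example.net _message: We have hacked your website and extracted your databases. Pay $3000 (0.11 BTC) to the address below
HTTP/1.1 200 OK
--a1b2c3d4-A--
[24/Apr/2023:08:46:10.000000 +0200] 198.51.100.23 POST /wp-json/contact-form-7/v1/contact-forms/54/feedback HTTP/1.0
Host: www.example.com
Form Data: _name: Jane _email: jane@example.org _message: Hi, I'd like a quote for your service
HTTP/1.1 200 OK
--e5f6a7b8-A--
[24/Apr/2023:09:00:00.000000 +0200] 203.0.113.9 GET /contact/ HTTP/1.1
Host: www.example.com
HTTP/1.1 200 OK
"""

# Section-A boundary marker of a ModSecurity audit-log entry, e.g. "--d254604f-A--".
ENTRY_SPLIT = re.compile(r"^--[0-9a-f]+-A--$", re.M)
# First line of section A: "[timestamp] client_ip METHOD /path HTTP/x.y".
REQUEST_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/")
# Contact Form 7 REST feedback endpoint; the numeric segment is the form ID.
CF7_FEEDBACK = re.compile(
    r"^/wp-json/contact-form-7/v1/contact-forms/(?P<form_id>\d+)/feedback/?$")
# The message field as it appears in the flattened "Form Data:" line.
MESSAGE_FIELD = re.compile(r"_message: (?P<msg>.*)$")

# Two independent signals are required: an extortion keyword AND an amount.
EXTORTION_TERMS = re.compile(
    r"\b(hacked|ransom|extract\w*|database\w*|bitcoin|btc|leak\w*)\b", re.I)
MONEY = re.compile(r"(\$\s?\d[\d,]*|\b\d+(?:\.\d+)?\s?BTC\b)", re.I)


def parse_audit_log(text):
    """Split an audit log into entries and extract ip, method, path, CF7 form ID and message."""
    entries = []
    for chunk in ENTRY_SPLIT.split(text):
        lines = [ln for ln in chunk.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue  # not a section-A header we understand; skip the entry
        entry = m.groupdict()
        entry["form_id"] = None
        entry["message"] = ""
        fm = CF7_FEEDBACK.match(entry["path"])
        if fm:
            entry["form_id"] = int(fm.group("form_id"))
        for line in lines[1:]:
            if line.startswith("Form Data:"):
                mm = MESSAGE_FIELD.search(line)
                if mm:
                    entry["message"] = mm.group("msg").strip()
        entries.append(entry)
    return entries


def is_extortion(message):
    """True when the text carries both an extortion keyword and a dollar/BTC amount."""
    return bool(EXTORTION_TERMS.search(message)) and bool(MONEY.search(message))


def find_abusive_submissions(text):
    """Return CF7 feedback POSTs whose message looks like a 'we hacked your site' ransom note."""
    return [e for e in parse_audit_log(text)
            if e["method"] == "POST" and e["form_id"] is not None
            and is_extortion(e["message"])]


def submissions_per_ip(text):
    """Count CF7 feedback POSTs per client IP; a burst from one IP is a rate-limit signal."""
    return Counter(e["ip"] for e in parse_audit_log(text)
                   if e["method"] == "POST" and e["form_id"] is not None)


if __name__ == "__main__":
    for hit in find_abusive_submissions(SAMPLE_AUDIT_LOG):
        print(f"{hit['ts']} {hit['ip']} form {hit['form_id']}: {hit['message'][:60]}...")
    print(submissions_per_ip(SAMPLE_AUDIT_LOG))
```

To run it against a real server, read the contents of the ModSecurity audit log (the file configured by SecAuditLog) into the parser in place of SAMPLE_AUDIT_LOG; the per-IP counter is the figure to feed into a rate limit or a block list, and the flagged entries are the ones worth cross-checking against the spam messages that reached your inbox.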
Cause
The spam emails were sent through the "contact-form-7" plugin: the attacker posted the ransom note directly to the form's public REST feedback endpoint, and the plugin delivered it to the site owner's inbox like any other contact-form submission.