The spam emails titled "We have hacked your website" can be sent through an unprotected "contact-form-7" plugin installed on the website: the attacker submits the site's own contact form and lets it deliver the message. The aim is to deceive the owner into thinking the website has been hacked, in the hope of extorting money.
To prevent further spamming activity on your website, we recommend taking the following steps:
- Update the "contact-form-7" plugin: make sure the plugin is on its latest version, as newer releases may include anti-spam improvements and security fixes.
- Keep plugins and themes up to date: regularly update all other plugins and themes on your website to close known security vulnerabilities.
- Add a CAPTCHA to the contact form (e.g. Google reCAPTCHA) to stop automated submissions. Since the attacker posts directly to the plugin's REST endpoint and never loads the page, the CAPTCHA token must be verified server-side by the plugin, not only in the browser.
Based on the ModSecurity logs gathered, it is clear that the attacker used the "contact-form-7" plugin installed on your website to send the blackmail message. The POST request to the plugin's REST API (its form-submission endpoint; the number in the path is the form id) was:
[24/Apr/2023:08:45:06.691850 +0200] 18.104.22.168 POST /wp-json/contact-form-7/v1/contact-forms/54/feedback HTTP/1.0
Host: www.mycoolsite-domain.com
X-Real-IP: 22.214.171.124
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_5) AppleWebKit/537.36
Form Data:
_name: Philipp Coleman
_email: email@example.com
_telpon: 03.09.28.28.25
_message: [Spam email claiming site hack, data extraction, and ransom demand of $3000 (0.11 BTC)]
HTTP/1.1 200 OK
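To find every submission of this kind in a log, rather than reading entries by hand, the following script is an added example (not part of the original article or of the Contact Form 7 plugin). It parses blank-line separated entries laid out like the excerpt above, with one header or form field per line, picks out POSTs to the plugin's feedback endpoint, scores the _message field for extortion phrasing and counts hits per client IP. The log entries, names, addresses (RFC 5737 ranges) and message texts in SAMPLE_LOG are constructed for the example; the regular expressions, the FLAG_THRESHOLD of two indicators and the decision to trust X-Real-IP are assumptions you should adapt to your own proxy setup and spam samples.

```python
"""Triage ModSecurity-style entries for Contact Form 7 extortion spam (added example)."""
import re
from collections import Counter

# Public form-submission endpoint of Contact Form 7; the form id is in the path.
CF7_FEEDBACK = re.compile(r"^/wp-json/contact-form-7/v1/contact-forms/(\d+)/feedback/?$")
# First line of an entry: "[timestamp] client-ip METHOD /uri HTTP/x.y"
REQUEST_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/")
# Phrases typical of the "we have hacked your website" template; one point each (assumed list).
EXTORTION_PATTERNS = [
    re.compile(r"\bhacked\b", re.I),
    re.compile(r"\b(database|data)\b.*\b(extract|leak|dump)", re.I),
    re.compile(r"\b\d+(\.\d+)?\s*BTC\b", re.I),
    re.compile(r"\$\s?\d{3,}"),
    re.compile(r"\b(bitcoin|ransom|pay(ment)?)\b", re.I),
]
FLAG_THRESHOLD = 2  # two or more indicators -> treat as extortion spam (assumed)

def parse_audit_log(text):
    """Parse blank-line separated entries laid out like the excerpt above into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = REQUEST_LINE.match(lines[0]) if lines else None
        if not m:
            continue  # not a request entry
        entry = {**m.groupdict(), "headers": {}, "fields": {}}
        target = entry["headers"]
        for line in lines[1:]:
            if line.startswith("HTTP/"):
                continue  # response status line, not needed for triage
            if line.rstrip(":").lower() == "form data":
                target = entry["fields"]  # remaining "key: value" pairs are form fields
                continue
            key, sep, value = line.partition(":")
            if sep:
                target[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def cf7_form_id(entry):
    """Form id if the request targets the CF7 feedback endpoint, else None."""
    m = CF7_FEEDBACK.match(entry["uri"])
    return int(m.group(1)) if m else None

def effective_ip(entry):
    # Assumption: X-Real-IP is set by our own reverse proxy. Without a trusted proxy a
    # client can forge it, and the TCP peer address (entry["ip"]) is the only reliable value.
    return entry["headers"].get("X-Real-IP", entry["ip"])

def extortion_score(message):
    """Number of extortion indicators present in a message body."""
    return sum(1 for pat in EXTORTION_PATTERNS if pat.search(message))

def triage(log_text):
    """Return (flagged submissions as (ts, ip, form_id, score), hit count per effective IP)."""
    flagged, per_ip = [], Counter()
    for entry in parse_audit_log(log_text):
        form_id = cf7_form_id(entry)
        if entry["method"] != "POST" or form_id is None:
            continue  # only CF7 form submissions are of interest
        score = extortion_score(entry["fields"].get("_message", ""))
        if score >= FLAG_THRESHOLD:
            ip = effective_ip(entry)
            flagged.append((entry["ts"], ip, form_id, score))
            per_ip[ip] += 1
    return flagged, per_ip

# Constructed sample entries (RFC 5737 addresses, invented names and text), not real log data.
SAMPLE_LOG = """
[24/Apr/2023:08:45:06.691850 +0200] 203.0.113.7 POST /wp-json/contact-form-7/v1/contact-forms/54/feedback HTTP/1.0
Host: www.example.com
X-Real-IP: 198.51.100.9
Form Data:
_name: Jane Roe
_message: We have hacked your website and copied your database. Pay 0.11 BTC ($3000) or we leak it.
HTTP/1.1 200 OK

[24/Apr/2023:09:12:40.000000 +0200] 192.0.2.10 POST /wp-json/contact-form-7/v1/contact-forms/54/feedback HTTP/1.1
Form Data:
_name: Real Customer
_message: Hello, I would like a quote for 20 units. Thanks!
HTTP/1.1 200 OK

[25/Apr/2023:02:05:17.000000 +0200] 203.0.113.8 POST /wp-json/contact-form-7/v1/contact-forms/54/feedback HTTP/1.0
X-Real-IP: 198.51.100.9
Form Data:
_message: Your site was hacked, your data will be leaked to your customers unless you send 0.2 BTC.
HTTP/1.1 200 OK
"""

if __name__ == "__main__":
    hits, by_ip = triage(SAMPLE_LOG)
    for ts, ip, form_id, score in hits:
        print(f"{ts}  ip={ip}  form={form_id}  score={score}")
    print("per IP:", dict(by_ip))
```

Run it against a real export by reading the file into triage(). The per-IP counter is what you feed into a firewall or rate-limit rule; the form id tells you which contact form needs the CAPTCHA. Two entries in the sample come from different TCP peers but the same X-Real-IP, which is why the script groups by the proxy-supplied address when it is present.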
The request above is an ordinary submission to the plugin's public form-submission endpoint, which any visitor can reach without credentials; the "hack" exists only in the text of the message, and the log shows no access to the site beyond the form itself. The Host header identifies the affected site and the form id in the path (54 here) identifies which contact form was abused and therefore needs protecting.