I was checking updates in my email this afternoon when I opened the following email. It’s a typical “Please moderate…” request that WordPress generates if you have enabled that function. It’s one that I typically enable. But today I noted that this was a possible attack vector, and a danger for bloggers everywhere…

What happened?

I decided after receiving so many of these wretched emails in my mailbox, that I would visit the URL to see what would happen. Boy! Did I get a surprise. After clicking on the link, the URL resolved then redirected to a porn site, which then tried to load a whole bunch of images on a page that I hadn’t entered. Then in a few seconds, it froze my browser and I tried to manually recover the browser, but the whole system froze. So I exited the system by hitting the power button, and rebooting. Usually this approach is a little extreme, but I had no other choice. By that time, the system was emitting a beep sound.

On reboot, I ran several scans of my pc through anti-virus and anti-hacking tools to check that the PC hadn’t been compromised. I will likely have to monitor the PC for several days to make sure that it hasn’t got recurring problems; and I’ll likely run other checks to make sure nothing was inserted into my computer. But really, if I hadn’t learned before, I am completely shocked that I exposed myself to a whole new attack vector.

How would an attack work?

Quite simply: the virus writer would upload a virus or malware (or whatever) to their server; set up a website that allows the malware to be downloaded on a vulnerable PC; create anonymous looking links in such emails or even better misdirecting links from other sites they own; and spam the links across hundreds or thousands of blogs.

So…

1. Create the program or virus – malware.exe;
2. Upload that to the site where it is hosted and hidden in a webpage;
3. (Create redirecting links on a more ‘neutral’ site: http://georgiesoros.co.uk/temp/page… that redirect to the page with malware);
4. Spam the redirecting links in emails, newsgroups, comments, logs, and wherever else they can get them;
5. Then wait for unwitting victims (like myself) to hit a link and get caught in the trap.

For the blogger, it’s a double whammy!

WordPress will either publish or queue the spam if it isn’t caught; if it is queued, notification emails are posted to blog owners causing them to open the email and possibly click or download the virus on their PC. If it isn’t emailed or published, it will sit in the comments section, and await the unwary blog owner clicking on the links there.

Once clicked, the page or browser will take over your PC with whatever needs to be loaded, and boom! Your pc is compromised.

Stop the spam, blogger! Stop the spam!

It’s always nice to know when you receive a comment, but you may need to take steps to protect yourself:

1. For older posts, use the Comments Plugin and close comments on really old posts. Just close them.You won’t regret it. Ever since I closed the comments on my old blog, I have had a much more peaceful life. More active blogs turn off comments and trackbacks after 1 month. You can automate this process, too. It’s called “Extended Comment Options“.

2. To avoid the double whammy, turn off the notification features when it says “Email me whenever…”. Just simply turn it off. That way, you won’t know that you got a comment, but you can live without that. If you check your blog most days, then this shouldn’t be a big deal; just remember to check your comments.

3. Consider using an anti-spam plugin to prevent such spam. I had been using Spam Karma II to prevent such spam. It worked pretty well but I tweaked my settings a lot, and it helped. Spam was really reduced that way; but I did lose one or two legitimate comments which were never recovered. Development on SKII seems to have faltered for the moment, but do check it out. I stopped using it when I switched to WPMU, and noted that I dealt with less spam anyway. I’m still not sure why spam dropped.

4. Keep your system uptodate as well as your AV and spyware software, too. Be prepared to run several such programs if you suspect you’ve been compromised, and do use some of the online systems as well. I’ve been known to run three AV programs at times when I suspect I’ve been hit, including TrendMicro’s HouseCall.

5. And don’t use older browsers, esp. if you are still using IE6.0, and you haven’t patched your system. Some of the exploits are well known now. Download a modern browser and use that instead.

So, take care with those comments, comment spam and trackbacks, they can lead the new blogger, and even more experienced blogger, into the dangerous world of ID theft, PC repairshops, and heightened Tech-related frustration!