Yesterday, I got an email from a client, forwarding an email from an HMRC representative (for the sake of narrative, let’s call the person ‘HMRC guy’). It makes for a pretty shocking read.

Note that throughout I’ve skipped a couple of minor emails between our client and I and removed some inconsequential text saying ‘I’ve forwarded their response below’, etc. But apart from redactions for the sake of privacy, I haven’t changed the contents.

Forwarded email from HMRC guy - title: 'Wordpress site: www.(redacted).co.uk'

I represent HM Revenue & Customs where one of my areas is in counter-fraudulent Email.

Your site has been compromised and is hosting assets being used as part of a phishing campaign against people. The specific assets are:

http://www.[redacted].co.uk/wp-content/uploads/(redacted)/(redacted)/HMRC.jpg

Please could you REPLACE the current image with the image attached. This is preferable to simply deleting the current image as it means any person who receives opens these messages and selects to display images will be clearly advised that the message is fraudulent. Simply deleting the current image will not provide them this advice and so replacing the image with the attached replacement is specifically requested.

You will probably need to upgrade your version of WordPress to prevent it being compromised in this way again.

Best wishes…/(redacted)

(redacted)
Senior Security Architect (Cyber Security & Infrastructure)
Chief Digital and Information Office
Abbey House, Whitechapel Way, Telford. TF2 9RG
(contact details redacted)

Let’s forget about the lower case ‘p’ in WordPress for now.

Here at Pragmatic, we take WordPress security seriously, so I personally dropped what I was doing to investigate and ran through a series of checks:

  1. Is the site still on our hosting? Yes (we use WP Engine hosting so this is a key consideration)
  2. Have we ever had any security concerns about this site previously? No
  3. Is everything pretty much up to date? Yes
  4. Are there any suspicious files in the usual places of the WP file structure? No
  5. In Media Library is the image attached to a post? Yes
  6. In the file structure, are there multiple, processed versions of the image file that means it looks like it was uploaded through the CMS? Yes
  7. Is the ‘file modified’ date of that file incongruent with other files in the (month-specific) folder on the file system? No

HMRC guy was right, and wrong. The site was hosting assets that were being used as part of a phishing campaign (or at least there’s no reason to doubt that this was the case), but I felt he was wrong and irresponsible in saying that the site was compromised.

This is what I sent back – it’s brief because I wanted to give the client a quick update.

Our response

OK so:

  • I’ve replaced the logo for them.
  • Your WP site (to the best of my judgement) isn’t compromised. The attackers simply found a logo that had been uploaded to your site (this article: (redacted link to a WordPress post that talked about HMRC and had an alternative HMRC logo currently displayed)) and used that. There are hundreds of results here: https://www.google.co.uk/search – you just got unlucky.

Hope that’s sufficient as a response/let me know if you want more. I’ll log (redacted) of billable support time on this unless you let me know otherwise.

Brief, but hopefully re-assuring. I certainly didn’t expect what came next:

HMRC guy's response - forwarded by client.

Many thanks for this (client contact’s name – redacted).

Re your suppliers response[footnote]That’s us that HMRC guy is talking about[/footnote], no, it demonstrates a complete lack of understanding! The article (client’s name – redacted) article they point to is not using the logo that was in use and I don’t quite see what their point is about a Google search for the HMRC logo – it’s utterly irrelevant. So it’s a simple question to them:

If our version of WordPress is not vulnerable to a file upload vulnerability, please explain how this HMRC logo came to be hosted on our service making us vulnerable to its misuse?

Now of course if you know you were meaning to host this logo then that’s one thing, but I doubt you were, and so how then did it get there? The answer is; it was almost certainly uploaded via a WP vulnerability. I’m afraid WP is notorious for this type of weakness. Indeed looking at the Google search they provide I can see an example of the logo you were hosting. And it’s URL…

http://(a different site’s domain – redacted).co.uk/wp-content/uploads/(redacted)/(redacted)/hmrc-logo.png

Note the path…wp-content/uploads – the same path that ‘your’ copy of the logo was under. Guess what…they too have been ‘hit’ in the same way you were. I’m afraid you didn’t ‘get unlucky’, someone put this logo on your site for a purpose and if it wasn’t you – which would be my guess – then you have to wonder who it was.

I’d need to know which version of WP you’re on, but you might take a look at the list of current WP vulnerabilities. For instance (and noting your site looks like it was built in 2013)[footnote]I replaced the actual table with an image[/footnote]:

I’m afraid most media companies have little idea of how their favourite tools are regularly subject to compromise and fail to keep up to date with revisions. I’d suspect this is your issue…I note they say “to the best of their judgement” you’re not vulnerable. Well it’s simple really; Have they updated you to the most current recommended release? (4.1.1 released 18-Feb-15 by the way) My guess is you are on 3.5 or 3.5.1 based on a 20313 site refresh (guessed form inspection of WordPress versions documentation).

Drupal (an alternative content management system) tend to be more explicit about versions to use (and not use).

You might like to point them to http://codex.wordpress.org/Hardening_WordPress#Vulnerabilities_in_WordPress and the advice:

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.

So really they shouldn’t “to the best of their knowledge” think you’re not vulnerable, they should know that you *are* on an up to date version…but my guess is you’re on whatever version they built the site on…

Good luck…/(redacted)

If our version of WordPress is not vulnerable to a file upload vulnerability, please explain how this HMRC logo came to be hosted on our service making us vulnerable to its misuse?

Well. I had to read that a few times. Was this really from HMRC? From a Senior Security Architect? Obviously I had to respond in detail here. Partly to reassure our client, partly out a desire to try to educate HMRC guy, and partly out of the sheer indignity of it all.

HMRC guy’s original message in italic, our response in bold.

Our response to HMRC guy, via client

Wow. Comments below if you want!

Whilst I’m sure (HMRC guy’s name – redacted)’s intentions are good, his facts are wrong, his diagnosis incorrect and his advice is at best misinformed, at worst misleading and incorrect.

I hope this is all reassuring and would be happy to explain/discuss further.

—- Forwarded email in chain —-

Many thanks for this (client contact’s name – redacted).

Re your suppliers response, no, it demonstrates a complete lack of understanding! The article (client’s name – redacted) article they point to is not using the logo that was in use and I don’t quite see what their point is about a Google search for the HMRC logo – it’s utterly irrelevant. So it’s a simple question to them:

It’s not irrelevant.

I can find HMRC logos on any one of a number of sites – e.g. https://www.google.co.uk/search

I can then find one of those images, e.g. http://www.greatergrassmarket.co.uk/files/large/1d7762586980be0

And use it wherever I like, e.g. https://pragmatic.agency/test-2/ (that image is not hosted on our server, it’s ‘hot-linked’ from the original hosting – this is exactly what happened with the original issue this morning).[footnote] I subsequently added a hot-linked image from the HMRC website to that test post, just for lulz[/footnote]

It’s worrying that (HMRC guy’s name – redacted) doesn’t understand how this all works if he’s giving advice out.

 

If our version of WordPress is not vulnerable to a file upload vulnerability, please explain how this HMRC logo came to be hosted on our service making us vulnerable to its misuse?

“Because an authorised user uploaded it to the WordPress CMS intentionally”

 

Now of course if you know you were meaning to host this logo then that’s one thing, but I doubt you were

Why is that doubtful? There’s a logo on that post and it seems entirely likely that someone would have uploaded a previous version and then swapped it for the current, sexier one.

 

, and so how then did it get there? The answer is; it was almost certainly uploaded via a WP vulnerability. I’m afraid WP is notorious for this type of weakness.

Poorly maintained WordPress, yes.

 

Indeed looking at the Google search they provide I can see an example of the logo you were hosting. And it’s URL…

It was uploaded through the CMS. The logo on that post is now different, but our diagnosis is that the logo was uploaded through the CMS but then later a different version was used – for whatever reason. I can tell that through file modified dates and the fact that different image sizes were produced and the media item was ‘attached’ to that post, neither of which are usually the case with file upload vulnerabilities.

 

http://(a different site’s domain – redacted).co.uk/wp-content/uploads/2013/08/hmrc-logo.png

Note the path…wp-content/uploads – the same path that ‘your’ copy of the logo was under.

That’s the default WordPress media uploads directory/file structure and doesn’t prove a thing.

 

Guess what…they too have been ‘hit’ in the same way you were.

Massive speculation.

 

I’m afraid you didn’t ‘get unlucky’, someone put this logo on your site for a purpose and if it wasn’t you – which would be my guess – then you have to wonder who it was.

It was a (client’s name) authorised user, I’m pretty certain.

 

I’d need to know which version of WP you’re on, but you might take a look at the list of current WP vulnerabilities. For instance (and noting your site looks like it was built in 2013):

You’re on the latest version of WP (screenshot attached). You’re also on the WP Engine platform which has a vast array of security precautions in place.

2015-04-10_16-05-54

I’m afraid most media companies have little idea of how their favourite tools are regularly subject to compromise and fail to keep up to date with revisions. I’d suspect this is your issue…

You’d suspect wrongly, (HMRC guy’s name – redacted), in this case.

 

I note they say “to the best of their judgement” you’re not vulnerable. Well it’s simple really; Have they updated you to the most current recommended release? (4.1.1 released 18-Feb-15 by the way) 

Yes, we have.

 

My guess is you are on 3.5 or 3.5.1 based on a  20313 site refresh (guessed form inspection of WordPress versions documentation).

Wrong guess.

 

Drupal (an alternative content management system) tend to be more explicit about versions to use (and not use).

WordPress are also very explicit about versions to use and not use.

 

You might like to point them to http://codex.wordpress.org/Hardening_WordPress#Vulnerabilities_in_WordPress and the advice:

 

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.

Thanks. I wrote a post about this: https://pragmatic.agency/update-wordpress/

                                                                                                                          

So really they shouldn’t “to the best of their knowledge” think you’re not vulnerable, they should know that you *are* on an up to date version…but my guess is you’re on whatever version they built the site on…

We know that you are on an up to date version. That doesn’t mean that there’s not a plugin vulnerability now, or previously and that this isn’t a file upload vulnerability. But we’re undertaking every best practice security precaution we can and whilst we can’t be 100% sure that there isn’t a vulnerability somewhere, it’s a very diminishing possibility: hence ‘to the best of our knowledge’.

I know this HMRC guy must be sick of dealing with phishing emails powered by botnets running hacked crappy servers using images hot-linked from who-knows-where, but I just don’t think it’s acceptable for him to come back with the email he did. It was even if well-intentioned, ultimately wrong and riddled with panic-mongering misconceptions about the WordPress platform and the way that websites work full stop – the image I use as a hot-linked example isn’t hosted on a WordPress site. Any image on any website can be used for hotlinking, unless specific instructions by the web server prevent this. Often people want legitimately for images on their site to be hot-linked, for use in emails or display in search engines. It doesn’t represent a security threat in and of itself.

My advice to HMRC is to have a standard ‘Your WordPress site may have been compromised’ advice page, written and maintained by WordPress security experts that also explains how their site can be used in this way without having been compromised, and how to go about diagnosing and fixing compromised WordPress sites, and not to engage in site-specific security recommendations.

I’d have thought these guys would have enough to do, like say tackling the ~£20bn of annual tax evasion in the UK, but I wouldn’t want to tell them how to do their job 😉

Image credit

Image used and modified (not hot-linked) courtesy of Images Money on Flickr