April 15, 2013
Campaign Targeting Those With 'admin' Username
A network of more than 90,000 IP addresses is responsible for an ongoing “brute force” attack against sites and blogs using WordPress’s default username ‘admin’. Some Joomla users have also been hit. The campaign first came to light late last week and picked up steam over the weekend.
Online security firm Sucuri is reporting a significant rise in the number of such attacks.
The company’s data showed an average of 30,000 to 40,000 blocked attacks per day from last December through March. In April, hacking attempts spiked to more than 77,000 per day and reached more than 100,000 in the past few days.
According to Sophos security expert Paul Ducklin the online assault is known as a dictionary attack, a method in which the hacker tries the most common usernames and passwords in quick succession to breach accounts.
“The idea is simple: automate the password guessing, speed up the attack, and don’t spend too long on any individual site,” Ducklin wrote on the Sophos blog. “Look for the low-hanging fruit, and harvest it as quickly as you can; if you can’t get in within a few hundred or thousand attempts, move on to the next potential victim. It’s doorknob rattling, but on an industrial and international scale.”
Sucuri CTO Daniel Cid posted a list of the top user names being attempted: admin, test, administrator, Admin and root. The username admin is by far the most popular attempt, he added. In fact, it is tried 60 times more often than any of the other common user names.
“In these cases, by the sheer fact of having a non-admin / administrator / root username you are automatically out of the running,” Cid said.
The most common passwords being attempted are: admin, 123456, 12345, !@#%^, 123321, qwerty, 12345678, 1234, 123123, password, 666666, 121212 and pass.
“If you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress,” Mullenweg wrote in a blog post. “Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem.”
Password-guessing attacks such as these are common, Ducklin said.
In this case, the attack volume “has been sufficient to attract global attention, which is a good thing, but it’s currently thought to be only about three times the usual level,” he said.
“In other words, even when ‘normal service’ is resumed, we’ll all still be firmly in the sights of the cybercriminals, so take this as a spur to action.”
Online security provider CloudFlare is warning that attacks such as this could spell trouble in the future.
CloudFlare CEO and co-founder Matthew Prince said the attacker is using “a relatively weak botnet of home PCs” to construct a significantly larger botnet “of beefy servers in preparation for a future attack.”
“These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” he wrote in a blog post. “This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the fall of 2012, was behind the large attacks on U.S. financial institutions.”