Archive for the ‘Security’ Category

WordPress blogs being attacked!

A large number of WordPress users are noticing that they cannot log into their blogs this weekend. Or, if they can log in, their site has an iframe that points to a malware site (networkads.net/grep). Original posts on the story pointed to blogs hosted by Network Solutions. NetSol, however, claims it is not just them, and that other hosts are being infected as well. They mention a “rogue plugin,” but they will not say which one it is, and so far the only complaints have been from NetSol blogs. Another early “fact” claimed by many was that this attack was only hitting 2.92 users, but comments indicate other versions have been hit as well.

Sucuri Security has a fantastic write-up of the attack, details and the fix, which will likely scare those unfamiliar with PHPMyAdmin. According to Sucuri:

“What is interesting about this attack is that it does not create or modify any files, so the average security advice does not apply here. The only thing it does is to modify your “siteurl” inside the “wp-option” table to point to http://networkads.net/grep/, breaking the site layout completely.”

If you find yourself infected, and are confused by the directions, do yourself a favor: ask a geeky friend to do this for you. It’s not beginner stuff.

TIP: One thing you can do immediately, without accessing your wp-options table, is to turn off, then simply remove, the xmlrpc.php file from your WordPress install. It’s always at the top level (root) of your WordPress install.
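
The change Sucuri describes lives only in the database, so file scans miss it and a check has to read the options table itself. The following is an added example, not code from the original post or from Sucuri: it compares the host stored in `siteurl` (and in `home`, an addition made here) with the hostname the blog is supposed to have. The SQLite in-memory table, the hostname blog.example.com and the function names are assumptions standing in for a real WordPress MySQL database.

```python
import sqlite3
from urllib.parse import urlparse

# Options that hold the blog's own address. The page names only "siteurl";
# checking "home" as well is an addition made for this example.
URL_OPTIONS = ("siteurl", "home")


def audit_site_urls(conn, expected_host, table="wp_options"):
    """Return (option_name, option_value) pairs whose host is not expected_host."""
    # A table name cannot be a bound parameter; it is a fixed default here,
    # never user input.
    query = (
        f"SELECT option_name, option_value FROM {table} "
        "WHERE option_name IN (?, ?)"
    )
    findings = []
    for name, value in conn.execute(query, URL_OPTIONS):
        # A value with no scheme or no host parses to None and is flagged too.
        host = (urlparse(value).hostname or "").lower()
        if host != expected_host.lower():
            findings.append((name, value))
    return findings


def build_sample_db(siteurl):
    """Constructed stand-in for the WordPress database (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_options VALUES (?, ?)",
        [
            ("siteurl", siteurl),
            ("home", "http://blog.example.com"),
            ("blogname", "Constructed Example Blog"),
        ],
    )
    return conn


if __name__ == "__main__":
    clean = build_sample_db("http://blog.example.com")
    tampered = build_sample_db("http://networkads.net/grep/")
    print("clean:", audit_site_urls(clean, "blog.example.com"))
    print("tampered:", audit_site_urls(tampered, "blog.example.com"))
```

Run on a schedule against a read-only database account, a non-empty result is the signal to restore the stored value and rotate the database credentials.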

Has your blog been hit by this attack? How did you fix it?

Update Internet Explorer ASAP!

Please and thank you? Microsoft has had some serious security issues over the years, but recently there have been several problems so severe that they’ve had to release a fix outside of their normal schedule. This is a pretty radical step, since this causes companies (not to mention the rest of us) to spend time and resources that we hadn’t planned for. Today, Microsoft released another out-of-cycle patch for Internet Explorer. There have been a growing number of attacks that are exploiting this vulnerability. I would recommend that you update with this patch as soon as possible so you can get back to Dave’s great series on scam spotting.

500 Worst Passwords.

Sadly, so true…

 

Email phishing scam targeted USAA

Esteemed military bank USAA was recently targeted by an email phishing scam. Thankfully, USAA has an incredible security team, who discovered it and warned their members before anything happened. Details of the email can be found on their site.

Password Reset Email from Facebook

And it’s spreading fast! The email is short, cheesy and semi-Engrish, but nonetheless contains a password stealer that is instantly activated once you open it. The password stealer may grab more than just your Facebook credentials, so please do not open this email. The email itself has the following elements:

From: help@facebook.com
Subject: Facebook Password Reset Confirmation Customer Support
Email Body: Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook

You can tell from reading the email that the grammar is atrocious, the subject line is overly long and somewhat contradictory (you wouldn’t confirm something the user hasn’t done yet), and customer support would not be in charge of an email server operation. The opening, “Dear user of facebook,” is clearly not how Facebook would address you. It would have your name, and if they did reference themselves, they would certainly capitalize Facebook. And ending with “Your Facebook?” Please.

More details on All Facebook.
