Fake WordPress SSL Certificate Expiration Emails


TLDR: A deceptive email masquerades as a WordPress core notification about an expiring certificate, with the intent of stealing WordPress credentials.

As website security becomes harder to penetrate with more mature software and defensive technologies, potential intruders increasingly rely on social engineering to simply steal credentials outright.

WordPress is an especially attractive target given its position as the most commonly used content management system on the Internet and its lack of built-in security features such as native two-factor authentication.

In the past year, phishing attempts designed to masquerade as “helpful” WordPress core warnings have popped up. These seem to have some traction given that:

  • More websites than ever make use of HTTPS to protect visitor activity.
  • Website managers are increasingly aware of the importance of SSL certificates but may not understand who is actually issuing and renewing their SSL certificate.
  • A message sent to an email address exposed on a website, or even to an address associated with a domain name registration, has a good chance of being opened: the recipient might be connected with the website in a valuable way that would cause them to forward it, or they might be an unsuspecting user with a WordPress administrative role.

How it Works
The phisher takes several steps to build credibility, capitalizing on the fear of missing a critical certificate renewal, and then makes the pitch: fix it for free by logging in through the handy WordPress link included at the bottom.

Getting Your Attention
The message starts out quite simply: your website could go offline or become insecure because your certificate is expiring. This takes advantage of an overall lack of awareness of how to check a certificate’s expiration date and encryption, and of how and by whom it is renewed.

I’ll Tell You About Your Problem – But I’ll Be Super Helpful and Provide You a Quick Solution
Now the message has the recipient’s attention. Nobody likes a problem better than one that has a quick solution (click here to log in and renew it), and better yet, it’s at no charge to you, so the barrier that would normally go up (“don’t we pay someone or some service for this already?”) just evaporates.

Who Am I? Who Are You?
The message, albeit with some questionable grammar and capitalization, is especially interesting in that it does not pretend to have been generated by a third party but rather positions itself as if it were your own WordPress install sending a friendly WordPress notification. Furthermore, to add the illusion of credibility, the messages include domain registry information such as the domain name itself (so that the messaging is more personalized) along with one of the domain name’s current name servers. Now that the message has your attention, it throws out some additional technical detail, regardless of accuracy, such as encryption ciphers and strengths. Overwhelming the recipient with jargon is another method to build on the story.

What You Can Do
Check with your developer, hosting company, or IT provider about how and when your SSL certificate renews. Do not just be wary of unsolicited messages prompting you to log in or click on a link; train others to do so. For our St Louis web design customers, our team handles SSL renewals transparently: certificates are renewed on behalf of our customers, enabling them to focus on more important needs.

Here is an example of the message in action:

Your E-Commerce needs to update the SSL/TLS Certificate

Dear WordPress customer,

your SSL Certificate uses SHA-256 encryption which will become deprecated by most web-browsers in the next few months. To keep your e-commerce secure and without further instabilities, update your certificate.

The scheduled update maintenance is planned to January 1st 2021 at 00:00 (UTC)

After this date, if your website still using the same certificate it will be considered insecure by most verification systems.

This update is free of cost and should be submitted by the domain administrator. We ask you to verify the domain settings below and submit the update soon as possible.

Domain Address: janedoe.com
NS Server: ns1.yournameserver.com
SSL Certificate Data: Version V3
Sign Algorithm: SHA256RSA

Please, start the update by logging to your WordPress Administration Area.
(linked to your website’s default WordPress admin URL).
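One way to check a suspect "WordPress" notice for the discrepancies described above, run here over a constructed copy of the sample message. This is an added example, not code from the original article; the message headers, the link target (example.net), the function names and the finding labels are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the wording is abridged from the message quoted above; the
# headers, HTML markup and link target (example.net) are assumptions.
SAMPLE = """\
From: WordPress <wordpress@mailer.example.net>
Subject: Your E-Commerce needs to update the SSL/TLS Certificate
Content-Type: text/html; charset=utf-8

<p>your SSL Certificate uses SHA-256 encryption which will become deprecated
by most web-browsers in the next few months.</p>
<p>This update is free of cost. Domain Address: janedoe.com</p>
<p>Please, start the update by logging to your
<a href="https://login.example.net/wp-login.php">WordPress Administration Area</a>.</p>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LOGIN_RE = re.compile(r"\blog(ging)?\s?(in)?\s?to\b", re.I)

def on_site(host, site):
    """True when host is the site's own domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == site or host.endswith("." + site)

def triage(raw, site):
    """Return findings for a mail posing as a WordPress notice for `site`."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    found = []
    # WordPress core mail defaults to wordpress@<site host>. From is forgeable, so a
    # match proves nothing, but a mismatch contradicts the "your own install" framing.
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if not on_site(sender_domain, site):
        found.append("sender-off-site")
    # Any URL (href or plain text) that leaves the site the notice claims to come from.
    if any(not on_site(urlparse(u).hostname, site) for u in URL_RE.findall(body)):
        found.append("link-off-site")
    # SHA-256 is the current standard certificate signature hash, not a deprecated one.
    if re.search(r"SHA-?256\b.{0,80}?\bdeprecated", body, re.I | re.S):
        found.append("false-sha256-deprecation-claim")
    # WordPress core does not issue or renew certificates, so a login request is a lure.
    if re.search(r"\b(SSL|TLS)\b", body, re.I) and LOGIN_RE.search(body):
        found.append("certificate-login-lure")
    return found
```

Run `triage()` on the raw source of a suspect message with the site's own domain as the second argument. An empty result does not clear a message, since the From header can be forged and a lure can be reworded.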

IQComputing on