Digital Constitution, a website devoted to how Microsoft is fighting government surveillance and working to protect online privacy in a digital world, was hacked to promote online casinos.
ZDNet, which captured a screenshot, reported that the "site appears to have been modified around 9:15pm ET on Wednesday." The attacker "injected text with keywords" like "online casino," "poker, "craps," "roulette," and "blackjack." Additionally, some new pages were "injected to show content that embeds content from other casino-related websites." Microsoft has since taken that down.
It's unknown how long ago the site was hacked to promote online gambling, and ZDNet said "it's not clear who was behind the attack."
However, since Microsoft's site was running an outdated version of WordPress, WordPress 4.0.5, The Stack said, "it seems likely that the site takeover was opportunistic work by the blackest of black-hat SEO crews simply using automated tools to scan thousands of websites for exploitable, non-updated CMS systems."
Microsoft originally launched Digital Constitution in August 2013. While the site is copyrighted by Microsoft, it also notes that web design and development was done by New Media Campaigns, a company that says it develops sites that are "easy to manage and update."
Microsoft had not published any new content on the site since April 2015. WordPress 4.2.2 was released on May 6, 2015; it was considered a "critical security release." Besides fixing 13 bugs, WordPress 4.2.2 addressed two cross-site scripting (XSS) vulnerabilities:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.
Additionally, the latest WordPress release "included hardening for a potential XSS vulnerability when using the visual editor."
It's not clear if other Microsoft websites were also infected, but Ars Technica noted, "It's not unusual for hack-by-numbers exploit kits to automatically inject malicious links into vulnerable pages that when viewed by vulnerable computers, perform drive-by download attacks." Microsoft had no comment other than "it's fixed."
Moral of the story? Site owners using WordPress should consider turning on automatic background updates. Yet it's not always as simple as that.
The Stack points out, in many cases sites running WordPress rely on "custom plugins and custom code created by developers for the company creating the site. A CMS update on any of the major platforms can, and very often does, break critical functionality provided by such third-party code." That means owners "are faced with significant re-development costs to recreate third-party functionality which WordPress updates were destined to break. Plugins and themes are in themselves suitable attack vectors for hackers, allowing exploits to occur even when an installation is up to date. But 'core' CMS vulnerabilities cannot be deferred or ignored."
Remember, though, these types of hacks are unfortunately very common and not nearly as big of a deal as some folks make them out to be...unless it gets users infected and then it truly is grrr. Mostly, this type of hack and defacements end up being embarrassing for a company, which is likely why Microsoft would not comment beyond "it's fixed."