Don’t Get Infected By Clipsa!

If you have a website that uses the WordPress platform (and you probably do if Nicely Done Sites built your site), you know that WordPress takes security seriously. In today’s day and age, the more secure your website (or anything else on the web) the better off you are, and a major threat to WordPress has now been found on the Internet: a piece of malware called Clipsa. What should you be looking for, and how can you protect yourself from it?

What Does Clipsa Do?

Clipsa is a piece of malware that attempts to brute force a WordPress site’s login credentials by guessing them. This method of attack is not unusual in itself, as it is common from botnets, but Clipsa is not a botnet.

If it is successful, Clipsa is then able to do several things, mostly focused on cryptocurrency. Clipsa scans the victim’s computer to locate any crypto wallets, and if it finds a wallet’s data file it hijacks the file and steals it. It also searches text files for Bitcoin mnemonic seed recovery phrases, which act like passwords for the wallets. Clipsa copies any such file and uploads the copy to an infected website, which is then used as a secondary C&C server (hosting download links for miners or holding stolen information), so the stolen wallet data can be cracked later at the attacker’s convenience.

Clipsa also has the ability to monitor a user’s clipboard. It looks for patterns that resemble a crypto address, records the address, replaces it on the clipboard with a different one and so steals the payment. Last, Clipsa is also able to install an open-source app that mines Monero currency on the victim’s computer.

Even if you do not have any cryptocurrency wallets on your computer, you can still face issues. The mining app uses a great deal of resources and can cause performance problems on your machine, so even if you aren’t into cryptocurrency you can be affected.

How Widespread Is This?

The malware was discovered by the cyber security firm Avast, who report that in a little over the past year they have blocked over 250,000 installations of it on unsuspecting users’ machines. It is believed that most computers are infected through the installation of codec packs for media players that are available for download on the Internet. It appears that most of the packs are being distributed through spam email campaigns.

India has been hit the hardest by Clipsa, along with Pakistan, Spain, Italy, Brazil and the Philippines. Avast estimates that the creators of the program have been able to make about 3 Bitcoin, or around $35 thousand, in the past year just by stealing addresses from infected users’ clipboards. They have probably made a lot more by stealing victims’ wallets, and these figures cover only Avast users. While Avast is the most widely used antivirus program, there are plenty of others available, like Norton and McAfee.

How Can I Protect Myself?

Since Clipsa is designed to brute force its way into a website, it relies on a user’s login credentials being as easy to guess as possible. That means a simple username, like say admin, and a simple password, like one that is less than 8 characters long. Unfortunately, a lot of people use credentials like that.

Remember, the more secure the password, the harder it is to brute force. A 16 character password that mixes numbers, upper and lower case letters and symbols can potentially take a lifetime to crack. There is a reason that we make our passwords as complex as we can at Nicely Done Sites, and it’s not to make you pull your hair out. If you are worried about having to remember those credentials, don’t forget to write them down and use a password manager to store them. The more complex the password, the tougher it is to crack, and newer security measures like Multi-Factor Authentication can make your website even safer.

There are also plugins available that limit the number of times a user can attempt to log in before they are locked out. By utilizing one of these plugins (we like the Limit Login Attempts plugin at Nicely Done Sites), a brute force threat can be stopped before it gets going.
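To show the mechanism such a plugin relies on, here is an added example (not the Limit Login Attempts plugin’s code or Nicely Done Sites’ own): a sliding-window login limiter run over constructed WordPress-style login events, where one source keeps guessing the admin password and is locked out, so that even a later correct guess is refused. The thresholds and IP addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILURES = 5          # failed attempts allowed inside the window (assumed)
WINDOW_SECONDS = 600      # sliding window of 10 minutes (assumed)
LOCKOUT_SECONDS = 1200    # how long a source stays locked, 20 minutes (assumed)

@dataclass
class LoginLimiter:
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login; return True if it triggers a lockout."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # age out old attempts
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    def attempt(self, ip, username, password_ok, now):
        """Outcome of one login attempt: 'locked', 'ok', 'fail' or 'lockout'."""
        if self.is_locked(ip, now):
            return "locked"        # rejected before the password is even checked
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        return "lockout" if self.record_failure(ip, now) else "fail"

# Constructed events: (ip, username, password_correct, timestamp in seconds).
# One source hammers 'admin'; a legitimate user mistypes once, then succeeds.
EVENTS = [("198.51.100.7", "admin", False, t) for t in range(0, 60, 10)] + \
         [("198.51.100.7", "admin", True, 70),    # right guess, already locked
          ("203.0.113.5", "editor", False, 80),
          ("203.0.113.5", "editor", True, 90)]

def run(events):
    lim = LoginLimiter()
    return [lim.attempt(ip, user, ok, t) for ip, user, ok, t in events]

if __name__ == "__main__":
    for ev, result in zip(EVENTS, run(EVENTS)):
        print(f"{ev[3]:>4}s {ev[0]:<14} {ev[1]:<7} -> {result}")
```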

By using more secure login credentials and by limiting the number of times a user can try to log in, you can prevent nearly every brute force attack that is sent your way, Clipsa included. Don’t forget to make sure that what you click on when you are on the Internet is on the up and up as well. That free deal that just popped into your inbox (especially if it is unsolicited!) may look awesome and answer all of your questions, but you may wind up paying dearly for it in the end. Let Clipsa be a warning to everyone.

Oh, and don’t forget to update your WordPress core. Version 5.2.3 was released earlier this month. Keeping your WordPress installation up to date closes vulnerabilities like these and keeps you safer!
