Website visitors are put at risk by webmasters who keep running an older version of a WordPress plugin that loads content from a domain which has since expired.
The security company Sucuri ran into the problem after noticing a website using the Flexytalk Widget WordPress plugin, which was renamed to FrescoChat Live Chat almost a year and a half ago.
When the owners of Flexytalk Widget decided to change its name to FrescoChat, they let the flexytalk.net and flexytalk.com domains expire and replaced them with a new domain – frescochat.com – starting in version 3.1.8 of the plugin.
The two expired domain names were soon picked up by two malicious domain resellers. While waiting for their “new” domains to be bought, both entities hijacked all HTTP requests sent to those two hosts.
The former owner of flexytalk.net and flexytalk.com had used them to load content inside the WordPress plugin, and two dormant links to those domains remained in every WordPress website still running the older versions of the plugin.
Moreover, the new owner of the flexytalk.net domain started using it to distribute pop-up ads. Some of the ads were browser-locking scareware that tried to trick victims into calling a tech support line.
The owner of the other expired domain, flexytalk.com, did much the same with the ad distribution but left out the scareware. Moreover, the older plugin versions, while still running, were programmed to collect the usernames and passwords of Flexytalk accounts and send them to the flexytalk.com domain.
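A site-side check for the stale embeds described above, added here as an illustration and not code from Sucuri or the plugin: it parses a page's HTML, collects the remote resources the browser would fetch, and flags any that point at the two expired domains the article names (the sample page and its widget paths are constructed).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the article reports as expired and taken over.
WATCHED_DOMAINS = {"flexytalk.net", "flexytalk.com"}


class RemoteResourceCollector(HTMLParser):
    """Collects src/href values of tags that make the browser fetch a remote resource."""
    RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.urls.append(value)


def host_of(url):
    """Lower-cased host of a URL; protocol-relative URLs (//host/...) are common in widget embeds."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def find_abandoned_references(html, watched=WATCHED_DOMAINS):
    """Return remote URLs in `html` whose host is, or is a subdomain of, a watched domain."""
    collector = RemoteResourceCollector()
    collector.feed(html)
    return [url for url in collector.urls
            if any(host_of(url) == d or host_of(url).endswith("." + d) for d in watched)]


# Constructed sample page: a stale Flexytalk embed beside a legitimate local script.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript" src="//widget.flexytalk.net/js/widget.js"></script>
<link rel="stylesheet" href="https://flexytalk.com/css/widget.css">
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for url in find_abandoned_references(SAMPLE_HTML):
        print("stale third-party reference:", url)
```

Run it against the rendered HTML of your own pages (or grep the plugin directory for the same hostnames) to confirm no request still leaves for the expired domains.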
At this point, it hasn’t been confirmed whether the new owner has access to these credentials. However, if he doesn’t yet, nothing would stop him from collecting them and abusing them to hijack the users’ current FrescoChat accounts, or any other account protected by the same username and password.
Sucuri noticed a similar case three weeks ago. The company discovered that an expired domain name used by a popular WordPress theme developer had been bought by a Chinese domain reseller. The new owner likewise used the domain to push ads to all websites using that theme.
More concerning, the two malicious domain resellers are not abusing only these two expired domains for their ad-pushing and scareware propagation. They have also acquired more than 100,000 expired domains, which they are probably leveraging the same way.
Sucuri’s researcher, Krasimir Konov, accused WordPress webmasters of forgetting to regularly update their products.
“Three versions with the new [FrescoChat] domain names have been released since then [16 months ago], but still some webmasters refused to update the plugin, which is really strange, because it’s a live chat widget and no one needs a live chat that doesn’t work (and it didn’t work since they changed their servers 16 months ago).”