The Russian security company Kaspersky Lab has been in the news a lot recently in regards to questions about its relationship with the Russian government, but what deserves to get some focus is how their news website, Threatpost, helps to spreads unfounded claims about security threats coming from others in the security industry.
Back in November over at the blog for our Plugin Vulnerabilities service we looked at a situation where the Threatpost had covered a claim by the security company Checkmarx that they had found “severe” vulnerabilities in several WordPress eCommerce plugins. At the time Checkmarx presented no evidence to back the claim up and stated that it would be “available in the future”. What they did present indicated that the vulnerabilities, if they existed, might be less than severe. In May we went to look to see if any additional information had ever been released, but we couldn’t find any update and we received no response from Checkmarx when we contacted them asking were we could find it.
Today we ran in to another example of the Threatpost spreading an unfounded claim about a security threat. This time it was with a threat resolving around placing the files for WordPress on a website and then not running the installer. The following line in the article stood out:
WordPress experts claim the attack method isn’t exactly new, but that it clearly hasn’t limited its effectiveness.
The article and the cited source for the article do not provide any measure of effectiveness of the attack. The only cited figure is rather underwhelming argument for even covering this, “biggest increase in scans – roughly 7,500 a day”. Considering that there are apparently at least 100s of millions of websites currently, that isn’t a significant number (it does look like attacks occur a lot more than though, but not more than many other threats that don’t receive any coverage).
We left the following comment on the post pointing to the lack of backing for the claim as to effectiveness of attack:
Your article implies the attack is effective, “WordPress experts claim the attack method isn’t exactly new, but that it clearly hasn’t limited its effectiveness.”, but you and Wordfence don’t present any evidence as to the effectiveness of these attacks. We have seen hackers do large scale attacks that had no chance of being successful because they didn’t understand what they trying to exploit, so 7,500 attempts in a day isn’t in any way an indication that this is effective.
Originally it was held for moderation:
But shortly after that it was removed. So they were clearly aware of the issue, but instead of addressing it they would rather not let people know that they are making unfounded claims.
It also worth noting that first part of the sentence “WordPress experts claim the attack method isn’t exactly new” isn’t all that accurate. It isn’t just a claim that the attack method isn’t new, it actually is factually true that it isn’t new. For example, the issue was brought up five and half years ago and we discussed it at the time.