‘Just For Men’ Hair Product Site Serves Trojan
Malware writers have penetrated the website of the men’s hair product brand Just For Men and are foisting a password-stealing trojan on visitors, Malwarebytes researcher Jerome Segura says. Jonathan Sander, VP of Product Strategy at Lieberman Software, commented below.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Many users of CMS systems like WordPress are on the platform to expend the absolute minimum of resources and time on their websites. Like Just for Men, they are companies where an online presence is necessary but likely not a huge matter for their top line. The risk calculation of what’s at stake doesn’t motivate them to be on top of the ever-shifting vulnerabilities and the evolving threat landscape that is today’s internet. Of course, the bad guys will target these low-hanging fruit and use them as springboards for malware distribution and other exploits. The pattern of companies failing to protect resources about which they don’t care much and bad guys getting to victims using them as a channel is likely here to stay.
Whenever a company on the WordPress or other CMS platform gets hit with a plugin or other exploit, the question arises about why WordPress didn’t do more to protect them. WordPress is in a tight spot here. Their problem is similar to Facebook’s or Twitter’s problem patrolling for hate speech. WordPress supplies a platform. If the people using that platform do it carelessly, what are they supposed to do? These careless users are their customers, and they can only push them so hard with warnings and advice. In the end, if the website operator sets up a bad site by abusing WordPress, then it’s on them and not the host.”