Tim Lince

Over 100,000 websites were hacked into and defaced in the past fortnight following the discovery of an undisclosed critical vulnerability in the WordPress content management system (CMS). Research suggests that recently hacked parties included dozens of law firms, including those specialising in IP law. A security expert tells World Trademark Review that this type of incident can cause significant reputational damage for firms – even potentially leading to the loss of clients.

The incident began following the release of the latest version of the popular website platform WordPress three weeks ago. At the time, website administrators were advised to update to version 4.7.2 “as a matter of urgency”, but specific details on why were not given. The following week, WordPress revealed that the update had fixed an “undisclosed critical vulnerability” and claimed that it didn’t make that information public previously to give administrators time to update before malicious hackers exploited it. However, news of the vulnerability spurred hackers to find the exploit in the previous version of the CMS, then target websites that had not updated to the latest – fixed – version.

As it turns out, a large number of websites had not updated to the new version – and thousands, reportedly over 100,000, were subsequently attacked. Reports suggest the exploit allows hackers to deface websites, with no data or sensitive information being accessed. The most common move by hackers was to scan for websites using the old version, then removing content from a random page on the site and replacing it with the text ‘Hacked by [name]’ – with common names used including w4l3XzY3, Cyb3r-Shia and Hawleri_hacker.

Of those hacked, many law firms were targeted. For the most part, the exploit affected smaller, boutique law firms as major law firms will rarely run with a WordPress back-end. Research by World Trademark Review discovered affected firms include Brent Rathgeber Law & Advocacy, PalettaLaw, BSA Ahmad Bin Hezeem & Associates LLP and Barre M. Sakol. Furthermore, International Investigators Incorporated, a US-based private investigation firm which offers services including IP due diligence checks, was also defaced – with the hacker even advising the website’s administrator to “please update your wordpress”.

The latest WordPress hack is not the first time that CMS exploits are breached by hackers – in fact, it appears to be a fairly common occurrence. Further research discovered apparent website defacement from hackers in recent weeks at other law firms. These include IP firm Taylor McCaffrey LLP, its website located at ‘TMLawyers.com’, which had a “Hacked by Imam” message prominent on its ‘Recent Articles’ sidebar last week (although the defaced blog has since been restored). UK firm Bircham Dyson Bell, which covers a wide array of practices including intellectual property, had a blog post replaced with offensive text late last month. The long-running ‘Practice of Law’ blog, written by Aaron Morris at Morris & Stone LLP, has also been targeted by a politically-active hacker group. Finally, the Law Offices of Lawrence Hersh, which has IP as a main area of practice, was similarly defaced last month, this time “by Master Hax”. One curiosity of the Lawrence Hersh breach is that the automated Google website crawler recorded the hack, so it appears at the top of a Google search for anyone seeking information on the firm.

While the latest series of hacks did not compromise sensitive data, there are reputational risks that can come from a hacking incident, particularly when clients – or potential clients – observe that a firm’s online presence has been impacted. As David Gibson, VP of strategy and market development at security firm Varonis, tells us, the appearance of being unsecure could be enough to scare off clients. “Having your website defaced isn’t going to make clients feel any better about your data security practices,” he explains. “We don’t need to look past the Panama Papers to remember what happens to client trust when their data is stolen. So everyone needs to be worried about security these days, including the small businesses running WordPress sites. Law firm clients will likely go elsewhere if their firm suffers a data breach or they feel their information is vulnerable, and a website defacement isn’t going to help anyone’s confidence.”

There are, then, a number of precautions that law firms can take to significantly reduce the risk of this type of incident taking place. “Knowing what systems are being used, and ensuring updates are applied efficiently is one element of keeping the infrastructure safe from harm,” Gibson adds. “But a multi-layered cyber security approach is needed; organisations need to focus on keeping the data they store protected – reducing unneeded access, and using security analytics to baseline system and file activity, and alert on unusual access patterns. In all, legal firms are learning that the level of service they provide in other areas can become irrelevant in an instant if they fail to preserve the security of their clients’ information.”

While this particular WordPress exploit may only have led to website defacements, without any serious breach of sensitive data, there are still lessons to be learned. A law firm/client relationship is based on trust, and impressions do matter. Even the erroneous suspicion that a firm’s IT security could be vulnerable could create concern on the part of clients. 

Comments

Please log in or register to leave a comment.

There are no comments on this article

Share this article