The sad truth about the recent, so-called ISIS hack on numerous North American websites, including one belonging to a Montana credit union, is that the targeted sites shared nothing in common except for a preventable vulnerability.
Police and the FBI are still investigating the web graffiti attacks in which invaders placed an ISIS flag banner on website home pages. There is no indication that the people launching the hacks had any real connection to ISIS. What links the affected sites, however, is their use of the WordPress content management platform.
No data breach took place, only "a simple injection of graphics onto the web page," Tom Dedman, CEO at the $101 million Southwest Montana Community Federal Credit Union in Anaconda, Mont., a target in the recent hack, said. "Someone from the FBI said this was really a low-scale attack, as embarrassing as it was."
The hackers exploited a known vulnerability in a WordPress plug-in with an available patch. "It just shows how easy it is for criminals," Jim Stickley, a cybersecurity expert and CEO of Stickley on Security, a security education firm in San Diego, said. "Basically all the criminal had to do was hunt around for websites that were using the FancyBox jQuery extension on WordPress."
WordPress is by far the most popular content management system with more than 23% of the world's websites built on it, according to W3Techs – World Wide Web Technology Surveys.
"WordPress is an Open Source platform that offers thousands of third-party plug-ins, causing it to be extremely vulnerable, with hundreds of thousands of web-based attacks executed every year," Nimrod Luria, co-founder and chief technology officer at cybersecurity firm Sentrix, said.
Luria explained that in 2014 a bug in MailPoet, a WordPress mail plug-in, resulted in 50,000 sites being hacked through the injection of a PHP backdoor Trojan. SoakSoak, one of the most publicized WordPress attacks in 2014, took advantage of a bug in a popular slider plug-in, and as a result, more than 100,000 sites were hacked. More recently, Slimstat, an analytics plug-in, exposed more than one million sites to vulnerability.
"The one thing we missed in this whole process that we weren't expecting or didn't even think about was updates to the software that drives the website," Dedman said.
That strikes at the core of web development, and one of the bigger gaps that might be out there in credit union land: Outsourcing the development work with the presumption that it is secure. "We have to take the additional step to verify that," Dedman added.
Stickley pointed out, "it can also be extremely difficult when many companies outsource web design and something like FancyBox can be used, and the company who owns the website might not even be aware it was added."