456 – WordPress vulnerabilities and the power of AI-powered malware detection

Interview with Thomas Raef and Nathan Wrigley.

On the podcast today we have Thomas J Raef.

WP Builds is brought to you by GoDaddy Pro.

The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.

Thomas has been working in the arena of website security since 2007, when he founded “We Watch Your Website.” With a deep-rooted background in programming, right back to the days when he was carrying punch cards around high school, Thomas has watched the world of website malware evolve and has been at the forefront, automating solutions to tackle it at scale. From early support partnerships with major hosting providers, Thomas has created a business built on expertise, a relentless focus on automation, and genuine curiosity about how hackers think.

This episode charts Thomas’s journey from the early days of malware blogging, troubleshooting infections for hosts, and steadily building an archive of over 300,000 distinct malware samples, which have now become the foundation for fine-tuning AI models. His data-driven approach has led to surprising insights, including a recent study, “A Case Study in Security Plugin Failure,” conducted in September 2025, that uncovers why security plugins sometimes fail to protect WordPress websites, even when multiple layers of defence are deployed.

We get into that study, with Thomas explaining how, in just one month, his company processed malware removal on over 111,000 websites, finding a significant fraction running popular security plugins. Despite these defences, infections persisted, with hackers often disabling specific plugins and exploiting admin credentials or authentication cookies, rather than vulnerabilities in outdated or nulled plugins. Thomas shows that the root cause of most breaches (81%) is device-level compromise, which shows the importance of cyber-hygiene and tools like two-factor authentication and passkeys.



You’ll learn why convenience often trumps security in website management (sometimes to disastrous effect), how attack traffic is distributed globally (with up to 74% in the US being malicious), and the scale of automation needed to monitor and analyse log files from millions of sites. Thomas takes us through the latest AI-powered hacking tactics, like social engineering at scale, deepfake voice attacks, polymorphic malware, and automated vulnerability discovery using machine learning, while revealing how defenders are fighting back by using their own AI and large language models, entropy analysis, and behavioural detection techniques.



We close the episode exploring the mathematical invariance (whatever that means!) that still gives security experts a fighting chance. No matter how hackers obfuscate their code, certain signatures and behaviours must remain to keep their malware functional, a principle that underpins Thomas’ optimism for the future.

If you manage WordPress websites, work in cybersecurity, or just want to understand the rapidly changing landscape where large-scale automation, AI, and creativity are transforming both attacks and defences, this episode is for you.

Mentioned in this podcast:

We Watch Your Website

16.29 Million Access Logs Analyzed: What We Learned About Global WordPress Attacks

Key Topics

1. Introduction and Company Background

  • The origin and naming of “We Watch Your Website”
    • Creative naming process
  • Initial experiences with website security and malware detection
  • Formation of connections in the industry (Bluehost, Sucuri)
  • Growth of the company through partnerships and referrals

2. Personal History in Programming

  • Early computing experiences (IBM punch cards, high school programming)
  • Nostalgia and anecdotes from early computer science
  • The impact of early exposure to tech on career trajectory

3. Scaling Malware Remediation

  • Automating analysis and remediation to cope with volume
  • Transitioning programming skills from manual to automated processes
  • Collecting and storing malware samples for future use

4. Evolution of Web Platforms and Threats

  • Handling various CMS platforms (WordPress, Joomla, Drupal, etc.)
  • Building a library of malware samples (over 300,000)
  • Discussion on the value of historical malware in modern AI-driven analysis

5. Case Study: Security Plugin Failure

  • Overview of a recent case study report
  • High-volume malware removal and automation
  • Insights about multiple plugins (Wordfence, MalCare, iThemes/Solid Security)
    • Observations about hackers preferentially deactivating iThemes/Solid Security

6. Mechanisms of Website Infections

  • Root causes: stolen admin credentials and hijacked authentication cookies
  • Common misconceptions: plugin vulnerability vs. credential compromise
  • Device-level threats (malicious browser extensions, lack of antivirus protection)
  • Real-world forensic tracing of breaches

7. Log Analysis and Tracking Infections

  • Real-time log streaming and forensic analysis
  • Importance of individualised logins and tracking user activities
  • Steps hackers take: uploading bogus plugins, invisible admin users
  • Recommendations (logging out, use of 2FA/passkeys)

8. Human Responses to Security Recommendations

  • Resistance to additional inconvenience (2FA, lockouts)
  • Balancing convenience vs. security

9. Global Attack Traffic Analysis

  • Infrastructure of log aggregation and scaling up detection
  • Striking statistics: percentage of malicious traffic by region (US, Europe, Asia-Pacific)
  • Implications for hosting location and website targeting
  • Automated reporting to VPS providers and the challenges therein

10. AI in WordPress Security: The New Arms Race

  • Hackers innovating with AI before defenders
  • Nature of cybercriminals (highly intelligent, organised)
  • Real-world anecdotes (DEF CON, Russian Business Network, motivations and rewards)

11. AI-Driven Attack Techniques

  • Social engineering at scale (AI-generated personalised phishing)
  • Workflow mimicry and business email compromise
  • Deepfake voice attacks and implications
  • Polymorphic malware: adaptive, signature-changing code
  • Automated vulnerability discovery with machine learning
  • Credential prediction and brute-force techniques using AI

12. Defenders’ Response: Fighting Back with AI

  • Development of fine-tuned LLMs using malware samples
  • Entropy analysis for obfuscation detection (mathematical analysis techniques)
  • Behavioral code analysis (detecting malicious actions, not just code appearance)
  • Reducing malware analysis from days/weeks to seconds/minutes

13. The Defender’s Advantage

  • Mathematical invariance: immutable properties hackers cannot obfuscate
  • Potential for AI-powered detection to catch advanced threats

14. The Future of AI in Security & Predictions

  • Speculations about the cat-and-mouse escalation in 2026 and beyond
  • Challenges for security companies to keep up with evolving threats
  • Strategies for ongoing improvement and resource allocation

15. Closing Remarks

  • Access to the report and additional resources on the We Watch Your Website blog
  • Final thoughts on the adversarial nature of security and optimism for progress
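The outline's sections 12 and 13 name two detection ideas without showing them: entropy analysis to spot obfuscated code, and the "invariant" that hidden PHP must still decode itself and hand the result to an executor before it can run. The block below is an added illustration of both, written for this page; it is not code from We Watch Your Website or from any plugin named above. The decoder and executor lists, the 32-character literal floor and the 4.0 bits/char threshold are assumed starter values, and both PHP samples are constructed for the example.

```python
"""Static triage of PHP files by string entropy and behavioural invariants.

Added example for the entropy-analysis and "mathematical invariance" topics
in the outline above; it is not code from We Watch Your Website.
"""
import base64
import math
import re
from collections import Counter

# Assumed starter lists, not anyone's production signature set. Whatever the
# obfuscation layer looks like, hidden PHP still has to be decoded and passed
# to something that executes it; those two calls are the invariant.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")
EXECUTORS = ("eval", "assert", "create_function")

MIN_LITERAL_LEN = 32   # shorter strings give noisy entropy estimates
HIGH_ENTROPY = 4.0     # bits/char; plain code and prose usually sit below this

_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)
_EXEC_DECODE = re.compile(
    r"\b(%s)\s*\(\s*(?:\w+\s*\(\s*)*\b(%s)\s*\("
    % ("|".join(EXECUTORS), "|".join(DECODERS))
)


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_literals(src: str) -> list[tuple[float, int]]:
    """(entropy, length) for each string literal long and dense enough to
    look like an encoded blob rather than a message or a path."""
    found = []
    for m in _LITERAL.finditer(src):
        body = m.group(2)
        if len(body) >= MIN_LITERAL_LEN:
            h = shannon_entropy(body)
            if h >= HIGH_ENTROPY:
                found.append((round(h, 3), len(body)))
    return found


def exec_decode_chains(src: str) -> list[tuple[str, str]]:
    """(executor, decoder) pairs where decoded data flows straight into
    dynamic code execution, e.g. eval(base64_decode(...))."""
    return [(m.group(1), m.group(2)) for m in _EXEC_DECODE.finditer(src)]


def triage(src: str) -> dict:
    """Combine both signals into a score and human-readable reasons."""
    reasons, score = [], 0
    for executor, decoder in exec_decode_chains(src):
        score += 3
        reasons.append(f"{decoder}() result passed to {executor}()")
    for h, length in high_entropy_literals(src):
        score += 1
        reasons.append(f"{length}-char literal with entropy {h} bits/char")
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


# Constructed samples. The "obfuscated" one wraps a harmless echo statement
# in base64 the way a hidden loader wraps whatever it really carries.
CLEAN_PHP = """<?php
function greet($name) {
    return "Hello, " . htmlspecialchars($name);
}
echo greet($_GET["name"] ?? "world");
"""

_PAYLOAD = base64.b64encode(b'echo "hello from the added example";').decode()
OBFUSCATED_PHP = f"""<?php
$x = "{_PAYLOAD}";
eval(base64_decode($x));
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_PHP), ("obfuscated", OBFUSCATED_PHP)):
        print(label, triage(src))
```

The two signals deliberately complement each other: a long high-entropy literal on its own is only a hint (minified JavaScript and embedded images look the same), while a decoder feeding an executor is a behaviour, not an appearance, so renaming variables or re-encoding the blob does not hide it.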


Transcript

These transcripts are created using software, so apologies if there are errors in them.


[00:00:20] Nathan Wrigley: Hello there and welcome once again to the WP Builds podcast. You've reached episode number 456, entitled WordPress vulnerabilities and the power of AI-powered malware detection. It was published on Thursday, the 12th of February, 2026. My name's Nathan Wrigley and I'll be joined by Thomas from We Watch Your Website to have that conversation in just a moment, but before then, a few bits of housekeeping.

The only thing I've really got to mention is that if you're enjoying WP Builds, and you want to help us out and keep the lights on over here we have sponsorship packages. I'd love to get into a conversation with you if you have a product or service in the WordPress space. Find out more by contacting me at [email protected], or head to our advertising page, wpbuilds.com/advertise, and we could get your messages out in front of a WordPress specific audience, which is exactly what we have, and probably what you need.

Okay. What have we got for you today? Well, today I am joined by Thomas Raef from We Watch Your Website. He's been on the podcast before. He is a specialist in the WordPress security space, and today we are having a conversation, well, all about the things that he's been discovering in the recent past. He has a huge amount of data with the We Watch Your Website service, which he runs.

And so he goes through the bits and the pieces that he's learned over the year 2025, particularly in terms of how AI is really stepping up. We get into the weeds of an awful lot. What hackers are now doing. How you can best protect yourself. And where they are attacking most.

There's an awful lot in this episode, so get your propeller hat out, and your tinfoil hats as well. And I hope that you enjoy it.

I am joined on the podcast by Thomas Raef. Hello, Thomas.

[00:02:14] Thomas Raef: Hello, how are you?

[00:02:15] Nathan Wrigley: I'm good. I'm not the one having to deal with three o'clock in the morning waking up,

[00:02:22] Thomas Raef: only 5:00 AM

[00:02:23] Nathan Wrigley: oh, okay. Yeah. Well, I've got a gotta, express my gratitude. Thomas sent me a link not that long ago, and I double checked because it, was, reasonable time in the UK and I thought, he's in North America. This seems strange, but you're a, you're an early morning, you're an early riser and like to get on with the day.

So anyway,

[00:02:42] Thomas Raef: Yes, indeed.

[00:02:45] Nathan Wrigley: Thomas has been on the podcast a few times before and, it's always a conversation about security because Thomas has a company called, We Watch Your Website. I said that company name out loud to a family member the other day. And they, 'cause they often ask who's doing what, what interviews are you carrying out?

And I said, oh, I'm, interviewing a chap called Thomas from, We Watch Your Website and, all of the family members wait. Went, that's a great name. What a great name for a company. So you have my family's endorsement for your, company name, if that is anything to you. So tell us about yourself.

Tell us about your company. Tell us about the stats of, how many websites you deal with and what it is that you do.

[00:03:28] Thomas Raef: Okay. Yeah. I started, We Watch Your Website in, 2007. and back then I was, looking for a, a good. I dunno, catchy, company name and, as my dad used to say, well, you can't use Apple. It's already been used twice,

[00:03:51] Nathan Wrigley: It really has.

[00:03:52] Thomas Raef: once by Steve Jobs. So, so yeah, you, I, looked at all sorts of things.

I even registered a company name Buzoggle, B-U-Z-O-G-G-L-E,

[00:04:04] Nathan Wrigley: yeah. I'm glad you didn't go with that.

[00:04:06] Thomas Raef: yeah, and I all sorts of crazy. So anyway, I was like, somebody was like, well, what is it your service does? I'm like, well, we watch websites. And he's there you go. Like, all okay.

[00:04:19] Nathan Wrigley: Yeah. Yeah.

[00:04:21] Thomas Raef: So, but yeah, originally, we, I, was hosting with the Bluehost and, just because I, back then it was the default.

I, or GoDaddy and blogging every day and, About new infections that I was seeing. And matter of fact, I got started the same time that, David Cid did from, Sucuri. He's one of the co-founders of

[00:04:50] Nathan Wrigley: Oh, okay. Yeah. Yeah. Lot of

[00:04:52] Thomas Raef: belong to a group, Badware Busters and, we would help people, for free basically.

Anyway, so I was finding malware and blogging about it and one day I get a call from a guy, he says he's very technical and his boss's site just got hit by this infection. I wrote about the day before. Can I tell him about it?

[00:05:12] Nathan Wrigley: Oh, that was a good blog post, wasn't it? You got actual traction the very next day. That's ideal.

[00:05:18] Thomas Raef: I mean we, we talked for an hour and a half. 'cause he really knew his stuff. And so, he goes, well, great, thanks. And next day I get, a day after that, I get a call back from him and he's Hey, the information you gave me was spot on. Thank you so much. He goes, I see you host with us. I.

Who are you? He's, he says, I'm Alex Lundquist. I'm a level three tech here at Bluehost. My boss is Matt Heaton, the owner of Bluehost. How would you like it if we started sending you business?

[00:05:50] Nathan Wrigley: That is the best blog post you've ever written. That's so good. That's like unicorns and rainbows. Yeah, no, please don't send me loads of

[00:06:00] Thomas Raef: yeah, no, So like for a while there they were, they would tell their new tech support people, in terms of service people. Anybody calls in with malware issues, have 'em call, We Watch Your Website. And, so, everything, that, that got me going. And, obviously, we were handling tons and tons of stuff.

I would send them, they, were sending me so much business for a while. They had a, a big, Party there and I sent them 50 Chicago deep dish pizzas for their party.

[00:06:42] Nathan Wrigley: As a way of saying thank you.

[00:06:44] Thomas Raef: Yeah.

[00:06:45] Nathan Wrigley: Yeah.

[00:06:47] Thomas Raef: so anyway, then Matt Heaton sold out to Endurance International Group and Hari, I can't remember his last name, his brother started SiteLock and so they told all their tech support people, Hey, I, send everybody to SiteLock, anybody with, malware issues, send them to SiteLock.

Well, people didn't like SiteLock. I don't know, variety of reasons, but, so the tech support people kept. Sending people to me instead. And a couple of 'em were threatened. They're like, you're gonna be fired if you don't start sending people to SiteLock. So, so anyway, it we had a good jump at that point and, reached out to, others and it just kinda grew from there. So, but one of the

[00:07:47] Nathan Wrigley: story though, because so many stories are just full of. Can I, forgive me, but so, so full of kind of BS and, self aggrandizement. I love that story 'cause it's just full of so much interesting serendipity. Now, behind that story, the bit that you are not saying is obviously you must have been doing a stellar job.

You must have been, really credible and doing the work which was required, but also, just, like serendipity. Got in, there and, made it all possible. I love that story. I'm,

[00:08:19] Thomas Raef: Yeah. we were literally doing, they were literally sending us thousands of websites a day. So I had to, I'm a programmer from way back. as I told you before, I'm, old. You know what I used, I first started programming on IBM punch cards.

[00:08:39] Nathan Wrigley: oh, okay. Yeah. This is not a format I'm familiar with, but I've seen the black and white grainy footage. Okay.

[00:08:47] Thomas Raef: You've seen it, you've seen it in the museums, right?

[00:08:50] Nathan Wrigley: Just, total segue, right? Just for a brief moment. Was that stuff fun? looking back now, it just seems like the devil's work that you had to insert bits of cards to get things done.

But looking back was, is there some sort of nostalgia for those days? Did you enjoy

[00:09:05] Thomas Raef: Oh, yeah, it was, 'cause I, started in high school, like I, I was very good in math and science, so I had an opportunity out, even though I was a sophomore, they had a, special class for seniors. you could take eight weeks out of your math curriculum and do this computer programming. And so it was a, Teletype 33 terminal attached to a mainframe computer at Purdue University in Indiana.

And just that whole concept, I'm typing here and it's computing hundreds of miles away.

[00:09:45] Nathan Wrigley: Yeah.

[00:09:46] Thomas Raef: this is so cool.

[00:09:47] Nathan Wrigley: Yeah, I mean that, yeah. That's

[00:09:50] Thomas Raef: and then yeah, learning the, programming logic, was it like even to this day, it just, programming logic just makes sense in my head.

[00:10:02] Nathan Wrigley: you have to rent time on that machine? Because my understanding was, back, in the day, you know that era, there were so few of these things and so many people curious to have a play that it, there was like a booking system to get onto a computer. I dunno if that was the case.

[00:10:17] Thomas Raef: not so much. I went to, Barrington High School. I lived on the, bad side of the tracks, but Barrington High School was, the district we were in, and it was very, very well to do, high school. So whatever arrangements they made with Purdue, I have no idea. But,

[00:10:35] Nathan Wrigley: Yeah.

[00:10:36] Thomas Raef: yeah, I could get on, I, I would stay late.

I'd get, I'd go to school early, and have the janitor unlock the, the door to the room with the, teletype terminal in it, just so I could get on there, because I just, it just, oh, it was so fascinating to me. the first time I wrote a FOR-NEXT loop and realize that. There's no personality, there's no, you don't have to worry about emotions.

[00:11:05] Nathan Wrigley: It's doing

[00:11:06] Thomas Raef: what you tell it.

[00:11:07] Nathan Wrigley: it's, yeah. It just does what it's told and it does it reliably over and over again until you tell it to stop. Yeah.

[00:11:13] Thomas Raef: yes.

[00:11:14] Nathan Wrigley: Yeah. There's, no emotions to deal with. Yeah. There's no stroppy computer saying really another FOR-NEXT loop. Do I have to?

[00:11:22] Thomas Raef: Yeah.

[00:11:23] Nathan Wrigley: that's absolutely fascinating.

I, I love stories like that though, because there, there is something very, interesting about that interface where there's a physical connection, so the card. And the computer and, obviously we have the physical connection, we've got the keyboard, but it, there's just something about that era and the way that you had to interact with those interfaces and, what now looks like.

I know purgatory basically, from a modern computing perspective, that stuff just looks crazy, but

enormously fascinating at the same time. And also you were probably in a tiny minority of people who are, interacting in any way with Com computing. And so that also provides a sort of special, a special place.

You're, in your own little club, your own little world. You've got a gang of similar people, whoever they are and wherever they are, I don't know. But yeah. Anyway, sorry I completely segued, but

[00:12:22] Thomas Raef: It was, yeah. Walking around with your homework, which was a stack of IBM cards, with a rubber band around them. PE you got called every nerd name in the book,

[00:12:35] Nathan Wrigley: Yeah, but look where it got you. Look where it got you.

[00:12:38] Thomas Raef: Yeah. And but the, the, big prank back then was if you saw somebody's, stack of IBM cards

[00:12:47] Nathan Wrigley: I know

[00:12:47] Thomas Raef: cafeteria. Yeah. You walk over and you shuffle 'em because those things have to be in sequence.

[00:12:54] Nathan Wrigley: no. Oh, good grief. So, oh, I remember seeing a photograph of the, the lady who was responsible for the, the computing that went on to get the, Apollo missions safely landed on the moon. And there was this stack of, so it didn't look like cards. It, looked like, we, we call it a four, but, fairly large paper bound books, and that stack of paper bound books were taller than she was.

So I'm, guessing she was like mid five foot something or other. This stack was probably about seven or eight feet, and she wrote the entire thing. In pencil. Ah, how, do you not make mistakes when you're writing things in pencil and some piece of logic that's six foot further up the stack?

You gotta, what incredible. but also I think that, it probably did create a really, I dunno, it, it just began that whole thing and people like you were pioneers and, and I'm just fascinated by that whole thing. It, probably, has no weight in your life. You probably don't think about it on that level, but from where I'm sitting, it's fascinating that people like you did things like that.

That's lovely.

[00:14:08] Thomas Raef: Yeah, I totally appreciated the, opportunity that was, gifted to me basically. because I remember as like a. 13, 14-year-old kid. we'd go to church on Sundays. My dad would buy the, Chicago Tribune, which is this big thick newspaper. And, I had two brothers and my mom, my dad, so everybody would grab their own sections of the paper.

And I was just like, okay, well what's left? Well, I'd, look through the job ads. 'cause I, I was always curious like, what am I gonna do for the, for my work, when I get older and back then it was called data processing and I'd opened up that data processing section and I had no idea what any of those terms meant. FORTRAN, COBOL, IBM 360s, 370s, this, that I had no idea what any of this stuff was, but it felt like home.

It felt like that's where I belonged.

[00:15:08] Nathan Wrigley: These are my people. Yeah.

[00:15:09] Thomas Raef: yeah. Yeah. It was just so, anyway, But yeah, so that, that's, what got, my start. but, so like I said, I'm a programmer from way back, so getting all these malware, remediation requests from Bluehost, I had to start automating things like fast and, because I remember going through and analyzing, JavaScript, malicious JavaScript, and doing it like one character at a time to build the word and, so I was like, yeah, okay, this isn't gonna work.

So I started automating more and more, and I'm a, became a pretty good Python programmer. And, just automated a lot of it so I could, and then you gotta think about outside the box. Okay. it wasn't just WordPress back then. You had Joomla, gosh, I can't remember all

[00:16:08] Nathan Wrigley: there's Drupal. There

[00:16:10] Thomas Raef: Yeah. Drupal,

[00:16:11] Nathan Wrigley: Lots and lots. Yeah.

[00:16:12] Thomas Raef: So, but right back then Joomla and WordPress were about neck and neck

[00:16:19] Nathan Wrigley: yeah,

[00:16:21] Thomas Raef: so you gotta figure out things for both of them. And, but anyway, so we, we started handling more and more, but one thing I did for some reason, maybe just 'cause I'm a pack rat, you talk about your box of, of cables under your stairs there, I, I saved all the malware files that I've ever looked at.

[00:16:45] Nathan Wrigley: Oh.

[00:16:46] Thomas Raef: I just, kept storing them on, back then,

[00:16:51] Nathan Wrigley: Yeah. Paper cards.

[00:16:53] Thomas Raef: yeah.

[00:16:55] Nathan Wrigley: Yeah.

[00:16:57] Thomas Raef: so I just kept saving them and saving 'em. So, now we've got, well over 300 distinct, 300,000 distinct malware samples. And, so in the age of AI, I was like. Okay, these things are finally gonna come, come in handy. 'cause I use those to fine tune an AI model. So you take an existing AI model, like not ChatGPT, some other one that you, are comfortable with.

And you go through this process where you fine tune that model so that it focuses only on website malware. It, you could ask it, how to, how to bake a cherry pie and it won't know because it's forgotten. it's, you've basically eliminated that from, its database of knowledge.

And so all it knows

[00:17:55] Nathan Wrigley: quick question? At the, at this point, does the, so that's really curious. So you've got this model that you're training. does the older stuff, so the first few files, let's say the first few hundred or thousand or whatever, do they, have any weight in the, training that you are doing?

[00:18:13] Thomas Raef: Oh yeah,

[00:18:14] Nathan Wrigley: and do they have an equal weight, if is there an equal amount to be learn by things which are now you might call obsolete or out of date? I'm just curious. 'cause I'm really not sure how that would map into the, overall training.

[00:18:26] Thomas Raef: it's outdated. But when you think about what hackers wanna do with a website, they wanna redirect, they want to try to do a drive by infection, of the browser. somebody visiting a website so their, their, their methods or their, directives are still the same. So yes, it does, like even the old model, the old Sam malware samples that I have, do play, an equal role, as much as today's obfuscation techniques are different today, but.

The, when you break it down to behavior analysis, it's still the same.

[00:19:10] Nathan Wrigley: That's absolutely fascinating. so Thomas was very kind in that he sent me a, a report, let's call it that. He sent me a PDF document of, some bits and pieces that he's been working on. it's fairly alarming, I have to say. but in equal measure. There's, some sort of that, I think there's a ray of hope towards the end.

It, so you, obviously lay out all of the, horrors that are available on the internet and then you talk about the bits and pieces that you can do. it was created, I think I'm right in saying, I dunno if there's any adaptation to this, but, the study was done in September, 2024. So

[00:19:46] Thomas Raef: Yeah. That, that, that's wrong. It was just, this was just this past September,

[00:19:51] Nathan Wrigley: So September, 2025. Okay, that's great. And, it's called A Case Study in Security Plugin Failure. Honestly, I could stumble my way through that, but I, wonder if, let's just hand it to you and you tell us what you found that's gonna be the best use of time.

[00:20:07] Thomas Raef: Yeah. Basically during the, month of September, we, remove malware, from 111,354 websites. And, many, yeah. So automation is my friend.

[00:20:27] Nathan Wrigley: Yeah. Yeah. Sorry, I

interrupted.

[00:20:30] Thomas Raef: well, yeah, we had just taken on, we had just made a couple of new partnerships and, they're like, well, we want everything scanned.

And so yeah, going through we're like, This is infected, this is infected. anyway, we found that the 21,752 of them, had both, Wordfence and MalCare. And I'm not, this, isn't a slam against those two products. Not at all. I wanna be perfectly clear, on that I'm not out to, shame people or anything like that.

but, 1,377 of the, of those websites had iThemes Security installed as well. And what was interesting is even though it had, like most of the sites had two or three, security plugins on there, they were still, getting infected. But the really strange thing that I just stumbled on is that the hackers were disabling deactivating the iThemes Security plugin.

[00:21:51] Nathan Wrigley: Yeah.

That's

[00:21:52] Thomas Raef: Not the other, two,

[00:21:54] Nathan Wrigley: Yeah.

[00:21:54] Thomas Raef: not the other two. Just iThemes. So a, is it easier to deactivate? they're all, because these were all, well, not all of them, but somewhere in there, 81% of these were stolen admin credentials was the,

[00:22:13] Nathan Wrigley: Oh, so they're logging into the WordPress backend. There's some capacity to do that. Okay. Right.

[00:22:18] Thomas Raef: And, whether it's an automated script or whatever, I don't know.

But, they're, they, log in, they deactivate the iThemes Security plugin, then they add their, then they do their infections. Like they would upload, bogus, plugins, and activate those. so it was, so a. The, thing that first hit me was they must be more, the hackers must be more afraid of iThemes Security than they are of Wordfence or MalCare.

[00:23:01] Nathan Wrigley: Is there any, difference in the way that they, so let's say for example, iThemes Security as opposed to, I, what's it called now? It's not called iThemes Security anymore, is it? It's called Solid Security.

[00:23:12] Thomas Raef: Solid. Yeah. Solid. Yeah. Solid Security.

[00:23:15] Nathan Wrigley: security. Formerly iThemes Security.

Yeah, that name is embedded in my head. I'll, I won't be able to shift over quickly either. The, is it that product does something differently once you are in the backend? So for example, in the case of Wordfence and MalCare, does it, is it more of a job of WAF kind of a firewall? So it's detecting traffic.

To and from the traffic, whereas does Solid Security. Oh, I got it. Right. Does Solid Security do more work? Identifying, I don't know, for example, plugins that are being installed, even if the admin has all the credentials to install them. Is, there something in that?

[00:23:53] Thomas Raef: Well, the, yeah, the, pro version of, Solid Security, has embedded Patchstack. So Patchstack, obviously focuses on plugins and plugin vulnerabilities and things like that. So yeah, maybe that's the reason. but I know Wordfence also scans, plugins. they, the two of them, Patchstack and Wordfence have their own, bounty programs for identifying, new exploits or exploit vulnerable plugins.

and they pay bounties for that. But, so I, I don't know, maybe it's more comprehensive. Now, my first thought knowing, one of the things I like about Solid Security is. The use of, they have, you can use passkeys, or, trusted devices so you can lock down logins and stuff to trusted devices.

which, pretty much eliminates the way the hackers got in, the first

[00:25:05] Nathan Wrigley: Oh, that's interesting.

[00:25:06] Thomas Raef: stolen admin credentials.

[00:25:08] Nathan Wrigley: Yeah. Okay. So even if you've got the admin credentials, there's this other layer that you've got to get through because you are not on a device which has already been pre-authorized. we don't care that you've got the admin credentials. You're not on the correct device.

You're not coming in. Okay. Right. That's interesting. Yeah.

[00:25:24] Thomas Raef: So, maybe they, deactivated it now it. In, looking through the database and stuff, at this point I was in quite a bit of contact with, Solid Security people. so I'd dig through the database and say, okay, was passkeys or trusted devices even activated? And, most of the time, no, because, people think, oh, that's too much.

it's too much of a hassle to deal with, password or passkeys, trusted devices, all this other stuff. it could be maybe the hackers knew that, once people find out that their, site was originally infected due to a stolen admin username and password, that they would activate passkeys or trusted devices.

So they just deactivate that plugin and kinda remove that from the, equation. I, it's all speculation,

[00:26:23] Nathan Wrigley: Yeah. So I guess you're just reporting what you found, not without necessarily the, knowledge of why that was the case. Yeah. You, need to be on the phone to the hackers more. Thomas,

[00:26:34] Thomas Raef: Yeah.

[00:26:35] Nathan Wrigley: unfortunately, they probably won't get on the phone with you.

[00:26:38] Thomas Raef: No. No, they don't like me too much.

[00:26:41] Nathan Wrigley: No, I'll hold that. okay, so, so I guess the, so that, that sort of clears up that little bit. So 111,000 and climbing, websites that you found that had, infections on them. this is staggering number. and then there's this whole thing about Wordfence, MalCare, I think, or Solid Security.

But then, we move on to the kind of the root cause of why. Those, hacks were enabled or why they were able to take place. And this sort of stuff is so curious. Some of it is so counterintuitive to me, at least. Anyway, so run through what you found. It's fascinating.

[00:27:20] Thomas Raef: Yeah, we found that like 81% of those sites were infected with stolen admin credentials or hijacked authentication cookies.

[00:27:30] Nathan Wrigley: Oh, you see, that's just not the kind of messaging you get in the wider world, is it? You get, a different message, 'cause basically what you are saying is these people have the right to log in somehow they've gained the, credentials to successfully log in as an actual user.

So everything's benign to the website or any security measures at this point? 81%. Oh, it's not some sort of automated attack. Okay. Sorry, I interrupted. Carry

[00:28:01] Thomas Raef: No, you're fine. Yeah, and typically, like if I go on, oh, what's, I can't think, Reddit or Quora, some of those, and people are talking about, oh, my website got infected. I gotta find out how and blah, blah, blah. And nine times outta 10 people are like, oh, you must have installed a nulled plugin.

It's

[00:28:27] Nathan Wrigley: Plugin is the easy default to reach for, isn't it? Because I guess there's a real, like, obviously I'm no expert in any way, shape, or form, but I can hook my understanding onto that. There's a real easy platform for me to go, oh, yeah, okay. That makes sense.

There's a plugin, it's got some sort of, I don't know, there's some malicious code that's been planted in there and it's on my website. That makes sense. But this whole idea of, wait, no, they've got my credentials. That is totally counterintuitive. And yet you are saying the ratio is like five to one.

Or four to one, whatever. I've never been that good at math, unlike you. But it's sort of 80% to 20%, something like that. 81 to 19. So how the heck are these people getting these credentials then?

[00:29:15] Thomas Raef: Well, let me ask you, you're on a Mac, right?

[00:29:17] Nathan Wrigley: Yeah,

[00:29:17] Thomas Raef: What antivirus program do you have on your

[00:29:19] Nathan Wrigley: I do not. No, there you go.

[00:29:22] Thomas Raef: Bingo.

[00:29:23] Nathan Wrigley: Okay. So it's like logging, it's logging on a device level, possibly on a PC, a Linux machine or something.

It's kinda tracking me around the internet, watching what I'm doing in like the browser and then just keeping the credentials. I'm guessing how that, is that it, more or less?

[00:29:41] Thomas Raef: They have so many ways. Like they're constantly finding bogus Chrome extensions, all the time. And what are those things? You know where you're logging in. Oh, you're logging in through your browser. Well, guess what? If you've got a bogus Chrome extension, guess what it's doing?

It's stealing all that information and sending it, cookies, your authentication cookies from logging into a WordPress site. Where's that stored? Oh, it's in your browser. Guess where that gets sent?

[00:30:14] Nathan Wrigley: Yeah. Okay. That's interesting. So the sort of threat vector then has moved from the site to the device. So the iOS device, the Android device, the Mac, the PC, the Linux machine. Okay. That's really interesting. And again, that doesn't get talked about much at all either. In fact, never, I don't think.

[00:30:40] Thomas Raef: That's, we've got, we just had relationships severed with a small hosting provider who, every time their sites got infected, we did a root cause analysis on it, and it was like, so and so, and we could now, because if it's a site that we're watching, we can tell 'em exactly which user was compromised.

So, which is not an easy task unless you have access to everything. But we continually tell 'em, no, this Jane Doe of your customers has a virus on their system, because you just reset the password and hackers just logged in from a server at, wherever, OVH, Hetzner, Vultr, some server someplace onto their website.

[00:31:43] Nathan Wrigley: Can I just reprise this so that I'm sure that we're, especially for the listener, that we've got the through line running here. So basically what you're saying is that in the scenario you've just described, you've got this relationship with a company. They've got a problem with a website, so they give it to you.

You do the fine analysis and you can see that at some moment this user logged in, changed the password, and then moments later, I'm imagining, that user then logs in from wherever the heck that is. So, although you obviously don't have knowledge about how that happened, how that user's credentials were exfiltrated, you can see that it happened, that that user is suddenly in, I don't know, like far off Afghanistan or Australia or some unusual place where they actually don't live.

Have I got that right? Is that basically what you were saying?

[00:32:40] Thomas Raef: Yeah.

And in the log files, it's easy for us because that same, one of the things that I try and impress upon customers is everybody gets their own login. None of this [email protected] and you share it with your dev team, you share it with tech support. No, everybody gets their own, because that way we can track who is doing what.

And so what we'll see is somebody, because we're also streaming the log files from websites to our servers,

[00:33:24] Nathan Wrigley: Oh, so you're capturing those in real time as well. So any amendments that they make to the log files are of no use, because you've got the real thing. Oh, that's fascinating. Okay.

[00:33:36] Thomas Raef: But it also gives us a clear picture, step by step. Okay, this person logged in from, let's say Germany, from a server in Germany, and they uploaded a bogus plugin. We know it's bogus because of all of our checks and balances and blah, blah, blah. And then an hour later, that same user logged in from Australia.

[00:34:05] Nathan Wrigley: Okay. Yeah, they're very quick.

[00:34:07] Thomas Raef: Yeah. Yeah.

[00:34:08] Nathan Wrigley: Yeah. Got a real

[00:34:10] Thomas Raef: They took that tunnel,

[00:34:11] Nathan Wrigley: grade military aircraft too.

[00:34:13] Thomas Raef: Right. yeah.

but,

[00:34:18] Nathan Wrigley: I'm guessing, like, the way you are saying it, it sounds like, oh, all of this just drops out of the log files. I'm sure there's a lot of forensic stuff that you've got to do to actually gather this information yourself, but okay.

I'm following along. This makes sense. Keep going.

Yeah.

[00:34:34] Thomas Raef: Yeah, but when you're faced with constant admin password compromise, one of the best things to do is use passkeys or 2FA.

[00:34:58] Nathan Wrigley: Okay. Right now we're back to, we're full circle back to perhaps why a solution like Solid Security is uninstalled, because they get rid of the passkey thing. Okay.

[00:35:10] Thomas Raef: Now, the problem is that if they've hijacked your authentication cookies,

[00:35:18] Nathan Wrigley: Oh.

[00:35:19] Thomas Raef: authentication cookies bypass 2FA. 'Cause you're already

[00:35:23] Nathan Wrigley: You are you. Okay. So we probably need to explain that. So the authentication cookie is something which sits in the browser, which has been set to demonstrate over and over again: this is me. I've already logged in. We don't need to do that whole thing again because here's the authentication cookie.

We just pull that. Are you legitimate? Yes. Here's the cookie, and off we go. So, okay. So if you can steal that, you are you, wherever the heck you are. Oh, that's

[00:35:55] Thomas Raef: Now, WordPress automatically expires an authentication cookie after 48 hours

[00:36:01] Nathan Wrigley: Yeah. It's a long time to do some terrible work that

[00:36:04] Thomas Raef: or, unless you click that box that says "remember me" when you're logging in. Then it saves the authentication cookie for two weeks.

[00:36:12] Nathan Wrigley: Weeks. Okay. Okay. Right.

[00:36:15] Thomas Raef: That's a long time to

[00:36:17] Nathan Wrigley: That is a long time. Yeah. But again, working on the basis that it's never gonna be exfiltrated from any machine, that would seem on the face of it to be a sort of sensible default. But what your study is revealing is actually no, people have figured out how to bypass this, so all bets are off.

Then if you get the authentication cookies, and let's say you've got 24, 48 hours or two weeks, you can do whatever you like. At that point, so long as it's done in the back end of WordPress, you're off to the races. Oh gosh.

[00:36:51] Thomas Raef: And what we're seeing more and more of is hackers are creating invisible admin users. So when you go into WordPress under Users and you click on Administrators, you have to look at the number. 'Cause it'll say administrators five, but if it only shows four, you have a hidden administrator.

[00:37:13] Nathan Wrigley: Okay. Yeah. Yeah. Okay. Okay. Well that's worth doing then. Everybody stop what you're doing now and go, and have a look at

[00:37:20] Thomas Raef: Log in.

[00:37:21] Nathan Wrigley: your WordPress. Yeah. Log in. Of course there is an easy solution to all of this and that is to log out, log out at the end of any session. Of course we don't though, do we?

Nobody does that. Nobody does that. 'Cause it's gonna save you eight seconds the next time you log into the computer. But okay. Okay. That's a startling development. Okay. Alright. Alright, carry on. Apologies, I keep interrupting.

[00:37:47] Thomas Raef: No, you're good. But yeah, so you know, this really, because we had such a huge month in September, excuse me, I'm gonna sneeze.

[00:37:57] Nathan Wrigley: No, it's okay.

[00:37:58] Thomas Raef: Oh. Some of these stats, but the one that jumped out at me was Solid Security being deactivated. It's

[00:38:13] Nathan Wrigley: Yeah.

[00:38:14] Thomas Raef: like I said, but we tell people all the time, well, they always ask, well, how can we stop these? Like I said, this one that we just severed the relationship with, we kept telling them, in order to kill this, stop these infections, you need to put 2FA on everybody's website.

And they didn't wanna do that because he said, oh, the lockouts and the extra tech support is just gonna be too much for us. Okay.

[00:38:50] Nathan Wrigley: Oh yeah, that,

Don't you think that genuinely is a fascinating response? Because I can see that, from their point of view, that makes sense at this moment in time. That makes sense. We don't wanna deal with that extra thing each time, 'cause there'll be tech support. But equally, hang on.

Now think this through. What if this happens again? You've just wasted lots of dollars, lots of time, to solve a different problem, a problem which is potentially worse. That is a fascinating example of humans being human, isn't it? Just, here's the evidence, here's the solution, but the solution's a little bit annoying, so we can't do that.

Yeah, I mean my mantra with security, it's very glib, but basically anything which is secure is more inconvenient. There isn't really a trade off. If you want something to be more secure than it was yesterday, it's going to be slightly more inconvenient.

[00:39:55] Thomas Raef: Passwords are a hassle at times, and you gotta reset your password and everything. So, yeah, you're right.

[00:40:05] Nathan Wrigley: But if your website gets hacked and you have to go through all this remediation, support emailing you, you have to weigh that up. I'm glad that I'm not in your industry, 'cause I imagine those conversations could be quite infuriating.

[00:40:19] Thomas Raef: Yeah. Yeah. Like I said, we try and provide people with solutions that make sense, and I get, yeah, it might increase your tech support, but so does an infected website. And

[00:40:36] Nathan Wrigley: yeah.

[00:40:37] Thomas Raef: when you have, we've had some with that particular situation where they were infected over and over again. Well, just put 2FA on.

[00:40:47] Nathan Wrigley: Well, I guess the one thing that you're gonna get from a security breach is, and you'll never get this from having to fill out a 2FA sequence of things, whatever that 2FA is: panic. You're never gonna panic when you see 2FA, but you are gonna panic if your website is breached in some way.

Or hacked. Or compromised. So if you don't want the panic, then go for the inconvenience of 2FA. Right. Let's move on. Let's talk about the regions that all of this sort of stuff happened in, 'cause that's fascinating as well.

[00:41:21] Thomas Raef: Yeah, like I said, we redid our entire log streaming, like I said, on servers. So if you're with, like, GridPane or xCloud or some of these people, we can stream your log files in real time to our servers. And I had five banks of these log aggregation server farms throughout the world.

And each one could accept 20 million log entries per second.

[00:42:00] Nathan Wrigley: I'm just going to sit down and take a deep breath. Wow. Okay.

[00:42:06] Thomas Raef: But

[00:42:06] Nathan Wrigley: that's

[00:42:06] Thomas Raef: what we are finding with only five of these server farms, I say "only," but there were log files that were getting skipped because we're ingesting so many at one time. It wasn't enough. So now we broke it up. We now have 27 server farms around the world.

Not each one can handle the 20 million log entries per second, but it's regionalized in a way that it's much easier to maintain. And we have basically no log files skipped. So we're streaming these, so it gives us some interesting information in our new system. And we found that 73 to 74% of all traffic to United States websites is malicious.

It's attack traffic.

Three. Yeah. Three outta four.

[00:43:17] Nathan Wrigley: I have no words. Actually, when you just say it like it's a line item, but if you sit down and think about that statistic, that's horrific. What have we done to ourselves? So if you're in the United States, 73 to 74% of everything flying around on the internet is quite likely to be some deliberately targeted attack.

That's not

[00:43:45] Thomas Raef: Yeah. I wouldn't say necessarily, everything flying around the internet, but everything going to websites,

[00:43:51] Nathan Wrigley: Okay. Thank you. Alright. Good clarification. Yeah. But still, an alarming figure, and yeah, I guess it just goes to show how intense this is, how well executed it is, how well funded it is.

[00:44:07] Thomas Raef: Yeah, and it's so automated, we can see

[00:44:09] Nathan Wrigley: Yeah. Yeah.

[00:44:10] Thomas Raef: the timestamps in the log files. And sometimes we've got, we're now automatically reporting malicious traffic. So let's say there's a VPS provider in Europe or America, Canada. I don't care where they are.

They have blocks of IP addresses assigned to them.

[00:44:37] Nathan Wrigley: Okay.

[00:44:38] Thomas Raef: You can look those up. So what our system does now is every time we detect malicious traffic coming to a website that we're watching, we gather that information for 24 hours and then we notify that VPS provider: hey, these IP addresses have attacked these thousands of websites over this 24 hour period.

You guys need to send a notification to those people that are using your VPSs and let them know that they're infected.

[00:45:14] Nathan Wrigley: How does that relationship work? Now that you've been doing this for a long time, do you have the hotline, that notification that you send, do you find that it's taken seriously, or is it hitting the inbox of somebody who'll delete it?

[00:45:32] Thomas Raef: No, because pretty much everybody has an abuse at whatever their domain is.

[00:45:38] Nathan Wrigley: Right,

[00:45:39] Thomas Raef: Now we also have to, like there's certain providers that prefer an XML format. It's called X-ARF, I forget what X-ARF stands for, but it's a standard format for abuse reports. So our system automatically generates those and sends those.

Now what we're coming into is there's one or two large VPS dedicated server providers that say they want us to fill out their form.

And I'm

[00:46:18] Nathan Wrigley: manual process of filling out

[00:46:20] Thomas Raef: Yeah, and that's not happening, because on an average day we'll come across 2000 IP addresses of theirs that are attacking other sites. No, not happening.

And according to ICANN, I-C-A-N-N, or whatever,

[00:46:36] Nathan Wrigley: Yeah, that's right. Yeah. Yeah.

[00:46:37] Thomas Raef: they're supposed to maintain and service an abuse at address. But they, or they'll tell us, well, we don't know which website, we just rent those servers out. We don't know which website on that server is infected.

So you let us know that and then we'll notify the people in charge. No, it's impossible for us. Unless I scan the, they might have 30 websites on a server, unless I scan all 30. No, I'm, no. Not my job.

I hate to say that, but

I'm notifying you. Yeah.

[00:47:19] Nathan Wrigley: So, 73 to 74% in the United States. That's the most alarming data. It's not much better in Europe, but it's slightly better.

[00:47:31] Thomas Raef: Yeah. Europe is about 57%.

[00:47:34] Nathan Wrigley: Do you have any intuition as to why Europe gets a different level of this than the

[00:47:39] Thomas Raef: Well, look at Asia Pacific, 34 to 37%.

[00:47:44] Nathan Wrigley: But you said that's rising though, so year on year, was that a smaller number last year and predicted to be a bigger number next year? Is it just that there are more websites there, so the attack surface is just bigger in the United States, or is

[00:47:58] Thomas Raef: that's entirely

[00:47:59] Nathan Wrigley: value stuff or, yeah.

[00:48:02] Thomas Raef: No, but I do think there are more e-comm sites in the US. Europe, maybe, maybe not as many. Asia Pacific, I don't really know, but,

So I saw those numbers and I was like, wait, what?

[00:48:28] Nathan Wrigley: yeah, it's.

[00:48:28] Thomas Raef: People say, well, what do I do with that?

I'm like, I don't know, if you're in the United States, move your hosting to Asia Pacific. I

[00:48:36] Nathan Wrigley: Yeah. Yeah. Yeah. Okay. You've decreased by a factor of three the chances of something bad. Oh, that's a fascinating idea. Okay. Yeah. Okay. So, and then there's this little line item underneath, which I think is, again, just eye watering. So I'm just gonna read it directly. It says, "The US data is particularly striking.

Nearly three out of four files we analyzed from US hosted WordPress sites are flagged as suspicious." I'm sure maybe that number isn't quite as high in reality, but it gives you an order of magnitude. "This isn't random scanning. It represents persistent, elevated targeting of US infrastructure."

So, gosh, yeah.

[00:49:16] Thomas Raef: Yeah. Like I said, I was talking to some people at Alibaba, they have hosting, and they were like, yeah, have everybody move their sites over to us.

[00:49:33] Nathan Wrigley: Yes. Yeah, we would love that. Of course, it won't take long for that statistic to go in the exact opposite direction if everybody will be moving their hosting around to a different jurisdiction, this constant game of tennis.

[00:49:47] Thomas Raef: Right, right.

[00:49:48] Nathan Wrigley: Where are the stats this year the least bad? We'll go there. Okay.

And then the year is 2025, so we cannot ignore the next bit, which is AI. This actually, for me, I think represents the most interesting and alarming bit. You've got a lot in here and it's not difficult to imagine, dear listener, that the AI stuff is gonna get really good really quickly.

So tell us where we're at. You've called it the new arms race in WordPress security. So what are the hackers doing with their AI agents and bots, and how is it all getting deployed?

[00:50:31] Thomas Raef: Well, the more you read about AI and cybersecurity, it's usually about how companies like ours, and others, Palo Alto and all the other big players, are incorporating AI into their workflows.

The hackers have been there already.

[00:50:57] Nathan Wrigley: Right. Yeah.

[00:51:00] Thomas Raef: They were way ahead of all of us. They picked up on that in a heartbeat. I hate to give 'em credit, but they're incredibly intelligent.

[00:51:11] Nathan Wrigley: Oh yeah. So we have this sort of notion of these sort of criminal people who are, in somehow, I don't know how to describe it, depraved, or somehow there's a screw loose. These are highly intelligent. I suspect that if you met these people in the local bar, they would look just like me and they're exactly the same.

They're just making a living in a very different way.

[00:51:37] Thomas Raef: Right. Well, years ago I used to go to DEF CON out in Vegas, the big hacker convention. It usually follows Black Hat. Black Hat is all the cybersecurity companies and stuff like that. DEF CON is more the, like when I used to go, they always had a contest, ID the Fed. They actually had a chart, and if you could ID the most feds, you won some kind of meaningless prize at the end. But yeah, you look at those people and it's pretty tough. Now, if you've got an FBI agent walking around in a suit and tie, you pretty much figure he's not a hacker.

He's definitely a Fed.

[00:52:33] Nathan Wrigley: Yeah. The reward's great, I would've thought. If you deploy some of this nasty stuff that we've been talking about and you do it successfully over a long period of time, I'm guessing you've got a high chance of early retirement. It's not without its rewards.

And I'm guessing that actually catching these people is furiously difficult. Stopping them in their tracks, stopping them deploying what they're doing, that's the game for you. But catching these people, I imagine, is a lottery sort of scale, the chances are like lottery numbers.

You've got very little chance of actually catching these

[00:53:16] Thomas Raef: Right. I used to have a friend when I lived up in Chicago. I had a friend who always liked joking with me 'cause he knew nothing. Every time I talked to him about computers, he'd call me Box. He goes, Box, zeros and ones. So, but he always used to joke around with me.

He's like, do you ever think about going to the dark side for a year and then retiring and buying your own island? I'm like, no.

[00:53:44] Nathan Wrigley: Oh, not even once? You never entertained that, even once? I'm surprised. You're a better man than I am.

[00:53:52] Thomas Raef: But like years ago, I don't even know if they're still around, but there was a group out of Russia called the Russian Business Network, RBN.

[00:54:03] Nathan Wrigley: It sounds so legit.

[00:54:07] Thomas Raef: But supposedly, and these are all rumors, so don't hold me to any of these.

But supposedly Putin supported them. But reportedly they also made about, in a single year, a small team made about $4 billion in hacking.

[00:54:32] Nathan Wrigley: go. Yep. There you go. There's the kind of

[00:54:37] Thomas Raef: I'm sure it pays, but yeah. No, that constant looking over your shoulders.

[00:54:42] Nathan Wrigley: Well, I suppose it depends where you live, whether people are looking over your shoulder or not. Maybe if it's state sponsored, then nobody's looking over your shoulder. Well, they are, just to see that you're doing a good job. That's kind. Okay, so, but sorry, go

[00:54:58] Thomas Raef: No, go ahead. Go ahead.

[00:54:59] Nathan Wrigley: Well, I was just gonna say the piece that came out of the AI section, what you wrote in the AI section, was really interesting to me, because I just had had this notion that what would be happening there would just be a generation of code to perform these actions more quickly.

So just more code, more complicated code, more obfuscated code, all of that. And actually, no, what's coming out is so many more human types of activities. So the first one, social engineering at scale. You've written: AI generated phishing emails that bypass traditional detection and appear highly personalized.

Of course that's what you're gonna do. It makes total sense. But it just didn't occur to me. So in the past, these phishing emails and what have you, there was just something about them, alarm bells. We're going back right to the beginning of this sort of stuff: poor English, bad grammar, that kind of didn't make sense.

It was easy. And then I'm guessing that they just got better at writing English or whatever language you're consuming, but now I'm guessing they're like pulling on heartstrings, or they're finding out who your boss is and things like that. Oh,

[00:56:20] Thomas Raef: They can, their AI bots can scrape websites. So they know, when you have an "about us" or "our company" link on your website, it scrapes all that information. It can dig through LinkedIn, it can dig through all sorts of resources to come up with a structure.

I had a neighbor again, up in when I lived in Chicago, who worked for an accounting firm. He got fired because he transferred $400,000 out of a client's bank account to hackers unknowingly.

But he was tricked.

[00:57:05] Nathan Wrigley: oh,

[00:57:05] Thomas Raef: He did the transfer; it followed all the same procedures.

So obviously, again, this goes back to local device hygiene, cyber hygiene.

[00:57:18] Nathan Wrigley: yeah.

[00:57:20] Thomas Raef: If you used a real easy to guess password for your email, and the hackers got in and they saw, like, the workflow

[00:57:30] Nathan Wrigley: The actual legit sequence of events, they can just copy that legit

[00:57:35] Thomas Raef: just followed it. They can spoof the email addresses in there.

[00:57:40] Nathan Wrigley: Of course you're gonna do that.

[00:57:41] Thomas Raef: Build the whole thing that just looks so legit, and it comes down to the person like, oh, okay, well, there goes $400,000.

[00:57:51] Nathan Wrigley: Really interesting, actually. I notice here in the UK, I dunno what the case is in North America, but here, like financial transactions and things like that, there's been a lot of tightening up and some quite ingenious mitigations being deployed. So, for example, I've got several bank accounts.

One of them will phone me and I have to immediately type in a code, which I see on the screen, which is then immediately followed by another action that I've got to perform. So there's this sort of cascade of things, again, inconvenient, but I'm totally willing to do that when I'm transferring money from my bank account.

But other things like in-app confirmation, so I'll try to do something, let's say, I dunno, purchase something in a bricks and mortar store, and my phone will pop up and say, hey, is this actually happening? And there's ways around it, I'm sure, but the point being that you can see that the financial institutions are adapting a little bit to these kind of workflow based attacks and stepping in and putting guardrails in place to stop those things happening.

But we're gonna miss out three for now. We'll come back to them. But the last one on this list, come on, what the heck? Deepfake voice attacks. So voice cloning for CEO fraud schemes, targeting financial transactions. This is the stuff of nightmares, isn't it? You get,

[00:59:16] Thomas Raef: See Tom Cruise in this scenario. Right.

[00:59:19] Nathan Wrigley: right? Yeah. Yeah.

Look,

[00:59:20] Thomas Raef: He's fighting this group of people with these fake voices.

[00:59:25] Nathan Wrigley: But you can also, you get a phone call. I can't remember what Google's product was, but they launched it many years ago. And the idea is that it would do trivial things for you. Like you'd set it and it would order pizza for you. And it would actually phone up the place, it would order the pizza, and they would inject sounds of breaths.

They would inject like fake ums and ahs, the rise and the fall of the voice was there. I can't remember what that service was called. I don't know if it even launched, but the point was that technology was available and it was a complete simulation of a human being, and it would react in real time. So if you said something back to it, are you an AI?

It would,

[01:00:03] Thomas Raef: Yeah. Yeah.

[01:00:04] Nathan Wrigley: Of course not. And you'd have to try really hard to figure out that was in fact an AI. And if your boss phones you up and issues you with some instructions, I'm imagining that's a fairly edge case, but nevertheless, it's coming, right? Oh,

[01:00:22] Thomas Raef: And it used to be, now I think one of the early times that you and I did a podcast, you were using some tool that could, yeah, where if there was a blip or something, it knew your voice from x number of minutes of

[01:00:45] Nathan Wrigley: Well, so I'll tell you some interesting data around that. When I first started using that app, let's say it was about four years ago, because it was roughly four years ago, I had to feed it 10 hours of uninterrupted audio in order for it to simulate my voice, and it did a reasonable job.

Back then, it was incredible, but by today's standards, it was a reasonable job. Now, six words.

And it sounds significantly better. Six words. In other words, somebody needs to capture one sentence that I say. Goodness knows what I do, how many sentences have I put out? I'm really asking for trouble. And now that I've said this out loud, somebody's gonna do it.

But yeah, that's all it took. Six words is now the, and I dunno if it's like a selection of words where they've got all the vowels or whatever sounds in there, but the point is it's not hard to do. It really isn't hard to get. You could be on a phone call with somebody, imagine phoning up the bank teller and just getting them to talk to you for a bit.

Record it. Yeah. Boy. Yeah. So anyway, sorry. Segue, but interesting that,

[01:01:56] Thomas Raef: No, that's the point I was making. You know, what used to take 10 hours now takes 10 words.

[01:02:02] Nathan Wrigley: Yep. Yeah, it's not, absolutely not. So that is coming. I dunno how we get over that, because the minute we've broken the trust with our ears and our eyes, we genuinely, we really are in real trouble. It's almost like we're getting to the point where we have to live stream every single minute of our existence so that somebody can check and go, oh no, they didn't actually do that.

Look there, they were standing in Times Square at that moment when they should have been in China. Right? Okay. But heck, okay. And the other ones are a little bit above my pay grade, some of this sort of stuff. So, polymorphic malware. Sounds dastardly, is dastardly: code that constantly changes its signature to evade antivirus detection. Oh, so not even the code is fixed.

[01:02:50] Thomas Raef: Right. No. And what they do is they'll use certain factors like the website name, other things that they find on there. Sometimes they'll pick from a list of installed plugins and they'll use one of those and name it something very close to a plugin you already have on there.

Or they might put, we've seen sometimes where they'll take a standard plugin name and they'll put dash new

[01:03:24] Nathan Wrigley: Oh.

[01:03:25] Thomas Raef: dot version, three x blah, blah, blah.

[01:03:31] Nathan Wrigley: Oh, okay. Right, right. I'm just grasping what you're saying. So, okay, I missed that and now I think I've got it. So this is real time, scanning of your WordPress install. So in the past they would've had to come up with some generic file name that may have caused alarm bells because of its generic nature.

Now they see that you've got, I dunno, form plugin X and they change it to form plugin X new. And so in that way, they've gathered information, adapted the malware, shipped it, but it's so, so specific to your website that it's very likely to go undetected. Honestly. It's like evil genius stuff.

Isn't it? It's amazing.

[01:04:14] Thomas Raef: I mean, what they do is they'll copy all the files. So let's say you have this Form X plugin, they'll copy all those files into their new bogus Form X dash new folder. Change the header of the, like the readme file, so it shows a new version, and then one of the files buried deep inside their new bogus plugin will have infectious code.

[01:04:45] Nathan Wrigley: Right. So it, oh, okay. Okay. So like in a plugin that might have literally thousands of files, they copy the entirety of it, except buried in there somewhere is one that, okay. Again, just

[01:05:01] Thomas Raef: Or it'll pull, like we've seen some that it'll pull, it'll have one file and it'll pull a segment from this file, and then put it all together. And that's their malware string.

[01:05:15] Nathan Wrigley: Man. Okay. So it's not even one file that you've gotta detect. It's like a combination of different files. It's just, imagine just imagining these people sitting around, coming up with this stuff. Honestly it sounds ridiculous, but like the pleasure that they probably derive, oh, we could do this.

Yeah, sure, let's do that. That's a great idea. And they're having a great time over there. And we're all No,

[01:05:43] Thomas Raef: We're all pawns.

[01:05:44] Nathan Wrigley: Yeah, exactly. They're just having a riot. Oh, okay. So that's the thing. Polymorphic malware, gosh. And then automated vulnerability discovery. And you use the acronym ML.

I'm not sure what that one is. So

[01:05:59] Thomas Raef: Machine learning.

[01:06:00] Nathan Wrigley: Okay. Of course. Yeah, it makes sense now. Machine learning algorithms that rapidly scan code bases to find exploits faster than manual methods. Well, that was the bit that I, that was the only bit that I intuited. That was the sort of bit that I guess was obvious.

Oh, they're gonna use AI to scan things more quickly. So I guess that makes sense. And then credential prediction, AI-enhanced brute force attacks using password patterns from leaked data sets. Maybe I could have intuited that one as well. So just pad that out a bit. What does that mean, actually?

[01:06:30] Thomas Raef: Well, basically what they do, like when there's a breach, there's sites that have the full data set of stolen usernames and passwords. You know, that from a company breach. And so what they do is they feed all those username and password combinations, that's their data set.

They feed all that into AI and says, okay, for this user, since we have, I don't know, 10 of their passwords for different sites,

[01:07:07] Nathan Wrigley: Oh, I

[01:07:08] Thomas Raef: predict what other passwords they might be using.

[01:07:13] Nathan Wrigley: Oh, okay. Okay. So the curious thing there is, unless you are truly using a rand function to generate a password, which is just utter gobbledygook, it's highly likely that your random, I'm doing air quotes, that your random string that you came up with is probably not as random as you think. It might contain things like your birthdate in the middle somewhere, or appended to the beginning or the end, or I don't know, the name of your street or something like that. So these kind of things that were beyond the capability of humans to get into the prediction work, it would've taken too much time. Now the AI can begin to, oh look, there's a pattern here.

They often appear to insert this string of numbers. Well, let's position that string of numbers throughout the otherwise run. Oh, again, I can see the hackers. They're having a great time.

[01:08:04] Thomas Raef: Like predictive text, when you're typing an email, it's predicting what you're gonna say next. Well,

[01:08:11] Nathan Wrigley: it's,

[01:08:11] Thomas Raef: exactly what it's doing, except it's learned from previous passwords.

[01:08:16] Nathan Wrigley: Okay. Okay. So thus far we've painted a picture of doom. The sky has fallen in, it's Chicken Little territory. But the final bit though is where we fight back, where we plant our flag in the sand and say, no hackers, it's time to stop.

So what can we do? What can we do? In the advent of all of this AI, what are some of the things that allow normal people to get a win?

[01:08:44] Thomas Raef: Well, like I said, we fight back with AI ourselves, that's what we do. And I'm not trying to promote our services or anything like that, but these are some things that need to be, people need to think about. And like for our stuff, our LLM, our large language model, we took a base AI model.

And we fine-tuned it with our 300,000 plus malware samples. And now that sampling is fine-tuned specifically for WordPress sites.

[01:09:31] Nathan Wrigley: Okay. Yeah. So it own, so it's only interested in that kind of information. It doesn't really care that Prince Charles did this or that there's this latest news story. So, a generic LLM out there, ChatGPT and what have you, it's got all the things, you've just honed it down to say only care about the WordPress stuff.

Okay. That's interesting. Alright. Yeah. And obviously you've got tons of historic data that you've been saving. Now it becomes clear why you were saving it, even though it didn't seem like a

[01:10:01] Thomas Raef: Yeah. Yeah, AI wasn't even around back in 2007, so,

[01:10:06] Nathan Wrigley: That's interesting. Okay, so the LLM is fine-tuned to be specific to WordPress malware.

Carry on.

[01:10:14] Thomas Raef: And that's the thing with security, when you're working with AI, it has to be fine-tuned or designed for that particular segment of the industry,

[01:10:28] Nathan Wrigley: Yeah, I think anybody that's touched AI in any way, shape or form realizes that the one which has been worked on to do your task is the choice, right? It just makes more sense to be less generic. Okay. So the next piece then, again, you're definitely gonna have to help me out here, entropy.

And I know what entropy means, but here we go, it gets difficult: entropy analysis for obfuscation detection, mathematically analyzes code structure to identify hidden malicious content even when heavily encoded. I think I get it, but I think I need you to help me out. What does that mean?

[01:11:04] Thomas Raef: There, entropy helps you define, like it'll pick up on spaces, empty space in a file, random words, all sorts of, calculate, the, yeah, mathematical analysis. And when I first came across that idea, I was like, this probably can't really work. And as a lone indicator, no, it's not good.

But when you combine it with other variables, behavior, a new file inside of a WordPress plugin folder, certain other indicators, entropy becomes an incredibly strong indicator of malicious intent.

[01:12:05] Nathan Wrigley: Okay. That's fascinating actually. And buried treasure actually, but by itself no good, but heaped upon all the other indicators, it itself becomes a good indicator. Okay. And then we've done one, two, and four, so I missed three out. So here we go. Behavioral analysis detects what, okay, this is the bit.

I think this is where it all gets really clever, because nobody's been able to do this, I guess, until this point, unless you manually inspected every line of code and tried to figure it all out. Behavioral analysis detects what code actually does rather than what it looks like.

So it's catching malware that traditional signatures miss. So it's figuring out what's actually going on, which I guess is like the golden goose. It's laying all the eggs here. This is the good stuff, right?

[01:12:57] Thomas Raef: Yeah. This is, when I trained this, and this is another LLM of ours, when I trained this one and tested it across new strains of malware. And it just came back, like the one I told you where, you know, one file in a bogus plugin is malicious and it's pulling pieces from all sorts of other files and putting it all together.

[01:13:25] Nathan Wrigley: It could see it.

[01:13:27] Thomas Raef: Our LLM is what told us that's what it was doing.

And then we went back through

[01:13:34] Nathan Wrigley: Sorry. Carry on.

Apologies.

[01:13:36] Thomas Raef: No, we went back through and, wow, look at, it's pulling this and it's coming up with a B, and then it's pulling this from that file and it's an A, and slowly it spells out base64 decode, but that word doesn't exist anywhere in the whole thing.

[01:13:59] Nathan Wrigley: So this is the bit that we've had. So when you read WordPress articles in the security space, very often the article will go, here's the problem, and then there's this long explanation of what it did. And it's pretty clear that the unraveling of that long explanation of what it did took some genius-level coder a long time to figure out, you had to go through line by line, inspect the whole thing. So hours, maybe weeks and days, sometimes, I don't know. But the point is that stuff, the difficulty of extrapolating that stuff, was the big upper hand that the hacker has had. The more difficult they make it, the longer it takes to figure it out.

Now I'm guessing this stuff drops that advantage for them by orders of magnitude. Suddenly that time to figure out what the heck is going on can be really reduced to, I dunno, maybe seconds or minutes in some cases. I don't know how confident you are about that, but that's a real game changer. That one

[01:15:01] Thomas Raef: Yeah, originally, like some of our stuff, it would come back and it would take about 10 minutes to do a full analysis. Which, like you said, it's better than days and weeks, or hours. But I wanted to get it better, so we got down to the point where it can now do some of it in under two seconds,

[01:15:29] Nathan Wrigley: Oh.

[01:15:30] Thomas Raef: So that makes it scalable. Now it's scalable. Ten minutes is not really scalable when you're dealing with millions of websites.

[01:15:41] Nathan Wrigley: Yeah. Yeah. That's fascinating. So I'm gonna guess though, that if you are doing this and the hackers see their beautiful advantage of time rapidly disappearing, the cat and mouse game, that is no doubt what you are dealing with, that presumably then just spurs them to get more creative. And so you're in a different cat and mouse game now with AI, and I can only imagine, like you are in bed asleep at night and your AI is having a conversation, is trying to figure out what their AI is doing.

And it's just this whole AI stuff going on in the background.

[01:16:18] Thomas Raef: Yeah, it gets pretty fascinating and that's why, like I said, you know what, at my age I'm still deeply entrenched in this because it's just so fascinating and I refuse to lose.

[01:16:31] Nathan Wrigley: Yeah. Yeah. Good for you. Yeah, we need more of you. That's great. So the very final piece, and I confess, this is where I dropped off in my capacity to understand. So that was how to fight back with AI. But then you've got this thing, which almost seems like the magic bullet. You've got this section called the Defender's Advantage: Mathematical Invariants.

And I'll just read it. Maybe the audience can immediately latch onto it, but then maybe you can explain it more. Here's the key insight that gives the defenders an edge. Hackers cannot change the fundamental mathematical properties of their code without breaking its functionality. No matter how much they obfuscate, certain signatures remain.

Is that a little bit like what you were saying there, where they've obfuscated it so that the construction of the word base64 was obfuscating it, so the word base64 never appeared anywhere, but it could be reconstructed, but at the end they still need to write the word base64 somewhere. So it doesn't matter what they do, they still need to resort to things which are inspectable. No matter how creative they become, like hiding them, they still need to do the thing which is predictable. Have I got that right?

[01:17:44] Thomas Raef: Yep.

[01:17:45] Nathan Wrigley: Okay, good. Oh,

[01:17:46] Thomas Raef: Yeah. Yeah. They can't, they can use ROT13, they can use base64. They can use a combination of everything. But it all comes down to, those are the basic obfuscation functions.

[01:18:02] Nathan Wrigley: Right, right. And so there is light at the end of the tunnel if those things are immutable and those truths have to be met at some point in whatever they're doing. So long as you can keep up with, long as your AI can keep talking with their AI and figure out what the heck's going on.

[01:18:20] Thomas Raef: Right.

[01:18:21] Nathan Wrigley: Oh, this is so fascinating, Thomas.

Okay. Just like finger in the air stuff, 2026, like how many orders of magnitude faster do you imagine this is gonna go? So I guess I'm asking you to stare back a year and see how much the AI stuff has developed. Has it been as remarkable as one might imagine, or has it been actually something that you've been able to cope with and keep up with?

[01:18:51] Thomas Raef: The egotist in me says that we've been able to keep up with it, but in a face-to-face shootout, yeah, I don't know. I think this next year, 2026, is going to really separate security companies, because more and more are fully adapting AI, but knowing how the hacker mind works, hackers know how AI could be used to defeat them.

Therefore, they have the upper hand there.

[01:19:41] Nathan Wrigley: Yeah, I guess the interesting, like easy to understand analogy is the hackers only need to get it right once in order to get in, and then they're in, and they can have a thousand, 10,000, a million failed attempts, but the cost of compute and the scale at which AI can increasingly do things, it's pennies.

Maybe. I don't know if that's true, but the cost of this sort of stuff seems to be coming down fairly rapidly and, like I say, sorry, they only need to get one success to have made the whole enterprise for that day worthwhile. Whereas you've got to find the 10,000 that they failed at, but also the one that they succeeded at. So yeah, it's like a weighted version of cat and mouse, and it seems like it's weighted in their favor. We need all these people to go and sit on the naughty step, Thomas, they need to just have a long, hard think about what they're doing.

[01:20:39] Thomas Raef: Yeah. Well, that's the thing, when we look at the number of IP addresses that we report to these VPS providers, we do that because we know it takes a seemingly large chunk of the hacker's inventory away from them.

Now they have fewer IP addresses to launch their attacks.

[01:21:02] Nathan Wrigley: Yeah.

[01:21:04] Thomas Raef: We'll never eliminate all of 'em because they just have too many resources. But yeah, it's a constant chipping away at what they can do and how they can do it.

And.

[01:21:18] Nathan Wrigley: Yeah. Well, I'm very glad that you are fighting the fight on our behalf. Is there any place where I could find a link to this report? 'Cause you've obviously spun it up as a PDF for me. Do you have this as a post anywhere?

[01:21:33] Thomas Raef: Yeah, I think it's on our website, even though our website is quite ugly. And I've got some other stuff I'm posting in the next couple of days, talking about our AI evolution here at We

[01:21:49] Nathan Wrigley: Yeah. In which case what I'll do is I will link to the We Watch Your Website blogroll or homepage and maybe a variety of different places. If I can find this one, I'll link to that as well. But what a fascinating body of work. Genuinely, it's a fascinating conversation. What kinda makes it more spicy is, like, it's got this adversarial nature to it.

We all go to the cinema to watch films where there's a baddie fighting a goodie. Nobody goes to the cinema to watch people talk about UI and UX, 'cause it doesn't have that level of excitement. And yet this does, it's absolutely fascinating. All humanity is here.

Thomas, thank you so much for chatting to me today and I wish you all the best in the year 2026. Let's hope your AI keeps up with their AI. Thank you.

[01:22:38] Thomas Raef: Yeah, hopefully. Thank you very much, Nathan.

[01:22:41] Nathan Wrigley: Okay. That's all we've got for you today. I'll fade in some cheesy music just in a moment, but just one more reminder. If you like what we're doing over here and you would like to help us out, wpbuilds.com/advertise, to find out about sponsorship options. You could get your company or service out in front of our WordPress specific audience. You could also send me an email [email protected].

Okay, that's it. I hope you enjoyed it. If you did, head to episode number 456 on the wpbuilds.com website, and once you're over there, why not leave us a comment. We would really appreciate that.

Alright, quick reminder that we're back on Monday for the This Week in WordPress Show, we do that live every week. wpbuilds.com/live, 2:00 PM UK time, and we'll have another podcast episode for you next Thursday. Okay, stay safe. Here comes some really dreadful cheesy music. Have a good week. Bye-bye for now.
