Malware Uses Fake WordPress API Domain to Steal Sensitive Cookies

Security researchers have found WordPress sites that were altered to secretly direct cookies for user and admin accounts to a rogue domain imitating the WordPress API.

Threat ID:: CC-1429
Category:: Browser-hijack
Threat Severity:: Low
Threat Vector:
Published:: 24 May 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Security researchers have found WordPress sites that were altered to secretly direct cookies for user and admin accounts to a rogue domain imitating the WordPress API.

Threat details

The attacker was sending stolen cookies to code.wordprssapi[.]com, a domain that was imitating a non-existent WordPress service.

The malware's purpose was to steal cookies and send it to the official-looking domain whenever a user accessed the site and loaded the JavaScript code. The cookie files for site administrators contain data that can be used to mimic the admin without needing to know the site password. This type of attack, named session hijacking, would allow the attacker to access the site's backend, make configuration changes such as creating a new admin account.

WordPress users that use old themes and plugins unwittingly expose their site to all sorts of vulnerabilities that can allow hackers to take control of their site.

While the WordPress team cannot force theme and plugin developers to keep their code up-to-date at all times, they do show warnings on the WordPress Plugins repo whenever users are trying to install outdated plugins.

Remediation steps

Type	Step
	Ensure WordPress sites are updated to the latest version and plugins, strong passwords are applied and plugins are kept to a minimum. Only use plugins from recognised and well maintained sources. Take regular backups of your WordPress site and database. If you suspect your WordPress site has been compromised change the password for all admin accounts and restore your site from a unaffected backup.

Type

Step

Ensure WordPress sites are updated to the latest version and plugins, strong passwords are applied and plugins are kept to a minimum. Only use plugins from recognised and well maintained sources. Take regular backups of your WordPress site and database.

If you suspect your WordPress site has been compromised change the password for all admin accounts and restore your site from a unaffected backup.

Last edited: 17 February 2020 11:34 am