Unusual Wordpress attack steals login credentials

Wordpress, the Internet's favorite content management system, is a common target for criminals who redirect innocent users to malware download sites.

But a new type of malware steals user login credentials instead, while leaving the rest of the user experience unchanged.

"It's an interesting attack -- we haven't seen this before," said Michael Sutton, VP of Security Research at San Jose-based cloud security vendor Zscaler, Inc., which recently issued a report about the malware.

"Wordpress tends to be a very common target for attacks," he said. "It's broadly used, but tends to be pretty insecure and not well maintained. Typically, they inject some code to redirect the browser to download malware on the machine to participate in some botnet."

The open source Wordpress software currently accounts for two-thirds of the content management system marketplace, according to W3Techs, and powers a quarter of all websites.

In this new attack, Wordpress pages are still serving up unwanted Javascript, but instead of redirecting users to a different site, it steals their credentials as they try to log in.

"That's a harder thing to detect," he said.

Sites that attempt to download malware are trying to install something on a user's machine.

"But if my credentials are compromised, I would have no knowledge of that," Sutton said.

So far, Zscaler has identified 18 compromised websites, each of which sends credentials to the same destination domain -- "conyouse.com."

If that domain name changes, Sutton said, Zscaler can still protect its customers by looking for particular code, variables, and behaviors.

Zscaler has published the request headers and the obfuscated Javascript code, as well as the list of known infected sites.

Until other security vendors start monitoring for this behavior as well, there isn't much that users can do to protect their login information from being stolen -- but they can minimize the potential damage.

"Do not ever use the same credentials in two different sites," Sutton said. "Now that there are some great password management tools out there, it's very easy to have a different very hard-to-guess password on every single site that you use."

He suggested that the reason the cybercriminals were stealing login credentials wasn't so much to be able to break into those particular user accounts on those individual sites, but to try to reuse the same credentials elsewhere, such as email or social networking sites.

"And because people commonly reuse credentials, they might have success there," he said.

Meanwhile, organizations running Wordpress sites can check the code of their websites to see if credential theft is taking place.

He also urged Website administrators to keep all their plugins, themes, and Wordpress installs patched and up-to-date.

He said that Zscaler only sees the visible Web pages, and has no access to the internal workings of the site, so he does not know how the malware got into the sites in the first place.

"There's no shortage of vulnerabilities," he said.

But they were able to see that all the infected sites were running either Wordpress 4.1.5 or Wordpress 4.2.2. The latter is the latest version of the software.

Tags cybercrimemalwarelegaljavascriptzscalerWordpress

Show Comments