Malware Uses Fake WordPress API Domain to Steal Sensitive Cookies

17May - by Dawood Khan - 0 - In News

Security researchers from Sucuri have found hacked WordPress sites that were altered to secretly siphon off cookies for user and admin accounts to a rogue domain imitating the WordPress API.

Secret Tool to Track Whistleblowers and Spies Used By CIA Leaked Wikileaks has just published a new batch of the Vault 7 leak, exposing the documentation and source code for a CIA project known as "Scribbles."Scribbles, a.k.a. the "Snowden Stopper," is a piece of software allegedly designed to embed 'web beacon' tags into confidential docu...

The attacker was sending stolen cookies to code.wordprssapi[.]com, a domain that was imitating a non-existent WordPress service.

Sucuri's Cesar Anjos says he found this malware during an incident response, hidden at the bottom of legitimate JavaScript files.

JavaScript malware designed to steal cookies

The malware's purpose was to steal cookies and send it to the official-looking domain whenever a user accessed the site and loaded the JavaScript code.

The target of this malware seems to be administrator accounts, and not regular users, who usually don't have accounts on the site, and their cookies are typically barren of any useful data.

On the other hand, the cookie files for site administrators contain data that can be used to mimic the admin without needing to know the site password. This type of attack, named session hijacking, would allow the attacker to access the site's backend, where he can then create a new admin user for himself.

DEA Spending $575,000 of Your Tax Money on Zero-Day Exploits The Drug Enforcement Agency (DEA) has been purchasing spyware from the Milan-based Hacking Team and its US subsidiary Cicom USA since 2012. Public records reveal invoices between Cicom USA and the DEA that have ranged between $22,000 to $575,000 from 2012 to 2015. Hacking Team...

Sucuri experts did not say how this code was loaded on the hacked site, but the WordPress CMS ecosystem is known to be quite insecure, thanks to a plethora of outdated themes and plugins. WordPress users that use old themes and plugins unwittingly expose their site to all sorts of vulnerabilities that can allow hackers to take control of their site, or as in this case, gain an initial foothold to carry out more complex attacks.

While the WordPress team cannot force theme and plugin developers to keep their code up-to-date at all times, they do show warnings on the WordPress Plugins repo whenever users are trying to install outdated plugins.

WordPress launches bug bounty program

Furthermore, yesterday, the WordPress team launched an official bug bounty program on the HackerOne platform.

The bug bounty program is now open to everyone, after the WordPress team ran it in private for a few months, during which time they awarded rewards of $3,700 to bug reporters.

The program covers all official projects such as WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI, as well as all official sites including,,,, and

Leave a Reply

Your email address will not be published. Required fields are marked *