Researchers at Zscaler on Thursday said that the backdoor code implanted on the sites awakens when a user inputs login credentials
“The credentials are encoded and sent to an attacker website in the form of a GET request,” said researchers Sameer Patil and Deepen Desai.
Zscaler said it has identified one command and control domain, conyouse[.]com where the credentials are being sent. The researchers also released a partial list of compromised WordPress sites:
“The form containing the username and password input box has a fixed name as ‘loginform‘ in all WordPress sites,” the researchers said. “The preventDefault event method is used to cancel the submit event for “loginform“ entity and execute the alternate code which is present in this file. The login credential string is serialized and encoded in a Base64 format.”
Zscaler said it has not been able to determine the initial attack vector in this campaign.
“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,” the report said.
That message has extra meaning this week, which is slowly becoming a typical week for WordPress sites. Vulnerabilities were discovered and patched in two ecommerce plugins, eShop and TheCartPress, that put data sent through the two programs at risk.
EShop is a shopping cart plugin that has been downloaded 600,000 times, but has not been updated in two years. Researchers at High Tech Bridge discovered a validation vulnerability in the plugin’s HTTP cookie, putting user-supplied input in jeopardy.
TheCartPress, meanwhile, providers merchants with a shopping cart, catalog, and other ecommerce functionality. It suffered from a cross-site scripting vulnerability that put personal information at risk.
Another XSS issue was also found in Genericons, an icon package used by the Jetpack plugin and TwentyFifteen WordPress theme.
These issues surfaced less than two weeks after a zero-day vulnerability was disclosed and subsequently patched in the WordPress core engine, a rarity for WordPress security issues.