[wp-hackers] Viruses that look for open WordPress tabs in your browser?
markandrewslade at gmail.com
Fri Dec 11 14:15:11 UTC 2015
I am aware of a few ways this could have gone:
- Compromised browser -- the victim's browser was compromised and
malicious code is driving their browser to perform the attacks. The
browser automatically includes auth cookies and the attack succeeds.
- Compromised OS -- the victim's device was compromised through the OS
or some shady software they installed. At this point the virus doesn't
need to peek into the browser's memory space, it just needs to drive the
browser the way a regular user would -- simulating mouse clicks, etc. WP
trusts the browser so anything done by the browser will be trusted as
well. I'm not too familiar with this kind of attack so I'm not sure what
OSes have what protections against this kind of thing, but I wouldn't rule
- Compromised network -- the victim's auth cookie was intercepted and
the attacker just used that cookie from their own device to hijack the auth
session. For this to be the case, the attacker would've also needed to
spoof the victim's IP since that's what was in the logs. This is usually
harder to pull off, but if the attacker is on the same LAN as the victim
then it becomes a lot easier. If the victim connects to WordPress over
plaintext HTTP then this attack would be extremely easy to execute and it
could appear to come from the same IP as the victim.
On Fri, Dec 11, 2015 at 8:45 AM, Scott Herbert <
scott.a.herbert at googlemail.com> wrote:
> I think Zeus (whose source code was leaked online) did a similar
> thing with banking sites but that was on a PC. OSX (iirc) makes it
> much harder to snag the browser's memory space, nothing is impossible.
> On 11 December 2015 at 13:08, J.D. Grimes <jdg at codesymphony.co> wrote:
> > I'm not an expert, but I've never heard of anything like that before.
> > Isn't it possible that the connection was compromised and an attacker was
> > listening in on the user, then stole their session and spoofed the user
> > -J.D.
> >> On Dec 10, 2015, at 7:03 PM, David Anderson <david at wordshell.net>
> >> Has anyone come across the following before? Or is it potentially a new
> >> thing? (I've not read any such thing before).
> >> I'm examining a hacked WP site. The logs show that the site owner, the
> >> sole admin, was logged in, and working on it in wp-admin in a normal way,
> >> up until 02:52 on a certain day. Then absolutely nothing until 03:35. Then
> >> at 03:35, wham - a single GET followed by a load of POST requests to the
> >> plugin editor, one for each plugin, inserting hacker code. All from the
> >> admin's IP/browser (same user agent), and too close together to be human
> >> (i.e. obviously scripted). It's all the same IP and browser session, which
> >> is confirmed as the site owner's ISP.
> >> My inference from that is that the site owner, at 02:52, went to do
> >> other things, leaving the browser tab open. They got infected with a virus
> >> (or perhaps already were), and that virus hunted for open browser sessions
> >> logged-in to wp-admin, and used those sessions to infect the WP site.
> >> That's all technically do-able. But I've not previously heard of a
> >> virus (the customer has a Mac, and was using Safari), that does this. Is
> >> this a new thing?
> >> David
> >> --
> >> UpdraftPlus - best WordPress backups - http://updraftplus.com
> >> WordShell - WordPress fast from the CLI - http://wordshell.net
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> Scott Herbert
> Web: http://www.Scott-Herbert.com/
> Twitter: http://twitter.com/Scott_Herbert
> Linkedin: http://www.linkedin.com/in/scottaherbert
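An added example, not part of the thread: a small Python detector for the log pattern David describes (a long idle gap on the admin's IP/browser, then a single GET and a burst of plugin-editor POSTs too close together to be human). It assumes Apache "combined" log lines, a constructed sample log (IP 203.0.113.7, a made-up Safari user agent), and thresholds (30 min idle, 2 s between POSTs, 3 POSTs) that are my choices, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" log line: IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
EDITOR = "/wp-admin/plugin-editor.php"
def parse_line(line):
    m = LOG_RE.match(line)
    if not m:  # skip lines that are not in combined format
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("ua"), ts, m.group("method"), m.group("path")

def find_scripted_editor_bursts(lines, idle_seconds=1800, max_gap=2.0, min_posts=3):
    """Per (IP, user agent), flag runs of >= min_posts plugin-editor POSTs spaced
    <= max_gap s apart, and report how long that pair was idle before the burst."""
    sessions = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        sessions[rec[:2]].append(rec[2:])  # (timestamp, method, path)
    def editor_post(r):
        return r[1] == "POST" and r[2].startswith(EDITOR)
    def gap(reqs, n):  # seconds between request n-1 and request n
        return (reqs[n][0] - reqs[n - 1][0]).total_seconds()
    findings = []
    for (ip, ua), reqs in sessions.items():
        reqs.sort()
        i = 0
        while i < len(reqs):
            if editor_post(reqs[i]):
                j = i
                while j + 1 < len(reqs) and editor_post(reqs[j + 1]) and gap(reqs, j + 1) <= max_gap:
                    j += 1
                if j - i + 1 >= min_posts:
                    k = i  # walk back to the first request of the activity episode (gaps <= 60 s)
                    while k > 0 and gap(reqs, k) <= 60:
                        k -= 1
                    idle = gap(reqs, k) if k > 0 else None
                    findings.append({"ip": ip, "ua": ua, "start": reqs[i][0], "posts": j - i + 1,
                                     "idle_before": idle, "after_long_idle": bool(idle and idle >= idle_seconds)})
                i = j
            i += 1
    return findings

# Constructed sample: admin work until 02:52, silence until 03:35, then one GET and four plugin-editor POSTs 1 s apart.
SAMPLE = [f'203.0.113.7 - - [11/Dec/2015:{t} +0000] "{m} {p} HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/601.1"'
          for t, m, p in [("02:50:10", "GET", "/wp-admin/edit.php"), ("02:52:03", "POST", "/wp-admin/post.php"),
                          ("03:35:00", "GET", EDITOR + "?file=example-plugin/example-plugin.php")]
          + [("03:35:%02d" % s, "POST", EDITOR) for s in range(1, 5)]]
```

Running `find_scripted_editor_bursts(SAMPLE)` on the constructed log yields one finding: four POSTs from 203.0.113.7 after an idle gap of 2577 s, which is exactly the shape of activity worth alerting on or reviewing for a hijacked admin session.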