by Michael Mimoso
WordPress site administrators just cannot come up for air.
With a raft of WordPress vulnerabilities—most of them in plugins—to address, now comes word that a number of sites running the content management system have been compromised and are sending credentials via a backdoor to a criminal group.
Researchers at Zscaler on Thursday said that the backdoor code implanted on the sites awakens when a user inputs login credentials.
“The credentials are encoded and sent to an attacker website in the form of a GET request,” said researchers Sameer Patil and Deepen Desai.
Zscaler said it has identified one command and control domain, conyouse[.]com, where the credentials are being sent. The researchers also released a partial list of compromised WordPress sites:
“The form containing the username and password input box has a fixed name as ‘loginform’ in all WordPress sites,” the researchers said. “The preventDefault event method is used to cancel the submit event for ‘loginform’ entity and execute the alternate code which is present in this file. The login credential string is serialized and encoded in a Base64 format.”
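The behaviour described above (serialized login-form data, Base64-encoded, leaving the site as a GET query parameter) is something a defender can hunt for in outbound proxy logs. The following is an added example, not code from Zscaler or Threatpost: it walks log lines, tries to Base64-decode every query-string value sent to a host that is not the site itself, and flags values that decode to a form submission carrying the standard WordPress login field names `log` and `pwd`. The log line format (`client method url`), the site host list and the `c2-placeholder.invalid` host in the constructed sample are assumptions; findings record only field names, never the credential values.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl, unquote, urlencode, quote

# Field names of the standard WordPress 'loginform' (wp-login.php).
LOGIN_FIELDS = {"log", "pwd"}


def decode_base64_loose(value):
    """Best-effort Base64 decode of a query-string value.

    Accepts standard or URL-safe alphabets and missing padding. Returns the
    decoded text, or None if the value is not plausibly Base64 text.
    """
    s = unquote(value).strip().replace(" ", "+")  # '+' may have become a space in transit
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", s):
        return None
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore stripped padding
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def form_fields(decoded):
    """Field names of a serialized (application/x-www-form-urlencoded) form."""
    return {key for key, _ in parse_qsl(decoded, keep_blank_values=True)}


def looks_like_login_form(decoded):
    """True if the decoded text carries both WordPress login fields."""
    return LOGIN_FIELDS <= form_fields(decoded)


def find_credential_exfil(log_lines, site_hosts):
    """Flag GET requests to third-party hosts whose query carries an encoded login form.

    log_lines: iterable of 'client method url' strings (assumed log format).
    site_hosts: hostnames that are first-party for the WordPress site.
    """
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the assumed format
        client, method, url = parts
        if method != "GET":
            continue  # the described backdoor exfiltrates via GET
        u = urlsplit(url)
        if u.hostname in site_hosts:
            continue  # first-party traffic, e.g. the legitimate wp-login.php POST
        # Split the query by hand: parse_qsl would turn a raw '+' into a space.
        for pair in u.query.split("&"):
            key, _, value = pair.partition("=")
            decoded = decode_base64_loose(value)
            if decoded is None:
                continue
            fields = form_fields(decoded)
            if LOGIN_FIELDS <= fields:
                findings.append({
                    "client": client,
                    "host": u.hostname,
                    "param": key,
                    "fields": sorted(fields),  # names only, values deliberately not kept
                })
    return findings


def build_sample_log():
    """Constructed sample log lines (not real traffic) exercising the detector."""
    serialized = urlencode({
        "log": "admin",
        "pwd": "hunter2",
        "wp-submit": "Log In",
        "redirect_to": "https://example-blog.test/wp-admin/",
    })
    blob = base64.b64encode(serialized.encode()).decode()
    return [
        "10.0.0.5 GET https://example-blog.test/wp-login.php",
        "10.0.0.5 POST https://example-blog.test/wp-login.php",
        f"10.0.0.5 GET https://c2-placeholder.invalid/collect.php?data={quote(blob, safe='')}",
        "10.0.0.7 GET https://cdn.example.test/lib.js?v=MTIzNDU2",  # Base64 of '123456': benign
        "10.0.0.9 GET https://cdn.example.test/img.png?cb=not-base64!!",
    ]


if __name__ == "__main__":
    for hit in find_credential_exfil(build_sample_log(), {"example-blog.test"}):
        print(f"{hit['client']} -> {hit['host']} param={hit['param']} fields={hit['fields']}")
```

Run against real proxy or web-server logs, swap `build_sample_log()` for a file reader and put the site's own hostnames in `site_hosts`; a hit on a host you do not recognise is the cue to inspect the site's theme and plugin files for a script that cancels the `loginform` submit event.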
continue reading on threatpost