[wp-hackers] Viruses that look for open WordPress tabs in your browser?

Mark Slade markandrewslade at gmail.com
Fri Dec 11 14:15:11 UTC 2015


I am aware of a few ways this could have gone:

   - Compromised browser -- the victim's browser was compromised and
   malicious code is driving their browser to perform the attacks.  The
   browser automatically includes auth cookies and the attack succeeds.
   - Compromised OS -- the victim's device was compromised through the OS
   or some shady software they installed.  At this point the virus doesn't
   need to peek into the browser's memory space, it just needs to drive the
   browser the way a regular user would -- simulating mouse clicks, etc.  WP
   trusts the browser so anything done by the browser will be trusted as
   well.  I'm not too familiar with this kind of attack so I'm not sure what
   OSes have what protections against this kind of thing, but I wouldn't rule
   it out.
   - Compromised network -- the victim's auth cookie was intercepted and
   the attacker just used that cookie from their own device to hijack the auth
   session.  For this to be the case, the attacker would've also needed to
   spoof the victim's IP since that's what was in the logs.  This is usually
   harder to pull off, but if the attacker is on the same LAN as the victim
   then it becomes a lot easier.  If the victim connects to WordPress over
   plaintext HTTP then this attack would be extremely easy to execute and it
   could appear to come from the same IP as the victim.

Mark

On Fri, Dec 11, 2015 at 8:45 AM, Scott Herbert <
scott.a.herbert at googlemail.com> wrote:

> I think Zeus (whose source code was leaked online) did a similar
> thing with banking sites but that was on a PC. OSX (iirc) makes it
> much harder to snag the browser's memory space, nothing is impossible.
>
> On 11 December 2015 at 13:08, J.D. Grimes <jdg at codesymphony.co> wrote:
> > I'm not an expert, but I've never heard of anything like that before.
> Isn't it possible that the connection was compromised and an attacker was
> listening in on the user, then stole their session and spoofed the user
> agent?
> >
> > -J.D.
> >
> >> On Dec 10, 2015, at 7:03 PM, David Anderson <david at wordshell.net>
> wrote:
> >>
> >> Has anyone come across the following before? Or is it potentially a new
> thing? (I've not read any such thing before).
> >>
> >> I'm examining a hacked WP site. The logs show that the site owner, the
> sole admin, was logged in, and working on it in wp-admin in a normal way,
> up until 02:52 on a certain day. Then absolutely nothing until 03:35. Then
> at 03:35, wham - a single GET followed by a load of POST requests to the
> plugin editor, one for each plugin, inserting hacker code. All from the
> admin's IP/browser (same user agent), and too close together to be human
> (i.e. obviously scripted). It's all the same IP and browser session, which
> is confirmed as the site owner's ISP.
> >>
> >> My inference from that is that the site owner, at 02:52, went to do
> other things, leaving the browser tab open. They got infected with a virus
> (or perhaps already were), and that virus hunted for open browser sessions
> logged-in to wp-admin, and used those sessions to infect the WP site.
> >>
> >> That's all technically do-able. But I've not previously heard of a
> virus (the customer has a Mac, and was using Safari), that does this. Is
> this a new thing?
> >>
> >> David
> >>
> >> --
> >> UpdraftPlus - best WordPress backups - http://updraftplus.com
> >> WordShell - WordPress fast from the CLI - http://wordshell.net
> >>
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
>
>
> --
> Scott Herbert
> Web:  http://www.Scott-Herbert.com/
> Twitter: http://twitter.com/Scott_Herbert
> Linkedin: http://www.linkedin.com/in/scottaherbert
>
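The server-side signature David describes (an idle gap, then one GET followed by a run of POSTs to the plugin editor, all from the admin's own IP and user agent, too fast to be human) can be picked out of an ordinary web server access log. The script below is an added example written for this thread, not code from anyone on the list or from WordPress itself: it parses combined-format log lines, groups requests by (IP, user agent), and reports bursts of plugin/theme-editor POSTs together with how long that client had been idle beforehand. The log lines, IP addresses and user agent string are constructed; the thresholds (3 POSTs within 10 seconds, 30 minutes idle) are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Apache/nginx "combined" format, modelled on the
# pattern described in the thread: normal admin activity, a long idle gap,
# then a burst of POSTs to the plugin editor from the same IP and user agent.
# These lines are made up for this example; they are not from the hacked site.
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.3.9"
UA_OTHER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [10/Dec/2015:02:50:12 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 5120 "-" "{UA_MAC}"',
    f'203.0.113.10 - - [10/Dec/2015:02:52:07 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "{UA_MAC}"',
    f'203.0.113.10 - - [10/Dec/2015:03:35:01 +0000] "GET /wp-admin/plugin-editor.php HTTP/1.1" 200 8410 "-" "{UA_MAC}"',
    f'203.0.113.10 - - [10/Dec/2015:03:35:02 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "{UA_MAC}"',
    f'203.0.113.10 - - [10/Dec/2015:03:35:02 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "{UA_MAC}"',
    f'203.0.113.10 - - [10/Dec/2015:03:35:03 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "{UA_MAC}"',
    f'203.0.113.10 - - [10/Dec/2015:03:35:04 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "{UA_MAC}"',
    # A single editor POST from a different client: a normal manual edit, not a burst.
    f'198.51.100.7 - - [10/Dec/2015:03:40:00 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "{UA_OTHER}"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# WordPress's built-in file editors; a POST here rewrites plugin or theme PHP.
EDITOR_PATHS = {"/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_editor_bursts(log_text, min_posts=3, window_s=10, idle_s=1800):
    """Return one finding per (ip, user agent) burst of at least min_posts
    editor POSTs inside window_s seconds.  prior_idle_s is the gap back to
    the client's last request before the burst, ignoring the burst's own
    lead-in (anything within window_s of the first POST, such as the GET
    that loads the editor page)."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_client[(rec["ip"], rec["ua"])].append(rec)

    findings = []
    for (ip, ua), recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        edits = [r for r in recs
                 if r["method"] == "POST" and r["path"].split("?")[0] in EDITOR_PATHS]
        i = 0
        while i < len(edits):
            # Extend the burst while the next POST is still inside the window
            # measured from the burst's first POST.
            j = i
            while (j + 1 < len(edits)
                   and (edits[j + 1]["ts"] - edits[i]["ts"]).total_seconds() <= window_s):
                j += 1
            count = j - i + 1
            if count >= min_posts:
                first = edits[i]["ts"]
                earlier = [r["ts"] for r in recs
                           if (first - r["ts"]).total_seconds() > window_s]
                idle = (first - max(earlier)).total_seconds() if earlier else None
                findings.append({
                    "ip": ip, "ua": ua, "count": count,
                    "first": first.isoformat(), "last": edits[j]["ts"].isoformat(),
                    "span_s": (edits[j]["ts"] - first).total_seconds(),
                    "prior_idle_s": idle,
                    "idle_then_burst": idle is not None and idle >= idle_s,
                })
            i = j + 1
    return findings


if __name__ == "__main__":
    for finding in find_editor_bursts(SAMPLE_LOG):
        print(finding)
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents. Note that the script cannot tell Mark's three scenarios apart: a browser driven by malware, an OS-level bot clicking through the UI, and a replayed cookie from a spoofed address all arrive at the server as the legitimate session and are only distinguishable by timing and intent. Two wp-config.php settings shrink the blast radius regardless of which one it was: `define('DISALLOW_FILE_EDIT', true);` removes the plugin and theme editors entirely, so a hijacked session has no code-editing endpoint to POST to, and `define('FORCE_SSL_ADMIN', true);` takes the plaintext-HTTP cookie interception case off the table.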

