
Cookie monster: Researchers detect malware that steals cookies, hijacks WordPress sessions

Sucuri researchers recently observed a malware attack that injected obfuscated code into a JavaScript file in order to steal web users' cookies and hijack their WordPress sessions.

According to a Sucuri blog post published on Tuesday, the malicious script – discovered during an incident response investigation – included the fake, malicious domain "code.wordprssapi[.]com", where users' cookie data was sent. (Note the missing "e" in "wordprssapi".) Hackers used a typosquatting strategy to create a domain that looked very similar to that of a real, legitimate web service in order to go unnoticed by webmasters. (As it so happens, the properly spelled "code.wordpressapi[.]com" has nothing to do with WordPress either, Sucuri notes.)

Regardless of the legitimacy of the domain referenced in the script, the act of sending cookies to another domain is "always a red flag," Sucuri noted, because "Cookies contain a wealth of private information that should not be shared."
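
As an added illustration (not code from Sucuri or from the original article), the Python check below runs over a script whose obfuscation has already been decoded. It lists every host the script references outside the site's own allow-list, records whether the script reads `document.cookie`, and flags host labels that are one edit away from a watched brand word. The function names, the allow-list, the brand list and the sample snippet are assumptions made for the example.

```python
import re

HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)
COOKIE_RE = re.compile(r"document\s*\.\s*cookie")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host, brands, max_dist=1):
    """Return the brand word that some host label almost, but not exactly, contains."""
    for label in host.lower().split("."):
        for brand in brands:
            if brand in label:
                continue  # exact spelling is not a typo (it may still be unrelated)
            for n in (len(brand) - 1, len(brand), len(brand) + 1):
                for i in range(len(label) - n + 1):
                    if edit_distance(label[i:i + n], brand) <= max_dist:
                        return brand
    return None

def scan_script(js, site_hosts, brands=("wordpress",)):
    """List hosts a script references that are not on the site's own allow-list."""
    allowed = {h.lower() for h in site_hosts}
    reads_cookie = bool(COOKIE_RE.search(js))
    return [
        {"host": host, "cookie_access": reads_cookie, "lookalike_of": lookalike(host, brands)}
        for host in sorted({h.lower() for h in HOST_RE.findall(js)})
        if host not in allowed
    ]

# Constructed sample: only the host name comes from the article (kept defanged in
# the source and re-fanged at runtime). The rest is made up, and the request that
# would carry the cookie value is deliberately left out.
SAMPLE_JS = (
    'var lib = "https://example.org/wp-includes/js/jquery.js";'
    ' var u = "https://code.wordprssapi[.]com/";'
    ' var c = document.cookie; /* request to u carrying c omitted */'
).replace("[.]", ".")

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_JS, ["example.org"]):
        print(finding)
```

A correctly spelled but unrelated host is still reported because it is not on the allow-list; it simply carries no `lookalike_of` value.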

Bradley Barth
