Fake WordPress site distributing backdoored release

Fake WordPress site distributing backdoored release

Summary: Can you find five differences between these two sites? Wordpresz.

TOPICS: Security

Wordprezs FakeCan you find five differences between these two sites? Wordpresz.org may indeed look like WordPress.org, but the 2.6.4 release it's distributing is on purposely backdoored in order to steal the content of cookies from those who have installed it, potentially leading to to hijacking of their WordPress blogging platforms for malicious purposes. Not only is the fake domain registered several days ago, but also, it's sharing IP ( with a fake online pharmacy - livepills.com.

A brief summary by Sophos of Craig Murphy's alert issued on Monday :

"Craig talks about how when he logged in to his admin account in WordPress he received a “High Risk Vulnerability Warning” from a spoofed WordPress domain. (The last ’s’ in WordPress.org has been replaced by a ‘z’.) The Warning suggests upgrading to the ‘new’ version 2.6.4 of WordPress. Downloading this ‘new’ version of WordPress I found that of the 638 files in version 2.6.4, 637 were identical to the same files in the official 2.6.3. The only difference was in the file pluggable.php. The hacked version of the file pluggable appears to be stealing the content of cookies on larger installations of WordPress. Sophos are now detecting this file as Troj/WPHack-A."

Wordprezs FakeThe backdoored pluggable.php file attempts to send the stolen data to wordpresz.org/tuk.php which is still accepting cookies if the requests are properly formatted. The spoof is a nearly perfect combination of social engineering, typosquatting and the natural EstDomains connection as the domain registrar, nearly perfect in the sense that they couldn't duplicate the whole WordPress.org potentially raising suspicion at the end user's end.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • license?

    I assume this is legal under the GPL as long as they distribute their source?
    Larry Seltzer
    • nope, not legal

      It's legal for them to modify and distribute the code, sure, but making use of WordPress' registered trademark is definitely not legal.
  • RE: Fake WordPress site distributing backdoored release

    "I am a physician. When I was in active practice I was making an excellent income.
    I never had to worry about the cost of my medications.
    Once I retired my income dropped and I also had to buy all of my ever increasing list of medications.
    As the cost of medications was a substantial part of my family?s budget, I started searching for Online certified
    pharmacies that have lower prices. After investigating numerous pharmacies in the USA, Canada, Mexico and Europe:
    Universal Drug Store emerged as the undisputed champion. When I started dealing with UDS I found that ordering
    medication was simple and it is easy to get real people to answer your questions and they are knowledgeable and courteous.
    The medications I receive from UDS are in exactly the same factory packages as what I used to buy at my local pharmacy."
    NO PRESCRIPTION REQUIRED.100% Privacy, 100% Guarantee.
    KLIK HERE:http://krser.com
  • RE: Fake WordPress site distributing backdoored release

    Well done! Thank you very much for professional templates and community edition
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>