WordPress users, beware! A fake WordPress site is distributing a backdoored version of WordPress that can steal credentials without the knowledge of the users who install it on their blogs. The fake site looks and sounds similar to the official one, and the bogus 2.6.4 version it distributes contains one altered file, which Sophos reports as a Trojan.
Alert: Fake WordPress Site!
The issue came to light when blogger Craig Murphy reported that, after logging into his WordPress dashboard, he received a “High risk vulnerability for WordPress users” warning originating from the fake WordPress.org site. The screenshot of his dashboard shows that the warning prompts users to update WordPress to version 2.6.4, which has not been released. The update link points directly to a page on the fake site.
The fake WordPress site is Wordpresz.org (currently down), which looks similar to the real domain because the last ‘s’ in WordPress.org has been replaced by a ‘z’. After a file-by-file comparison by the experts at Sophos, it turned out that of the 638 files in the fake 2.6.4 version of WordPress, 637 were identical to the official 2.6.3 release. The only difference was the pluggable.php file, which attempts to send the stolen data to wordpresz.org/tuk.php. Sophos now detects this file as Troj/WPHack-A, a Trojan that sends information back to a remote website.
So, how can this happen? Peter Westwood of WordPress, responding to a request from The Register, said that it is an exploit of old and vulnerable WordPress code. He said:
It looks like sites which have not upgraded to 2.6.3 are being exploited in an interesting way whereby a hacker, probably using an automated script, is hacking into sites with the vulnerability and changing the settings of one of the dashboard modules to point to a different feed thereby encouraging people to go to a different site which is offering a dodgy upgrade.
It is definitely an issue of vulnerable files in old versions of WordPress. Looking at the screenshot provided by Craig, my guess is that it is somehow related to the Snoopy vulnerability: in Craig’s blog the warning appeared in the area of the WordPress dashboard where feeds are shown, and the vulnerability in Snoopy can be exploited to inject arbitrary shell commands via a script calling the “fetch()” or “submit()” function with a URL controlled by the attacker.
So, what lesson can we take from this? And how can we avoid this kind of attack by fraudsters? The simple solution is to download and use WordPress installations and plugins only from the official WordPress site. Then we must update our installation as soon as a security release is announced by the official site. One more thing! Always keep your eyes and ears open. Check the link in your status bar before you click!
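The Sophos comparison above (637 of 638 files identical, only pluggable.php changed) and the advice to install only from the official site both come down to the same check: compare what you downloaded against a known-good copy, file by file, and look closely at anything that differs. The script below is an added example written for this post, not code from Sophos or the WordPress project. It hashes every file in two directory trees, reports identical, modified, added and missing files, and then lists any external hostnames referenced by the modified files, since a legitimate core file has no business pointing at an unfamiliar domain. The two trees it compares are constructed inline (three stand-in files, with the candidate's pluggable.php carrying one extra line that mentions wordpresz.org/tuk.php); in real use you would point it at an unpacked official release and the download you are suspicious of.

```python
"""Compare a downloaded WordPress tree against a known-good release, file by file."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hostnames of http(s) URLs; used only to triage files that differ from the reference.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(reference: Path, candidate: Path) -> dict:
    """Classify every path as identical, modified, only in candidate, or missing from it."""
    ref = tree_digests(reference)
    cand = tree_digests(candidate)
    return {
        "identical": sorted(k for k in ref if k in cand and ref[k] == cand[k]),
        "modified": sorted(k for k in ref if k in cand and ref[k] != cand[k]),
        "only_in_candidate": sorted(k for k in cand if k not in ref),
        "missing_from_candidate": sorted(k for k in ref if k not in cand),
    }


def external_hosts(path: Path) -> set:
    """Hostnames of any http(s) URLs found in a text file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return set(HOST_RE.findall(text))


def demo() -> tuple:
    """Build two constructed trees, compare them, and return (report, hosts per modified file)."""
    tmp = Path(tempfile.mkdtemp())
    reference, candidate = tmp / "wordpress-2.6.3", tmp / "download"
    # Constructed stand-ins; the real files are of course far larger.
    files = {
        "index.php": "<?php require './wp-blog-header.php'; ?>\n",
        "wp-login.php": "<?php // constructed stand-in for the login script ?>\n",
        "wp-includes/pluggable.php": "<?php // constructed stand-in for pluggable.php ?>\n",
    }
    for root in (reference, candidate):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
    # The candidate's pluggable.php carries one extra line that references a foreign host.
    tampered = candidate / "wp-includes" / "pluggable.php"
    tampered.write_text(
        files["wp-includes/pluggable.php"]
        + "<?php // constructed extra line referencing http://wordpresz.org/tuk.php ?>\n",
        encoding="utf-8",
    )
    report = compare_trees(reference, candidate)
    hosts = {rel: sorted(external_hosts(candidate / rel)) for rel in report["modified"]}
    return report, hosts


if __name__ == "__main__":
    report, hosts = demo()
    for key, names in report.items():
        print(f"{key}: {len(names)} {names}")
    for rel, found in hosts.items():
        print(f"{rel} references hosts: {', '.join(found) or '(none)'}")
```

Run against real trees, `compare_trees(Path("wordpress-official"), Path("wordpress-download"))` gives the same four lists; anything in "modified" or "only_in_candidate" deserves a diff before the download goes anywhere near a server. The hostname scan is a triage aid, not a verdict: a legitimate file may mention wordpress.org, while a backdoor can hide its destination in an encoded string that this regex will not catch.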

Wow.. that is seriously scary. Thanks for posting as I hadn’t heard anything about it until now!
Thanks for the warning. I have stumbled it. I hope many WP bloggers will see the warning before they are hoodwinked by these malicious fellows.
Glad that I am on 2.6.3 now…
Thank you for the heads up. Without your post I am sure a lot of people may have fallen for this.
Thanks all for leaving your comments here. I hope that you will never face any problem from the fake site. @Clement, thanks for the stumble.
Happy Blogging!
woow! Thanks for the warning
Thanks for the information..
[...] you haven’t noticed, WordPress upgraded to 2.6.5 skipping 2.6.4 to avoid confusion of the fake WordPress 2.6.4. The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects [...]
Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad English, I’ve just started to learn this language
See you!
Your, Raiul Baztepo