Labs Notes Monthly Recap

This month, our Malware Research and Incident Response teams wrote about several malware techniques that attempt to evade detection by focusing on small changes that website owners might miss. Examples include typos in domain names, unused top-level domains (i.e. .com, .solutions), and delayed banner ads.

Sucuri Labs provides website malware research updates directly from our teams on the front line. You can read past-monthly recaps to catch up on trends we look at every month.

WordPrssAPI Steals Your Cookies

Cesar Anjos

Cookies tell websites that your browser is trusted and let you stay logged into your website for a specific amount of time, or until you log out. We discovered an infected WordPress website that contained a piece of obfuscated JavaScript code that sends a browser cookie data to a fake WordPress domain.

By using a typo – wordprssapi[.]com – the attackers can evade detection by webmasters. This cookie-stealing backdoor allows attackers to hijack active login sessions for WordPress users – including administrators – as if they were still logged into the WordPress dashboard.

Titles, Imprints and Marks Left by Attackers

Jose Martinez

Some hackers like to leave their mark on websites. We see this most often with defacements that replace the homepage with some kind of message, often related to a political or hacktivist agenda. Due to the relative ease of a defacement, they are also common among beginner hackers – often called script kiddies.

This post shows a few examples of the thousands of variations on the theme of SEO defacements. These aim to change website title tags in order to prove elite status among other hacker groups or spread messages related to their particular cause.

WebSockets, Viagra and Fake CloudFlare CDN

Fernando Barbosa

Top-level domains (TLDs) are a new way hackers exploit vulnerable, unknowing webmasters. We found an infection that injects scripts hosted on an external website pretending to be a CloudFlare domain – cloudflare[.]solutions – including fake CloudFlare website content.

The WHOIS information shows it was purchased a few months ago by a Russian company. The external scripts loaded from this website cause a 15-second delay before rotating through banner ads and don’t show them again to anyone who has clicked the ad itself, or the [x] to close it.

Labs Notes Monthly Recap – Apr/2017

About Estevao Avillez

About Estevao Avillez

Reader Interactions