
Keylogger Found On Nearly 5,500 WordPress Sites (bleepingcomputer.com)

An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.
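A defender-side check for the script inclusion described in the summary above, as an added example that is not part of the original story or comments: it lists the external hosts a page loads scripts from and flags any that are not on an allowlist, marking hosts that borrow a known brand name without belonging to that brand's domain. The allowlist, the brand table, the sample HTML and the script path in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the script hosts this (hypothetical) site is expected to use.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}
# Brand token -> the domain that brand really owns.
BRAND_TOKENS = {"cloudflare": "cloudflare.com", "google": "google.com"}

# Constructed sample page; "/placeholder.js" is not a path from the story.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/example/1.0/example.min.js"></script>
<script src="//cloudflare.solutions/placeholder.js"></script>
<script src="https://stats.example-analytics.test/t.js"></script>
</head></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collects the host of every <script src=...> that points off-site."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # Relative URLs have no hostname (same origin) and are skipped;
            # protocol-relative "//host/..." URLs are parsed correctly.
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.hosts.append(host.lower())


def audit_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (host, reason) for each external script host not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for host in collector.hosts:
        if host in allowed:
            continue
        reason = "not on allowlist"
        for token, real in BRAND_TOKENS.items():
            # Brand name present, but host is neither the real domain nor under it.
            if token in host and host != real and not host.endswith("." + real):
                reason = f"lookalike of {real}"
        findings.append((host, reason))
    return findings


if __name__ == "__main__":
    for host, reason in audit_scripts(SAMPLE_HTML):
        print(f"{host}: {reason}")
```

Run it over rendered frontend and admin pages alike, since the summary notes the script is included on both.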
  • Noxious flatulent gas clouds are flammable and prone to flare up. Avoid that risk by banning cloudflare from your world.

  • They don't say if it's WordPress itself or in a popular plug-in.

    • by Anonymous Coward

      The websites involved are irrelevant. The software they're running is irrelevant.

      The real problem here is JavaScript, and more specifically, how JavaScript has pretty much no legitimate uses but a huge number of illegitimate, unwanted uses.

      JavaScript adds nothing beneficial to the web. Some people will claim that JavaScript + AJAX can allow for a better user experience, but that's nonsense.

      Just look at a site like Slashdot. The more that JavaScript has been used here, the worse the user experience has gotte

  • by bluefoxlucid ( 723572 ) on Thursday December 07, 2017 @11:19AM (#55695099) Homepage Journal

    We need to switch to cryptographic authentication. FIDO U2F makes a lot of this moot.

    With some software put in place at the CRAs, they could use FIDO devices to prevent opening new accounts. If you go into a bank with ID (Driver's ID, passport) and a FIDO device, the bank has done the best identification of you it can. Plug the key into a USB port in a computer, have the bank authorize trust establishment, and you generate 3 new key pairs--one for each CRA. The CRAs get the public key; the private key stays on your FIDO device. If it gets lost or stolen, call your bank, voice-verify, and they can cancel the trusts: your credit cards still work, but you can't open any new credit accounts until you physically enter a bank.

    Credit cards? Your computer should have an EVM reader. Google accepts FIDO U2F authentication; Google Wallet (or Verified by Visa) could readily authenticate you before accepting a transaction, providing EVM--cryptographic credit card transacting.

    Social Security? Walk into a DMV, Social Security building, or other Government building. They all federate trust. Generate a pile of new keys for all the Government service providers.

    The weakest link is really any Internet provider to whom you authenticate, since you'll need a method of recovery. Anyone handling credit card transactions should use the CRAs as a secondary: if you can authorize a credit check, you're probably you.

    You can lose personally identifiable information, but you can't lose authentication--not for any broad window, and not over the Internet.
