Fake WordPress site releasing backdoored code

Don’t mistype “wordpress.org” because you could end up downloading compromised code. Some hackers have set up www.wordpresz.org. The code sends cookie contents to a hacked program hosted on wordpresz.org and could expose passwords and other identifying information.

UPDATE – Looks dead now.

The backdoored pluggable.php file attempts to send the stolen data to wordpresz.org/tuk.php which is still accepting cookies if the requests are properly formatted. The spoof is a nearly perfect combination of social engineering, typosquatting and the natural EstDomains connection as the domain registrar, nearly perfect in the sense that they couldn’t duplicate the whole WordPress.org potentially raising suspicion at the end user’s end.

The site is on the same IP address as a fake pharmacy site, proving that scammers always ring twice.