Thousands of WordPress websites hacked via plugin looking to steal user data
Date:
Tue, 22 Oct 2024 18:20:00 +0000
Description:
Plugins are displaying fake popups, scaring WordPress users into downloading malware.
FULL STORY ======================================================================
A new variant of the infamous ClearFake (AKA ClickFix) malware has been detected in the wild, and has already managed to compromise thousands of WordPress websites.
Researchers from GoDaddy claim to have spotted a variant of this campaign, which installs malicious plugins to sites on the website builder . The threat actors would use the credentials stolen elsewhere (or bought on the black market) to log into the websites WordPress admin account, and install a seemingly benign plugin.
The victims are then enticed to download an update, which is just a piece of malware that steals sensitive data, or does something else but equally sinister. Thousands of compromised websites
In turn, the plugin displays the various popups, requesting the victims do different actions (all of which lead to the installation of infostealers).
The entire process is automated, GoDaddy is saying, and so far more than
6,000 WordPress websites have fallen prey.
"These seemingly legitimate plugins are designed to appear harmless to
website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users, the researchers are saying. The plugins are seemingly legitimate as they carry household names in the WordPress world, such as Wordfense Security, or LiteSpeed Cache.
Here is the full list of the plugins spotted so far:
LiteSpeed Cache Classic
MonsterInsights Classic
Wordfence Security Classic
Search Rank Enhancer
SEO Booster Pro
Google SEO Enhancer
Rank Booster Pro
Admin Bar Customizer
Advanced User Manager
Advanced Widget Manage
Content Blocker
Universal Popup Plugin
ClearFake is a type of malware attack weve all seen in the past - a website
is compromised and used to display a fake popup notification. This notification usually mimics an antivirus warning, or a browser notification, and informs the user that their computer is either infected with a virus, or outdated and therefore unable to display the desired website.
Via BleepingComputer More from TechRadar Pro Thousands of Zimbra servers attacked following email account compromise Here's a list of the best firewalls today These are the best endpoint protection tools right now
======================================================================
Link to news story:
https://www.techradar.com/pro/security/thousands-of-wordpress-websites-hacked- via-plugin-that-looks-to-steal-user-data
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)
