
Over 6,000 WordPress Hacked To Install Plugins Pushing Infostealers (bleepingcomputer.com)

WordPress sites are being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports: Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
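The access-log pattern described above (an admin login followed at machine speed by a plugin upload and activation) can be searched for in a site's own logs. The following is an added example, not code from the BleepingComputer or GoDaddy reports: the request paths are the standard WordPress admin endpoints, while the 30-second window, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in combined log format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [21/Oct/2024:03:14:02 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [21/Oct/2024:03:14:03 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [21/Oct/2024:03:14:04 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=example%2Findex.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - - [21/Oct/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2024:09:07:30 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Oct/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method, path, status):
    """Map one request to a step of the login -> upload -> activate chain."""
    if method == "POST" and path.startswith("/wp-login.php") and status == 302:
        return "login"      # WordPress redirects (302) only when credentials are accepted
    if method == "POST" and "/wp-admin/update.php" in path and "action=upload-plugin" in path:
        return "upload"     # ZIP upload from the "Add Plugins" screen
    if "/wp-admin/plugins.php" in path and "action=activate" in path:
        return "activate"
    return None

def find_automated_installs(log_text, window_seconds=30):
    """Return (ip, seconds from login to activation) for each scripted-looking install."""
    last_login, uploaded, findings = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        step = classify(method, path, int(status))
        if step == "login":
            last_login[ip] = when
            uploaded.pop(ip, None)          # a new session resets the chain
        elif step == "upload" and ip in last_login:
            if (when - last_login[ip]).total_seconds() <= window_seconds:
                uploaded[ip] = when         # upload too soon after login for a human
        elif step == "activate" and ip in uploaded:
            findings.append((ip, (when - last_login[ip]).total_seconds()))
            del uploaded[ip]
    return findings
```

A hit is a lead for review rather than proof of compromise: compare the flagged time against the plugin directory's modification times and the list of plugins the administrators actually installed.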

  • by SpzToid ( 869795 ) on Tuesday October 22, 2024 @06:15AM (#64883531)

    Wordpress is a massive security risk/vector that serves cross functional purposes as a Content Management System (CMS). Just like how Microsoft Outlook, (nay Teams!), also does email.

    • Two organizations I have absolutely no choice about working with use Teams. I've done what I can to protect myself, but I believe it's just a matter of time before one or both of them fall victim to some kind of hack. I only hope they don't drag me down with them.

      • We use it at work but we don't put any confidential data into it.

        That way, when it inevitably gets compromised, no problem.

        It certainly does suck, though. My favorite thing is when it gets disconnected but doesn't tell you. This never happens with the web version but often does with the standalone. It happened more in v1 than it does in v2, but it still happens.

    • Wordpress used to be terrible, but more recently (like maybe 10 years or so) it's almost always "bad plugins" that are the problem, and not the core or the main "decent" plugins. Everyone's got bugs, but as I say, *mostly* it's the lesser used plugins that have the issues.

      Either way, 6000 sites could probably be just one hosting provider - it's probably one cheapo provider who thought it would be good to pre-install something or other for their users. Or maybe they're even managed sites, and the end custome

  • That would be WP, its filthy plugins and all those WP "developers" clogging the net with their particular brand of insecure garbage.

    The meltdown going on right now is proving to be immensely entertaining.

  • ... WP's install base compromised by some shitty plugin installed by people who shouldn't be let near a keyboard let alone a WP admin account. We're all gonna die!

    Once again the exploit was caught a few hours in and no harm was done to anyone who knows what he's doing with his WP setups.

    Nothing to see here, move along.

    • by znrt ( 2424692 )

      ... and no harm was done to anyone who knows what he's doing with his WP setups.

      would that be 0.00000001% of that 0.00000001% compromised userbase (by these particular plugins)? i always wondered why people who knew what they were doing used wordpress and its plugins in the first place.

      anyway, the average wordpress site i've seen usually shows years of abandon and a spam overgrowth in the comments section.

      • i always wondered why people who knew what they were doing used wordpress and its plugins in the first place

        Ease of use. Not everyone has the time, even if they have the knowledge, to build numerous websites and customize them to their specific use cases. But, more often than not, if you have a need for a website, there is a Wordpress plugin out there which can do what you need.

        I currently manage Wordpress sites which serve as activity information websites, office inventories, help desks, knowledgebases for employees, etc, all of which are hosted locally. It is far easier to download and install Wordpress and a f

  • My 80+ year old mom knows better than to install or click on random shit. She won't even click on legitimate things she doesn't recognize.

    Who are these people installing random ass plugins and who are these users running random crap on their PC from stupid pop ups?

    It's mind boggling. Maybe it's better all these people get fucked computers and just leave the net.

  • by Barny ( 103770 )

    Obligatory xkcd [xkcd.com]
