Over 6,000 WordPress Hacked To Install Plugins Pushing Infostealers (bleepingcomputer.com)
WordPress sites are being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports: Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.
Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."
The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
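The summary notes that the access-log evidence points to stolen admin credentials being used to install the plugin in an automated manner. The following is an added example, not code from the article, GoDaddy or Sucuri, showing how a defender could scan Apache combined-format logs for that pattern: a successful wp-login.php POST (WordPress answers with a 302 redirect) followed within seconds by a plugin upload or install request from the same IP. The log lines are constructed, and the 30-second window is an assumed threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not real traffic).
# IP 203.0.113.7 logs in and uploads a plugin two seconds later with a
# non-browser user agent; 198.51.100.9 is a human who uploads 25 minutes later.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [18/Oct/2024:10:01:03 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 8421 "-" "python-requests/2.31"
203.0.113.7 - - [18/Oct/2024:10:01:04 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [18/Oct/2024:11:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Oct/2024:11:45:10 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_automated_installs(log_text, window=timedelta(seconds=30)):
    """Return (ip, seconds_after_login, user_agent) for every plugin upload or
    install request that follows a successful login from the same IP within
    `window`. A login immediately followed by an install, with no browsing in
    between, is the signature of a scripted install using stolen credentials."""
    last_login = {}
    hits = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php") and e["status"] == "302":
            last_login[e["ip"]] = e["ts"]          # successful login redirects to wp-admin
        elif "action=upload-plugin" in e["path"] or "action=install-plugin" in e["path"]:
            t0 = last_login.get(e["ip"])
            if t0 is not None and e["ts"] - t0 <= window:
                hits.append((e["ip"], int((e["ts"] - t0).total_seconds()), e["ua"]))
    return hits

if __name__ == "__main__":
    for ip, secs, ua in find_automated_installs(SAMPLE_LOG):
        print(f"suspicious plugin install from {ip} {secs}s after login (UA: {ua})")
```

Run against a real access log, the same function also surfaces legitimate admins who work very quickly, so treat a hit as a lead to check the plugin directory, not as proof of compromise.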
Wordpress is a massive security risk... (Score:5, Informative)
Wordpress is a massive security risk/vector that serves cross functional purposes as a Content Management System (CMS). Just like how Microsoft Outlook, (nay Teams!), also does email.
Re: (Score:2)
Two organizations I have absolutely no choice about working with use Teams. I've done what I can to protect myself, but I believe it's just a matter of time before one or both of them fall victim to some kind of hack. I only hope they don't drag me down with them.
Re: (Score:3)
We use it at work but we don't put any confidential data into it.
That way, when it inevitably gets compromised, no problem.
It certainly does suck, though. My favorite thing is when it gets disconnected but doesn't tell you. This never happens with the web version but often does with the standalone. It happened more in v1 than it does in v2, but it still happens.
Re: (Score:2)
Let me tell you a little story. I was just working with a client and they told me a story which was extremely confidential, and then the very next time I used faceboot the algorithm chose to show me one of their posts, and I don't even run the app but rather use it through firefox with a bunch of ad blockers.
I don't trust that any non-OSS anything isn't spying on me, and I don't necessarily trust that either.
Re: (Score:2)
Makes your skin crawl, doesn't it!
Re: (Score:2)
Agreed. My concern isn't so much with my own security practices, but the people I have to deal with are appalling. I have reserved one machine, which is as isolated as I can manage, just for them. My router is a good one, and I patch and back up regularly. Basically, there's no low-hanging fruit, and I'm not important enough to warrant a lot of time and effort. My hope is that if either of these groups gets hit, any damage will be confined to the one expendable computer.
Re: (Score:3)
Wordpress used to be terrible, but more recently (like maybe 10 years or so) it's almost always "bad plugins" that are the problem, and not the core or the main "decent" plugins. Everyone's got bugs, but as I say, *mostly* it's the lesser used plugins that have the issues.
Either way, 6000 sites could probably be just one hosting provider - it's probably one cheapo provider who thought it would be good to pre-install something or other for their users. Or maybe they're even managed sites, and the end custome
Re:Wordpress is a massive security risk... (Score:5, Informative)
Wordpress used to be terrible, but more recently (like maybe 10 years or so) it's almost always "bad plugins" that are the problem, and not the core or the main "decent" plugins.
Step one: Go here https://patchstack.com/databas... [patchstack.com]
Step two: Click the menu that says "Everything Wordpress" and change it to "Wordpress core"
Step three: Enjoy the list of XSS vulnerabilities in core which occurred this year.
The cancer of the internet (Score:2)
That would be WP, its filthy plugins and all those WP "developers" clogging the net with their particular brand of insecure garbage.
The meltdown going on right now is proving to be immensely entertaining.
Re: (Score:2)
a lot of what is on WordPress sites today will next be only found on Facebook.
This is the modern-day equivalent of bemoaning the death of geocities
We will survive.
OMG, 0.00000001% of ... (Score:3)
... WP's install base compromised by some shitty plugin installed by people who shouldn't be let near a keyboard let alone a WP admin account. We're all gonna die!
Once again the exploit was caught a few hours in and no harm was done to anyone who knows what he's doing with his WP setups.
Nothing to see here, move along.
Re: (Score:2)
... and no harm was done to anyone who knows what he's doing with his WP setups.
would that be 0.00000001% of that 0.00000001% compromised userbase (by these particular plugins)? i always wondered why people who knew what they were doing used wordpress and its plugins in the first place.
anyway, the average wordpress site i've seen usually shows years of abandon and a spam overgrowth in the comments section.
Re: (Score:2)
i always wondered why people who knew what they were doing used wordpress and its plugins in the first place
Ease of use. Not everyone has the time, even if they have the knowledge, to build numerous websites and customize them to their specific use cases. But, more often than not, if you have a need for a website, there is a Wordpress plugin out there which can do what you need.
I currently manage Wordpress sites which serve as activity information websites, office inventories, help desks, knowledgebases for employees, etc, all of which are hosted locally. It is far easier to download and install Wordpress and a f
Who are these people? (Score:4, Interesting)
My 80+ year old mom knows better than to install or click on random shit. She won't even click on legitimate things she doesn't recognize.
Who are these people installing random ass plugins and who are these users running random crap on their PC from stupid pop ups?
It's mind boggling. Maybe it's better all these people get fucked computers and just leave the net.
Re: (Score:2)
We need Interneter licenses. /s
Oblig (Score:4, Funny)
Obligatory xkcd [xkcd.com]
WP Crowdstrike (Score:3)
Crowdstrike took down a zillion machines by pushing a bad update. That happened because Microsoft provided access to a Windows API that Crowdstrike and other similar tools use that can take down the OS. WP Plugins suffer from the same general problem: The plugin API isn't secure enough. It's time for a new plugin interface designed for security. It's either that, or WP fades and eventually dies.
Creator of WP says... (Score:2)
Everyone really needs to migrate away from the curse. The creator of WP seems to want you to.