Published in News

WordPress sites hit by malicious plugins

23 October 2024


Encourages information-stealing malware

WordPress websites are being compromised through the use of malicious plugins that trigger fake software updates and error messages, ultimately leading to the installation of information-stealing malware.

According to BleepingComputer, this issue has been around for a while, but has suddenly escalated.

Since 2023, a malicious campaign known as ClearFake has been employed to display fraudulent web browser update banners on compromised websites, which in turn distribute information-stealing malware.

In 2024, a similar campaign called ClickFix emerged, displaying fake software error messages that claim to offer fixes. However, these supposed "fixes" are, in fact, PowerShell scripts designed to download and install malware once executed.

Last week, GoDaddy revealed that the ClearFake/ClickFix threat actors have successfully breached over 6,000 WordPress websites, installing rogue plugins that trigger these fake alerts.

GoDaddy security researcher Denis Sinegubko said: "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins."

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

The rogue plugins adopt names that closely resemble legitimate ones, such as Wordfence Security and LiteSpeed Cache, while others use more generic, fabricated titles.

Website security firm Sucuri has identified a fake plugin named "Universal Popup Plugin" as part of this malicious campaign. Once installed, the plugin exploits various WordPress actions, depending on the variant, to inject malicious JavaScript into the website’s HTML. This script then attempts to load another malicious JavaScript file stored within a Binance Smart Chain (BSC) smart contract, which delivers the ClearFake or ClickFix script to display the fraudulent update banners.

From web server access logs analysed by Sinegubko, it appears the attackers are using stolen administrative credentials to log into the WordPress sites and install the malicious plugins through an automated process.
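The access-log pattern described above (a login with stolen credentials followed almost immediately by a scripted plugin upload) can be hunted for directly. The following is an added example written for this article, not code from GoDaddy, Sucuri or BleepingComputer; it assumes Apache combined log format, the standard WordPress endpoints `/wp-login.php` and `/wp-admin/update.php?action=upload-plugin`, and treats a 302 on the login POST as a successful login. The 60-second window is an assumed threshold for "machine speed".

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [23/Oct/2024:10:00:03 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [23/Oct/2024:10:00:04 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [23/Oct/2024:11:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Oct/2024:11:25:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [23/Oct/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def find_automated_installs(log_text, window_seconds=60):
    """Return one alert per plugin upload that follows a successful login
    from the same IP within window_seconds (assumed sign of scripted install)."""
    last_login = {}  # ip -> timestamp of most recent successful login
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlparse(m["path"])
        # WordPress answers a successful login POST with a 302 redirect to wp-admin;
        # a 200 means the login form was re-rendered (wrong password, etc.).
        if m["method"] == "POST" and url.path == "/wp-login.php" and m["status"] == "302":
            last_login[ip] = ts
            continue
        is_upload = (m["method"] == "POST" and url.path == "/wp-admin/update.php"
                     and parse_qs(url.query).get("action") == ["upload-plugin"])
        if is_upload and ip in last_login:
            delta = int((ts - last_login[ip]).total_seconds())
            if delta <= window_seconds:
                alerts.append({"ip": ip, "seconds_after_login": delta, "user_agent": m["ua"]})
    return alerts


if __name__ == "__main__":
    for alert in find_automated_installs(SAMPLE_LOG):
        print(f"plugin upload {alert['seconds_after_login']}s after login from "
              f"{alert['ip']} ({alert['user_agent']})")
```

Flagged hits are a starting point for review of the plugin directory and a credential reset, not proof of compromise on their own; an administrator can legitimately upload a plugin right after logging in.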

 

Last modified on 23 October 2024