Security researchers have discovered that hackers are taking advantage of outdated WordPress versions and plugins to compromise thousands of websites, aiming to deceive users into downloading and installing malicious software.
According to Simon Wijckmans, CEO of the web security firm c/side, the hacking operation is currently “very much ongoing,” as he shared with TechCrunch on Tuesday.
The hackers’ objective is to disseminate malware that can steal passwords and sensitive information from users on both Windows and Mac platforms. Some of the compromised websites rank among the most frequented on the internet, according to findings from c/side.
Himanshu Anand, who documented the company’s findings, indicated to TechCrunch that this operation represents a “broad and highly commercialized attack.” He described the campaign as a “spray and pray” strategy, targeting anyone visiting the compromised sites rather than specific individuals or groups.
When these hacked WordPress sites are accessed, the page content swiftly transforms into a fake Chrome browser update page, misleading users into downloading and installing an update to view the site, according to the researchers. Should a user agree to the update, they will be prompted to download a malicious file disguised as the update, tailored for either Windows or Mac users.
Wijckmans said that c/side has notified Automattic, the organization responsible for WordPress.com, about the hacking activities and provided a list of the malicious domains it identified. Their contact at Automattic confirmed receipt of the report.
In response to TechCrunch’s inquiry before publication, Megan Fox, a spokesperson for Automattic, had no comment. After the article was published, Automattic stated that the security of third-party plugins ultimately lies in the hands of the plugin developers.
“Plugin authors must follow specific guidelines to maintain the overall quality and user safety of their plugins. Additionally, they can refer to the Plugin Handbook, which addresses various security topics, including best practices and managing plugin security,” the spokesperson elaborated.
C/side reported identifying over 10,000 websites that appear to have been compromised in this hacking campaign. Wijckmans noted that they detected the malicious scripts across several domains by crawling the internet and performing reverse DNS lookups, a technique used to identify domains linked to particular IP addresses, which uncovered more sites serving the harmful scripts.
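The crawling step described above boils down to fetching a page and checking whether it loads scripts from hosts that do not belong to the site. The following is an added illustration written for this article, not code from c/side or TechCrunch: it parses constructed sample HTML (the domains are placeholders, not indicators from the campaign), collects every `<script src>` that points off-site, and flags those matching a suspect-domain list. In practice the `SUSPECT_DOMAINS` set would be populated from a threat-intelligence feed or from the reverse DNS pivoting the article mentions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages: one with an injected off-site loader script (as a
# fake-update campaign would add), one clean. All hostnames are placeholders.
SAMPLE_PAGES = {
    "https://example-blog.test/": """<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery.min.js"></script>
<script src="https://cdn.placeholder-malicious.test/update.js" async></script>
</head><body><p>Hello</p></body></html>""",
    "https://example-clean.test/": """<html><head>
<script src="/wp-content/themes/x/app.js"></script>
</head><body></body></html>""",
}

# Assumed watchlist; a real scan would load this from a feed or prior findings.
SUSPECT_DOMAINS = {"cdn.placeholder-malicious.test"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(page_url, html):
    """Return hosts of <script src> references that are not the page's own host.

    Relative URLs have no hostname and are treated as same-origin.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    hosts = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host != own_host:
            hosts.append(host)
    return hosts


def flag_page(page_url, html, suspect_domains=SUSPECT_DOMAINS):
    """Return the sorted list of off-site script hosts that match the watchlist.

    A host matches if it equals a watched domain or is a subdomain of one.
    """
    hosts = external_script_hosts(page_url, html)
    hits = {
        h for h in hosts
        if h in suspect_domains or any(h.endswith("." + d) for d in suspect_domains)
    }
    return sorted(hits)


def scan(pages, suspect_domains=SUSPECT_DOMAINS):
    """Map each page URL to its flagged hosts, keeping only pages with hits."""
    results = {}
    for url, html in pages.items():
        hits = flag_page(url, html, suspect_domains)
        if hits:
            results[url] = hits
    return results


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_PAGES).items():
        print(f"{url}: loads script(s) from suspect host(s) {hits}")
```

Flagging only on a watchlist keeps false positives low; a looser variant that reports every off-site script host is useful for triage, since a legitimate WordPress site usually loads scripts from a small, stable set of origins and a newly appearing one is worth a look.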
While TechCrunch could not verify the accuracy of c/side’s statistics, they did observe one hacked WordPress site still displaying malicious content on Tuesday.
Transitioning from WordPress to Data-Stealing Malware
The two malware strains being distributed through these compromised websites are known as Amos (or Amos Atomic Stealer), aimed at macOS users, and SocGholish, which specifically targets Windows users.
In May 2023, the cybersecurity firm SentinelOne released a report detailing Amos, categorizing it as an infostealer designed to infiltrate computers and harvest usernames, passwords, session cookies, crypto wallets, and other sensitive data that enable hackers to gain unauthorized access to victims’ accounts and steal their digital assets. Cybersecurity firm Cyble reported that hackers were marketing access to the Amos malware on Telegram at that time.
Patrick Wardle, a macOS security specialist and co-founder of the Apple-focused cybersecurity firm DoubleYou, informed TechCrunch that Amos is “undoubtedly the most widespread stealer on macOS,” built upon a malware-as-a-service model, where developers and owners sell it to hackers who then employ it.
Wardle also pointed out that in order for users to install the malicious file found by c/side on their macOS, “they must manually run it and bypass multiple security measures instituted by Apple.”
Although this hacking campaign may not be the most sophisticated, since it depends on users falling for the counterfeit update page and installing the malware themselves, it serves as a reminder to update Chrome only through the browser’s built-in update feature and to install only trusted applications on personal devices.
Malware that steals passwords and credentials has been implicated in numerous significant hacks and data breaches throughout history. In 2024, hackers executed mass raids on corporate accounts hosting sensitive data with cloud provider Snowflake, utilizing passwords pilfered from employees of Snowflake’s clients.
This article was updated to incorporate comments from Automattic’s spokesperson.