Hackers are currently abusing outdated WordPress versions and plugins to trick visitors to thousands of websites into downloading and installing malware, warns Belgian security specialist C/side.
According to the researchers, thousands of websites have been compromised and are being used to push malware that visitors may unwittingly download and install. Sites running outdated versions of the popular WordPress software and/or outdated plugins are particular targets.
Plan of attack
When a compromised WordPress site loads in a visitor's browser, injected script replaces the page content with a fake Chrome update prompt telling the visitor that a browser update is required before the site can be viewed.
If the visitor accepts, the site serves a malicious file disguised as the update. Which file is served depends on whether the visitor is on a Windows PC or a Mac.
The payloads are SocGholish, a JavaScript-based malware framework that targets Windows users, and Amos (Atomic macOS Stealer) for macOS users. Both are used to steal usernames, passwords, session cookies, crypto wallets and other sensitive data.
Thousands of websites compromised
C/side says more than 10,000 websites, including some very well-known ones, have been compromised. The Belgian security specialist describes the campaign as large-scale and a so-called "spray and pray" attack: anyone who visits a compromised site is a target, rather than a specific group of end users.
The researchers found the malicious scripts on various domains by crawling the web. They then ran reverse lookups on the IP address the scripts were associated with to find other domains hosted there, which turned up many more domains infected with the same scripts.
The security specialist notified Automattic, the company behind WordPress.com, of the campaign and handed over a list of affected websites. Automattic reportedly acknowledged receipt.
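The crawl-then-pivot workflow described above, and the injected third-party script that the fake-update page depends on, can be reproduced in a few dozen lines. The following is an added example written for this article, not C/side's tooling: it extracts every external `<script src>` host from a set of crawled pages, flags hosts that are not on a site owner's allowlist, then resolves each flagged host to an IP and lists the other domains seen on that IP. All page contents, hostnames (RFC 2606 `.test`/`.invalid` names) and IP addresses (RFC 5737 documentation range) are constructed for the demo; `cdn.update-lure.invalid` is a placeholder, not an indicator from the campaign, and the `KNOWN_GOOD` allowlist and the `FORWARD`/`REVERSE` lookup tables are assumptions standing in for live DNS.

```python
"""Hunt for injected third-party scripts across crawled pages and pivot on the
IP they resolve to. Added example, not C/side's code. Every page, hostname and
IP address below is constructed for the demo, not an indicator from the campaign."""

from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcExtractor(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(page_url, html):
    """Hostnames of scripts loaded from outside the page's own site."""
    site = urlparse(page_url).hostname
    parser = ScriptSrcExtractor()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname     # None for relative paths like /wp-includes/...
        if host and host != site and not host.endswith("." + site):
            hosts.add(host)
    return hosts


# Assumption: third-party script hosts the site owner expects to see.
KNOWN_GOOD = {"www.googletagmanager.com", "cdnjs.cloudflare.com"}


def suspicious_hosts(crawled, allowlist=KNOWN_GOOD):
    """Map each unexpected third-party script host to the pages that load it."""
    hits = defaultdict(set)
    for url, html in crawled.items():
        for host in external_script_hosts(url, html) - allowlist:
            hits[host].add(url)
    return dict(hits)


def pivot_on_ip(hosts, resolve, domains_on_ip):
    """For each host, resolve its IP and list the other domains seen on that IP.
    resolve(host) -> ip or None; domains_on_ip(ip) -> set of domains. Both are
    injected so the demo runs offline; for live hunting use socket.gethostbyname
    and a passive-DNS source (a single PTR record rarely lists every domain)."""
    related = {}
    for host in hosts:
        ip = resolve(host)
        if ip is None:
            continue
        related[host] = (ip, sorted(domains_on_ip(ip) - {host}))
    return related


# Constructed crawl: two sites carrying an injected loader, one clean site.
SAMPLE_CRAWL = {
    "https://blog.example-a.test/": (
        '<html><head><script src="/wp-includes/js/jquery/jquery.min.js"></script>'
        '<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>'
        '<script src="//cdn.update-lure.invalid/loader.js"></script></head>'
        '<body><h1>Blog</h1></body></html>'),
    "https://shop.example-b.test/": (
        '<html><head><script src="https://static.shop.example-b.test/app.js"></script>'
        '<script type="text/javascript" src="https://cdn.update-lure.invalid/loader.js">'
        '</script></head><body><h1>Shop</h1></body></html>'),
    "https://news.example-c.test/": (
        '<html><head><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/'
        'jquery.min.js"></script></head><body><h1>News</h1></body></html>'),
}

# Constructed DNS data standing in for live forward and reverse lookups.
FORWARD = {"cdn.update-lure.invalid": "203.0.113.10"}
REVERSE = {"203.0.113.10": {"cdn.update-lure.invalid",
                            "static.update-lure.invalid",
                            "assets.fake-cdn.invalid"}}


def hunt(crawled=SAMPLE_CRAWL, forward=FORWARD, reverse=REVERSE):
    """Run the whole pipeline: flag unexpected hosts, then pivot on their IPs."""
    flagged = suspicious_hosts(crawled)
    pivots = pivot_on_ip(flagged, forward.get, lambda ip: reverse.get(ip, set()))
    return flagged, pivots


if __name__ == "__main__":
    flagged, pivots = hunt()
    for host, pages in flagged.items():
        print(f"{host}: loaded by {sorted(pages)}")
        if host in pivots:
            ip, others = pivots[host]
            print(f"  resolves to {ip}; other domains on that IP: {others}")
```

The allowlist is what makes this usable on a real site: a WordPress page legitimately loads scripts from its own host and a handful of known CDNs, so anything else loading a script is worth a look, whether or not it is this campaign. On the server side, the same sites can check the precondition the attackers rely on with `wp core check-update` and `wp plugin list --update=available` (WP-CLI), and `wp core verify-checksums` flags modified core files.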