
Over 6,000 WordPress Hacked To Install Plugins Pushing Infostealers (bleepingcomputer.com)

WordPress sites are being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports: Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
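
The access-log pattern described above, an admin login followed straight away by a plugin install, can be hunted for in a site's own logs. The sketch below is an added example, not code from GoDaddy, BleepingComputer or Slashdot. It assumes combined-format access logs, WordPress at the web root, installation through the standard admin upload form, and an arbitrary 30-second threshold; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [21/Oct/2024:03:14:02 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.7 - - [21/Oct/2024:03:14:03 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5310 "-" "python-requests/2.31"
198.51.100.20 - - [21/Oct/2024:09:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2024:09:00:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2024:09:07:45 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
192.0.2.99 - - [21/Oct/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "curl/8.4"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_fast_plugin_installs(log_text, max_gap=timedelta(seconds=30)):
    """Return (ip, login_time, gap_seconds) for each plugin upload that
    follows a successful login from the same IP within max_gap."""
    last_login = {}  # ip -> timestamp of most recent successful login
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if method != "POST":
            continue
        # WordPress answers a successful login with a 302 redirect;
        # a failed login re-renders the form with status 200.
        if path.startswith("/wp-login.php") and status == 302:
            last_login[ip] = ts
        elif path.startswith("/wp-admin/update.php") and "action=upload-plugin" in path:
            login = last_login.get(ip)
            if login is not None and ts - login <= max_gap:
                gap = (ts - login).total_seconds()
                findings.append((ip, login.isoformat(), gap))
    return findings

if __name__ == "__main__":
    for ip, when, gap in find_fast_plugin_installs(SAMPLE_LOG):
        print(f"{ip}: plugin upload {gap:.0f}s after login at {when}")
```

A hit is a lead for review rather than proof of compromise: check the plugin directory created at that time and rotate the admin credentials that were used.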

  • by SpzToid ( 869795 ) on Tuesday October 22, 2024 @05:15AM (#64883531)

    Wordpress is a massive security risk/vector that serves cross functional purposes as a Content Management System (CMS). Just like how Microsoft Outlook, (nay Teams!), also does email.

    • Two organizations I have absolutely no choice about working with use Teams. I've done what I can to protect myself, but I believe it's just a matter of time before one or both of them fall victim to some kind of hack. I only hope they don't drag me down with them.

      • We use it at work but we don't put any confidential data into it.

        That way, when it inevitably gets compromised, no problem.

        It certainly does suck, though. My favorite thing is when it gets disconnected but doesn't tell you. This never happens with the web version but often does with the standalone. It happened more in v1 than it does in v2, but it still happens.

        • Agreed. My concern isn't so much with my own security practices, but the people I have to deal with are appalling. I have reserved one machine, which is as isolated as I can manage, just for them. My router is a good one, and I patch and back up regularly. Basically, there's no low-hanging fruit, and I'm not important enough to warrant a lot of time and effort. My hope is that if either of these groups gets hit, any damage will be confined to the one expendable computer.

    • Wordpress used to be terrible, but more recently (like maybe 10 years or so) it's almost always "bad plugins" that are the problem, and not the core or the main "decent" plugins. Everyone's got bugs, but as I say, *mostly* it's the lesser used plugins that have the issues.

      Either way, 6000 sites could probably be just one hosting provider - it's probably one cheapo provider who thought it would be good to pre-install something or other for their users. Or maybe they're even managed sites, and the end custome

  • That would be WP, its filthy plugins and all those WP "developers" clogging the net with their particular brand of insecure garbage.

    The meltdown going on right now is proving to be immensely entertaining.

    • What is a bigger cancer: WordPress or Facebook? Because in one PoV, WordPress is the primary tool for self-produced web content that is not Facebook. If WordPress dies, then a lot of what is on WordPress sites today will next be only found on Facebook.
      • a lot of what is on WordPress sites today will next be only found on Facebook.

        This is the modern-day equivalent of bemoaning the death of geocities

        We will survive.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Tuesday October 22, 2024 @06:12AM (#64883589)

    ... WP's install base compromised by some shitty plugin installed by people who shouldn't be let near a keyboard let alone a WP admin account. We're all gonna die!

    Once again the exploit was caught a few hours in and no harm was done to anyone who knows what he's doing with his WP setups.

    Nothing to see here, move along.

    • by znrt ( 2424692 )

      ... and no harm was done to anyone who knows what he's doing with his WP setups.

      would that be 0.00000001% of that 0.00000001% compromised userbase (by these particular plugins)? i always wondered why people who knew what they were doing used wordpress and its plugins in the first place.

      anyway, the average wordpress site i've seen usually shows years of abandon and a spam overgrowth in the comments section.

      • i always wondered why people who knew what they were doing used wordpress and its plugins in the first place

        Ease of use. Not everyone has the time, even if they have the knowledge, to build numerous websites and customize them to their specific use cases. But, more often than not, if you have a need for a website, there is a Wordpress plugin out there which can do what you need.

        I currently manage Wordpress sites which serve as activity information websites, office inventories, help desks, knowledgebases for employees, etc, all of which are hosted locally. It is far easier to download and install Wordpress and a f

  • by iAmWaySmarterThanYou ( 10095012 ) on Tuesday October 22, 2024 @06:38AM (#64883645)

    My 80+ year old mom knows better than to install or click on random shit. She won't even click on legitimate things she doesn't recognize.

    Who are these people installing random ass plugins and who are these users running random crap on their PC from stupid pop ups?

    It's mind boggling. Maybe it's better all these people get fucked computers and just leave the net.

    • Well, most businesses had to move their stores online because you know, everything has to be on the internet these days. People running the businesses aren't tech-savvy, that's why they are using WordPress. And the general consensus is you have to keep your WordPress updated at all times to avoid security vulnerabilities. The owners will update the moment they see such a message.
    • by antdude ( 79039 )

      We need Interneter licenses. /s

  • Oblig (Score:4, Funny)

    by Barny ( 103770 ) on Tuesday October 22, 2024 @07:41AM (#64883733) Journal

    Obligatory xkcd [xkcd.com]

  • so... (Score:1, Funny)

    ...nothing new, then
  • by Spinlock_1977 ( 777598 ) <Spinlock_1977.yahoo@com> on Tuesday October 22, 2024 @09:16AM (#64883951) Journal

    Crowdstrike took down a zillion machines by pushing a bad update. That happened because Microsoft provided access to a Windows API that Crowdstrike and other similar tools use that can take down the OS. WP Plugins suffer from the same general problem: The plugin API isn't secure enough. It's time for a new plugin interface designed for security. It's either that, or WP fades and eventually dies.

  • Stick it up your.... (effectively)

    Everyone really needs to migrate away from the curse. The creator of WP seems to want you to.
