More than 6,000 WordPress sites hacked, now showing fake malware warnings

marry, 23.10.2024, 13:00

More than 6,000 WordPress sites have been hacked, with attackers installing malicious plugins that display fake browser update notifications, GoDaddy has warned.

“The GoDaddy Security team is monitoring a new variant of ClickFix (also known as ClearFake) malware that is being distributed via fake WordPress plugins,” said GoDaddy security researcher Denis Sinegubko.

Since 2023, a campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. More than 25,000 sites were compromised in this campaign.

In 2024, a new campaign called ClickFix was spotted that has many similarities to ClearFake, but instead of a web browser update banner, victims are shown a fake software error message offering a fix. However, these “fixes” are scripts that, when executed, download and install information-stealing malware.

ClickFix campaigns have become more common this year, with hackers compromising sites that then show banners with fake error messages for Google Chrome, Google Meet, Facebook, and even captcha pages.

The information-stealing malware delivered to the victims of these attacks is a serious problem because the passwords it steals are reused in further attacks and data theft.

Regarding the campaign that GoDaddy warned about, “seemingly legitimate WordPress plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users.”

This technique uses social engineering strategies to trick users into running malicious code, thus compromising their systems with various types of malware and information stealers.

Fake plugins use names similar to legitimate WordPress plugins, such as Wordfense Security and LiteSpeed Cache, or generic, fictitious names.

Hackers use stolen administrator passwords to log into a WordPress site and install a JavaScript-injecting plugin that shows users fake web browser update notifications that lead victims to install malware on their computers. These are usually remote access trojans or info stealers such as Vidar or Lumma.

It’s unclear how the attackers obtained the passwords, but they could have been stolen in earlier brute-force attacks, phishing attacks, or information-stealing malware infections.

If you are using WordPress and visitors are being shown fake warnings, you should immediately review the list of installed plugins and remove any that you did not install yourself. If you find any unknown plugins, you should immediately reset all admin passwords.
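One way to make that plugin review systematic is to compare the installed plugin slugs against a list the administrator maintains and flag both unknown plugins and look-alike names such as “wordfense” next to the real “wordfence”. The script below is an added example, not code from GoDaddy or from the original article; it assumes a JSON list shaped like the output of WP-CLI's `wp plugin list --format=json` (the sample here is constructed, not taken from a real site) and an approved-plugin set that the site owner keeps up to date.

```python
import json
from typing import Dict, Optional, Set

# Constructed sample in the shape of `wp plugin list --format=json`; it is not
# real output from any compromised site. The third entry mimics a look-alike
# plugin name of the kind the article describes, the last one a generic fake name.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wordfence", "status": "active", "update": "none", "version": "7.11.0"},
    {"name": "litespeed-cache", "status": "active", "update": "none", "version": "6.5.1"},
    {"name": "wordfense-security", "status": "active", "update": "none", "version": "1.0"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "site-optimizer-pro", "status": "active", "update": "none", "version": "2.1"},
])

# Assumption: the administrator keeps this allowlist of plugins they installed themselves.
APPROVED: Set[str] = {"wordfence", "litespeed-cache", "akismet"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, approved: Set[str], max_distance: int) -> Optional[str]:
    """Return the approved slug whose hyphen-separated token is within max_distance
    edits of one of the candidate's tokens, or None. Short tokens (<= 3 chars such
    as 'pro' or 'seo') are ignored to avoid noisy matches."""
    for tok in (t for t in name.split("-") if len(t) > 3):
        for slug in approved:
            for atok in (t for t in slug.split("-") if len(t) > 3):
                if levenshtein(tok, atok) <= max_distance:
                    return slug
    return None


def audit_plugins(plugin_list_json: str, approved: Set[str], max_distance: int = 2) -> Dict[str, str]:
    """Map every plugin slug that is not on the allowlist to a verdict:
    'lookalike of <slug>' when its name imitates an approved plugin, else 'unknown'."""
    verdicts: Dict[str, str] = {}
    for entry in json.loads(plugin_list_json):
        name = entry["name"]
        if name in approved:
            continue
        match = lookalike_of(name, approved, max_distance)
        verdicts[name] = f"lookalike of {match}" if match else "unknown"
    return verdicts
```

Any slug reported here should be removed from the site and, per the advice above, followed by a reset of all administrator passwords.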

Photo: WebFactory Ltd | Unsplash

Source: www.informacija.rs