ClickFix Malware, WordPress, And Emerging Social Engineering Tactics

Hackers have targeted thousands of WordPress sites by infecting them with malicious plugins. These plugins are designed to present users with fake messages, such as Chrome alerts, Facebook notifications, Google Meet prompts, or Captcha verification pages, tricking visitors into downloading and installing malware. This attack has affected more than 6,000 WordPress-based sites.

The infection spreads through bogus plugins with names like "Google SEO Enhancer" and "Quick Cache Cleaner," which appear legitimate and attract users looking to optimize their websites.

Some infections result from stolen administrator logins and automated installation tools. Hackers use databases of compromised logins to gain access to WordPress sites. The "ClearFake" system, known since at least 2023, has a new variant called "ClickFix" that is spreading via these malicious plugins.

For WordPress administrators, it is recommended to use strong and unique passwords for administrator accounts and regularly review installed plugins. Regular web users should be cautious of installation messages and warnings that pop up randomly while browsing. Avoid trusting any unsolicited download prompts.

Commentary

WordPress is considered the world's most popular website builder, powering more than 43 percent of all websites around the globe. This immense popularity makes it an attractive target for hackers because they can potentially exploit a large number of sites.

Additionally, WordPress's modular platform, which allows for extensive customization through themes and plugins, can introduce vulnerabilities if not properly managed. Common issues such as insecure web hosting, weak passwords, and unprotected access to the WordPress admin area can make these sites easier targets for attacks.

The ClickFix variant is a new evolution in malware attacks, leveraging social engineering tactics to deceive users into executing malicious code.

The ClickFix attack typically begins with deceptive pop-ups on compromised or malicious websites, displaying fake error messages that claim urgent issues with software. These messages often instruct users to copy a command to their clipboard and execute it via PowerShell or Command Prompt, which downloads and runs the malicious software.

One notable ClickFix attack involves a malicious VBScript hosted on dubious web pages, masquerading as legitimate error fixes. The script performs actions such as terminating active mshta.exe processes, downloading and executing two executables (stealc.exe and ram.exe), and reporting execution success back to the attacker. The initial executable, stealc.exe, is designed to gather sensitive data from the user's system, including browser information and cryptocurrency wallet details, and send this data to the attacker's Command and Control (C2) server. The C2 server often remains undetected by security vendors, making it a persistent threat.
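A plugin audit for the review step recommended above, added here as an example rather than code from the article or any of its sources: it walks a wp-content/plugins directory and flags plugins that hook the public front end and also load a remote script or write the visitor's clipboard, which is the behaviour the fake plugins and the ClickFix copy-and-run prompt rely on. The heuristic patterns, the two sample plugins and the cdn.example.invalid URL are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (constructed for this example): a plugin that hooks the public front end
# and also loads a remote script or writes the clipboard behaves like the fake plugins.
INDICATORS = {
    "front-end hook": re.compile(r"add_action\(\s*['\"](wp_footer|wp_head)['\"]"),
    "remote script tag": re.compile(r"<script[^>]+src=['\"]https?://", re.I),
    "clipboard write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy"),
}
HEADER_RE = re.compile(r"Plugin Name:\s*(.+)")

def audit_plugin(plugin_dir: Path) -> dict:
    name, hits = plugin_dir.name, set()
    for f in plugin_dir.rglob("*"):
        if f.suffix not in (".php", ".js"):
            continue
        text = f.read_text(errors="replace")
        if m := HEADER_RE.search(text):          # display name from the plugin header
            name = m.group(1).strip()
        hits.update(label for label, rx in INDICATORS.items() if rx.search(text))
    return {"dir": plugin_dir.name, "name": name, "indicators": sorted(hits)}

def audit_plugins(plugins_root: Path) -> list[dict]:
    """Audit every plugin under wp-content/plugins; flag front-end hook plus any other hit."""
    report = []
    for d in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        r = audit_plugin(d)
        r["suspicious"] = "front-end hook" in r["indicators"] and len(r["indicators"]) > 1
        report.append(r)
    return report

# Constructed sample plugins (not real malware) so the audit runs offline.
SAMPLE_PLUGINS = {
    "hello-dolly/hello.php": "<?php\n/**\n * Plugin Name: Hello Dolly\n */\n"
        "add_action('admin_notices', function () { echo '<p>Hello, Dolly</p>'; });\n",
    "quick-cache-cleaner/quick-cache-cleaner.php": "<?php\n/**\n * Plugin Name: Quick Cache Cleaner\n */\n"
        "add_action('wp_footer', function () {\n"
        "  echo '<script src=\"https://cdn.example.invalid/verify.js\"></script>';\n"
        "  echo '<script>navigator.clipboard.writeText(\"PLACEHOLDER\");</script>';\n"
        "});\n",
}

def demo() -> list[dict]:
    # Write the constructed samples to a temp directory and audit them.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_PLUGINS.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return audit_plugins(Path(tmp))
```

On a real site, call audit_plugins(Path("/var/www/html/wp-content/plugins")) and compare the reported display name with the directory name; a mismatch or an unfamiliar plugin with a front-end hook is a reason to inspect it before deciding to remove it.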

The final takeaway is that the ClickFix threat underscores the necessity for robust cybersecurity practices and continuous user awareness training to combat emerging threats effectively.

Source: https://www.pcworld.com/article/2497450/hackers-infect-thousands-of-wordpress-sites-with-malware-plugins.html; https://www.wpbeginner.com/beginners-guide/reasons-why-wordpress-site-gets-hacked/; and https://mojoauth.com/blog/malware-deployed-via-new-clickfix-attack-variant/
