Hackers are exploiting outdated variations of WordPress and plugins to change hundreds of internet sites in an try to trick guests to obtain and set up malware, safety researchers have discovered.
The hacking marketing campaign remains to be “very a lot reside,” Simon Wijckmans, the founder and CEO of net safety firm c/facet, which found the assaults, instructed TechCrunch on Tuesday.
The hackers’ objective is to unfold malware able to stealing passwords and different private info from each Windows and Mac customers. Some of the hacked web sites are ranked among the many hottest websites on the web, in accordance with c/facet.
“This is a widespread and really commercialized assault,” Himanshu Anand, who wrote up the corporate’s findings, instructed TechCrunch. Anand stated the marketing campaign is a “spray and pay” assault that goals to compromise anybody who visits these web sites somewhat than focusing on a selected particular person or group of individuals.
When the hacked WordPress websites load in a consumer’s browser, the content material rapidly modifications to show a pretend Chrome browser replace web page, requesting the web site customer obtain and set up an replace so as to view the web site, the researchers discovered. If a customer accepts the replace, the hacked web site will immediate the customer to obtain a selected malicious file masquerading because the replace, relying on whether or not the customer is on a Windows PC or a Mac.
Wijckmans stated that they alerted Automattic, the corporate that develops and distributes WordPress, concerning the hacking marketing campaign and despatched them the checklist of malicious domains, and that their contact on the firm acknowledged receipt of their electronic mail.
When reached by TechCrunch previous to publication, Megan Fox, a spokesperson for Automattic, didn’t remark.
C/facet stated it recognized over 10,000 web sites that seem to have been compromised as a part of this hacking marketing campaign. Wijckmans stated the corporate detected malicious scripts on a number of domains by crawling the web, and performing a reverse DNS lookup, a way to search out domains and web sites related to a sure IP deal with, which revealed extra domains internet hosting the malicious scripts.
TechCrunch couldn’t verify the accuracy of c/facet’s figures, however we noticed one hacked WordPress web site that was nonetheless displaying the malicious content material on Tuesday.
From WordPress to infostealing malware
The two sorts of malware which are being pushed on the malicious web sites are referred to as Amos (or Amos Atomic Stealer), which targets macOS customers; and SocGholish, which targets Windows customers.
In May 2023, cybersecurity agency SentinelOne printed a report on Amos, classifying the malware as an infostealer, a sort of malware designed to contaminate computer systems and steal as many usernames and passwords, session cookies, crypto wallets, and different delicate knowledge that permits the hackers to additional break into the sufferer’s accounts and steal their digital foreign money. Cybersecurity agency Cyble reported on the time that it had discovered that hackers had been promoting entry to the Amos malware on Telegram.
Patrick Wardle, a macOS safety knowledgeable and co-founder of Apple-focused cybersecurity startup DoubleYou, instructed TechCrunch that Amos is “definitively probably the most prolific stealer on macOS,” and was created with the malware-as-a-service enterprise mannequin, which means the builders and homeowners of the malware promote it to the hackers who then deploy it.
Wardle additionally famous that for somebody to efficiently set up on macOS the malicious file discovered by c/facet “the consumer nonetheless has to then manually run it, and bounce by means of loads of hoops to bypass Apple’s built-in safety.”
While this will not be probably the most superior hacking marketing campaign, provided that the hackers depend on their targets to fall for the pretend replace web page after which set up the malware, it is a good reminder to replace your Chrome browser by means of its in-built software program replace function and to put in solely trusted apps in your private gadgets.
Password-stealing malware and the theft of credentials have been blamed for among the largest hacks and knowledge breaches in historical past. In 2024, hackers mass-raided the accounts of company giants who hosted their delicate knowledge with cloud computing big Snowflake by utilizing passwords stolen from the computer systems of staff of Snowflake’s prospects.
