WordPress Site Hacking: Malware Threat to Windows & Mac

Widespread Website Hacking Campaign Targets WordPress Users
Security researchers have discovered a large-scale operation where malicious actors are exploiting vulnerabilities in outdated WordPress installations and plug-ins. This exploitation results in alterations to thousands of websites.
Malware Distribution Through Deceptive Updates
The primary objective of these hackers is to distribute malware. This malware is designed to compromise systems and steal sensitive data, including passwords and other personal information, from both Windows and Mac operating systems.
According to c/side, the web security firm that initially uncovered the attacks, the campaign remains active. Simon Wijckmans, c/side’s founder and CEO, confirmed this to TechCrunch on Tuesday.
A "Spray and Pray" Approach
This hacking campaign isn't focused on specific individuals or organizations. Himanshu Anand, the researcher who documented c/side’s findings, described it as a “spray and pray” attack. The goal is to compromise any visitor to the affected websites.
The method involves a deceptive redirection. When a user accesses a compromised WordPress site, the content dynamically changes.
Fake Chrome Update Page
Visitors are presented with a fraudulent Chrome browser update page. This page urges them to download and install an update to continue viewing the website. Accepting this prompt initiates the download of a malicious file.
The specific malicious file offered is tailored to the visitor’s operating system – either Windows or Mac – disguising itself as a legitimate update.
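As an added, defender-side illustration (not code from c/side, TechCrunch or the article), the checker below flags in a fetched WordPress page the three things the article describes: an external script loaded from a domain outside the site's own allowlist, an inline script that inspects the visitor's operating system and then rewrites the page, and visible fake-update wording. The sample HTML, its domains and paths are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording typical of the fake "update Chrome to continue viewing" lure.
LURE_PHRASES = ("update your browser", "chrome update", "to continue viewing")
# Inline script that inspects the visitor's OS and then rewrites the page.
OS_TAILORING = re.compile(r"navigator\.(platform|userAgent)", re.I)
DOM_REWRITE = re.compile(r"document\.write|innerHTML|location\.(href|replace)", re.I)

class ScriptCollector(HTMLParser):
    """Collect external script URLs, inline script bodies and visible text."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self.text = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.inline if self._in_script else self.text).append(data)

def scan_page(html, allowed_domains):
    """Return a list of (kind, detail) findings for one page's HTML."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host not in allowed_domains:
            findings.append(("unexpected-script-domain", host))
    for body in p.inline:
        if OS_TAILORING.search(body) and DOM_REWRITE.search(body):
            findings.append(("os-tailored-rewrite", body.strip()[:40]))
    visible = " ".join(p.text).lower()
    findings += [("fake-update-lure", ph) for ph in LURE_PHRASES if ph in visible]
    return findings

# Constructed sample page (domains and paths are made up, not from the campaign).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.injected.example/loader.js"></script>
<script>if(/Mac/.test(navigator.platform)){location.replace("/chrome-update.dmg")}</script>
</head><body><h1>Update your browser</h1><p>Install the Chrome update to continue viewing this site.</p></body></html>"""
```

Run `scan_page(SAMPLE_HTML, {"cdn.wordpress.example"})` to see one finding per indicator; a page that only loads same-origin scripts and carries no lure text returns an empty list.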
WordPress Developers Notified
c/side promptly notified Automattic, the company behind WordPress.com, about the ongoing hacking campaign. They also provided a list of malicious domains associated with the attacks.
Automattic acknowledged receipt of the information. However, a spokesperson initially declined to comment.
Responsibility for Plugin Security
Following publication, Automattic clarified that the security of third-party plug-ins is ultimately the responsibility of the plug-in developers themselves.
The company emphasized the existence of specific guidelines and a comprehensive Plugin Handbook. These resources are designed to help developers maintain the quality and security of their plug-ins.
Scale of the Compromise
c/side has identified over 10,000 websites believed to be compromised as part of this operation. The discovery was made through internet crawling and reverse DNS lookups.
Reverse DNS lookups helped identify additional domains hosting the malicious scripts.
Verification and Ongoing Threat
While TechCrunch couldn’t independently verify c/side’s exact figures, they confirmed that at least one hacked WordPress website was still actively displaying the malicious content on Tuesday.
This indicates the campaign is ongoing and poses a continued threat to internet users.
Malicious Software Distribution Originating from WordPress
Two distinct malware variants are currently being disseminated through compromised websites: Amos (also referred to as Amos Atomic Stealer), specifically designed for macOS operating systems, and SocGholish, targeting Windows users.
Cybersecurity specialists at SentinelOne released a detailed report in May 2023 concerning Amos. This report categorized the software as an infostealer – a malicious program engineered to compromise systems and extract a wide range of sensitive information. This includes usernames, passwords, session cookies, cryptocurrency wallet details, and other data crucial for unauthorized access to victim accounts and digital assets.
Cyble, another cybersecurity firm, concurrently reported the availability of Amos malware access for sale on the Telegram messaging platform.
Patrick Wardle, a recognized authority on macOS security and co-founder of DoubleYou, a cybersecurity company specializing in Apple products, indicated to TechCrunch that Amos is “unequivocally the most widespread stealer affecting macOS.” It operates under a malware-as-a-service model, where the original developers offer the malware to other malicious actors for deployment.
Wardle further explained that successful installation of the malicious file identified by c/side on a macOS system requires the user to actively execute it. Moreover, bypassing Apple's integrated security measures necessitates navigating a complex series of steps.
Although this campaign may not represent the pinnacle of sophisticated hacking techniques, relying on users to interact with deceptive update pages and subsequently install the malware serves as a crucial reminder. Users should consistently update their Chrome browser utilizing its built-in update functionality and only install applications from trusted sources.
The compromise of credentials through password-stealing malware has been implicated in numerous large-scale hacks and data breaches throughout history.
For example, in 2024, attackers exploited stolen passwords from employees of Snowflake customers to gain widespread access to accounts hosted by the cloud computing provider, Snowflake.
Update Regarding Automattic
This article has been revised to incorporate statements from a representative of Automattic.