Hackers are hijacking WordPress websites to push Windows and Mac malware | TechCrunch


Hackers are exploiting outdated versions of WordPress and plug-ins to alter hundreds of websites in an attempt to trick visitors into downloading and installing malware, security researchers have found.

The hacking campaign is still “very much live,” Simon Wijckmans, the founder and CEO of web security company c/side, which discovered the attacks, told TechCrunch on Tuesday.

The hackers’ goal is to spread malware capable of stealing passwords and other personal information from both Windows and Mac users. Some of the hacked websites are ranked among the most popular sites on the internet, according to c/side.

“This is a widespread and very commercialized attack,” Himanshu Anand, who wrote up the company’s findings, told TechCrunch. Anand said the campaign is a “spray and pay” attack that aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.

When the hacked WordPress sites load in a user’s browser, the content quickly changes to display a fake Chrome browser update page, requesting that the website visitor download and install an update in order to view the website, the researchers found. If a visitor accepts the update, the hacked website will prompt the visitor to download a different malicious file masquerading as the update, depending on whether the visitor is on a Windows PC or a Mac.

Wijckmans said that they alerted Automattic, the company that develops and distributes WordPress, about the hacking campaign and sent them the list of malicious domains, and that their contact at the company acknowledged receipt of their email.

When reached by TechCrunch prior to publication, Megan Fox, a spokesperson for Automattic, did not comment.

C/side said it identified over 10,000 websites that appear to have been compromised as part of this hacking campaign. Wijckmans said the company detected malicious scripts on several domains by crawling the internet and performing reverse DNS lookups, a technique to find domains and websites associated with a certain IP address, which revealed more domains hosting the malicious scripts.

TechCrunch could not confirm the accuracy of c/side’s figures, but we saw one hacked WordPress website that was still displaying the malicious content on Tuesday.

From WordPress to infostealing malware

The two types of malware being pushed on the malicious websites are known as Amos (or Amos Atomic Stealer), which targets macOS users; and SocGholish, which targets Windows users.

In May 2023, cybersecurity firm SentinelOne published a report on Amos, classifying the malware as an infostealer, a type of malware designed to infect computers and steal as many usernames and passwords, session cookies, crypto wallets, and other sensitive data as it can, which allows the hackers to further break into the victim’s accounts and steal their digital currency. Cybersecurity company Cyble reported at the time that it had found hackers advertising access to the Amos malware on Telegram.

Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, told TechCrunch that Amos is “definitively the most prolific stealer on macOS,” and was created with the malware-as-a-service business model, meaning the developers and owners of the malware sell it to the hackers who then deploy it.

Wardle also noted that for someone to successfully install on macOS the malicious file found by c/side, “the user still has to then manually run it, and jump through a lot of hoops to bypass Apple’s built-in security.”

While this may not be the most advanced hacking campaign, given that the hackers rely on their targets to fall for the fake update page and then install the malware, it is a good reminder to update your Chrome browser via its built-in software update feature and to install only trusted apps on your personal devices.

Password-stealing malware and the theft of credentials have been blamed for some of the largest hacks and data breaches in history. In 2024, hackers mass-raided the accounts of corporate giants who hosted their sensitive data with cloud computing giant Snowflake by using passwords stolen from the computers of employees of Snowflake’s customers.
