News: 0175299353

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Over 6,000 WordPress Hacked To Install Plugins Pushing Infostealers (bleepingcomputer.com)

(Tuesday October 22, 2024 @11:22AM (BeauHD) from the PSA dept.)


WordPress sites are [1]being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports:

> Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

>

> Last week, GoDaddy [2]reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

>

> The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.



[1] https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-hacked-to-install-plugins-pushing-infostealers/

[2] https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials



Wordpress is a massive security risk... (Score:5, Informative)

by SpzToid ( 869795 )

Wordpress is a massive security risk/vector that serves cross functional purposes as a Content Management System (CMS). Just like how Microsoft Outlook, (nay Teams!), also does email.

Re: (Score:2)

by Miles_O'Toole ( 5152533 )

Two organizations I have absolutely no choice about working with use Teams. I've done what I can to protect myself, but I believe it's just a matter of time before one or both of them fall victim to some kind of hack. I only hope they don't drag me down with them.

Re: (Score:3)

by drinkypoo ( 153816 )

We use it at work but we don't put any confidential data into it.

That way, when it inevitably gets compromised, no problem.

It certainly does suck, though. My favorite thing is when it gets disconnected but doesn't tell you. This never happens with the web version but often does with the standalone. It happened more in v1 than it does in v2, but it still happens.

Re: (Score:2)

by coofercat ( 719737 )

Wordpress used to be terrible, but more recently (like maybe 10 years or so) it's almost always "bad plugins" that are the problem, and not the core or the main "decent" plugins. Everyone's got bugs, but as I say, *mostly* it's the lesser used plugins that have the issues.

Either way, 6000 sites could probably be just one hosting provider - it's probably one cheapo provider who thought it would be good to pre-install something or other for their users. Or maybe they're even managed sites, and the end custome

Re:Wordpress is a massive security risk... (Score:5, Informative)

by drinkypoo ( 153816 )

> Wordpress used to be terrible, but more recently (like maybe 10 years or so) it's almost always "bad plugins" that are the problem, and not the core or the main "decent" plugins.

Step one: Go here [1]https://patchstack.com/databas... [patchstack.com]

Step two: Click the menu that says "Everything Wordpress" and change it to "Wordpress core"

Step three: Enjoy the list of XSS vulnerabilities in core which occurred this year.

[1] https://patchstack.com/database/

The cancer of the internet (Score:2)

by bleedingobvious ( 6265230 )

That would be WP, its filthy plugins and all those WP "developers" clogging the net with their particular brand of insecure garbage.

The meltdown going on right now is proving to be immensley entertaining.

Re: (Score:2)

by laughingskeptic ( 1004414 )

What is a bigger cancer: WordPress or Facebook? Because in one PoV, WordPress is the primary tool for self-produced web content that is not Facebook. If WordPress dies, then a lot of what is on WordPress sites today will next be only found on Facebook.

OMG, 0.00000001% of ... (Score:2)

by Qbertino ( 265505 )

... WPs installbase compromised by some shitty plugin installed by people who shouldn't be let near a keyboard let alone a WP admin account. We're all gonna die!

Once again the exploit was caught a few hours in and no harm was done to anyone who knows what he's doing with his WP setups.

Nothing to see here, move along.

Re: (Score:2)

by znrt ( 2424692 )

> ... and no harm was done to anyone who knows what he's doing with his WP setups.

would that be 0.00000001% of that 0.00000001% compromised userbase (by these particular plugins)? i always wondered why people who knew what they were doing used wordpress and its plugins in the first place.

anyway, the average wordpress site i've seen usually shows years of abandon and a spam overgrowth in the comments section.

Re: (Score:2)

by Slyfox696 ( 2432554 )

> i always wondered why people who knew what they were doing used wordpress and its plugins in the first place

Ease of use. Not everyone has the time, even if they have the knowledge, to build numerous websites and customize them to their specific use cases. But, more often than not, if you have a need for a website, there is a Wordpress plugin out there which can do what you need.

I currently manage Wordpress sites which serve as activity information websites, office inventories, help desks, knowledgebases for employees, etc, all of which are hosted locally. It is far easier to download and install Wordpress and a f

Re: (Score:3)

by bleedingobvious ( 6265230 )

> powers

Infects

Who are these people? (Score:3)

by iAmWaySmarterThanYou ( 10095012 )

My 80+ year old mom knows better than to install or click on random shit. She won't even click on legitimate things she doesn't recognize.

Who are these people installing random ass plugins and who are these users running random crap on their PC from stupid pop ups?

It's mind boggling. Maybe it's better all these people get fucked computers and just leave the net.

Re: (Score:1)

by diffract ( 7165501 )

Well, most businesses had to move their stores online because you know, everything has to be on the internet these days. People running the businesses aren't tech-savvy, that's why they are using WordPress. And the general consensus is you have to keep your WordPress updated at all times to avoid security vulnerabilities. The owners will update the moment they see such message.

Oblig (Score:4, Funny)

by Barny ( 103770 )

[1]Obligatory xkcd [xkcd.com]

[1] https://xkcd.com/350/

Re: (Score:3)

by Forty Two Tenfold ( 1134125 )

And nothing of value was lost.

so... (Score:1, Funny)

by prof_robinson ( 2632705 )

...nothing new, then

WP Crowdstrike (Score:3)

by Spinlock_1977 ( 777598 )

Crowdstrike took down a zillion machines by pushing a bad update. That happened because Microsoft provided access to a Windows API that Crowdstrike and other similar tools use that can take down the OS. WP Plugins suffer from the same general problem: The plugin API isn't secure enough. It's time for a new plugin interface designed for security. It's either that, or WP fades and eventually dies.

malpractice, n.:
The reason surgeons wear masks.