Hackers are exploiting outdated versions of WordPress and its plugins to alter thousands of websites in an attempt to trick visitors into downloading and installing malware, security researchers have found.
The hacking campaign is still “very live,” Simon Wijckmans, founder and CEO of the web security company c/side, which discovered the attacks, told TechCrunch on Tuesday.
The hackers' goal is to distribute malware capable of stealing passwords and other personal information from Windows and Mac users. Some of the hacked websites rank among the most popular sites on the internet, according to c/side.
“This is a widespread and very commercialized attack,” Himanshu Anand, who wrote up the company's findings, told TechCrunch. Anand said the campaign is a “spray and pray” attack that aims to compromise anyone who visits these websites rather than targeting a specific person or group.
When a hacked WordPress site loads in a visitor's browser, the page content quickly changes to display a fake Chrome browser update page, asking the visitor to download and install an update in order to view the website, the researchers found. If the visitor accepts, the hacked website pushes a malicious file disguised as the update, chosen according to whether the visitor is on Windows or macOS.
Wijckmans said he notified Automattic, the company that develops and distributes WordPress, about the hacking campaign and sent it the list of malicious domains, and that his contact at the company acknowledged receipt of the email.
When reached by TechCrunch before publication, Automattic spokesperson Megan Fox did not comment.
c/side said it identified more than 10,000 websites that appear to have been compromised as part of this campaign. Wijckmans said the company detected the malicious scripts on various domains by crawling the internet and then performing reverse DNS lookups, a technique for finding domains and websites associated with a given IP address, which turned up further domains hosting the same malicious scripts.
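The infrastructure pivot described above, as an added example that is not c/side's tooling (the article only says it crawled sites and ran reverse DNS lookups): crawled pages are scanned for third-party script tags, each script host is resolved to an IP, and every script host and page that shares an IP with one known-bad script host is surfaced. The page HTML, the hostnames (all under the reserved `.test` TLD) and the `FORWARD_DNS` table are constructed stand-ins; in practice the resolver would be a live DNS or passive-DNS query, and a PTR (reverse) lookup alone returns only one name per IP, so passive DNS is what actually gives the IP-to-many-domains view.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample crawl: three fictional WordPress front pages.
# None of the hostnames are indicators from the article.
CRAWLED_PAGES = {
    "blog-a.example.test": (
        '<html><head><script src="https://cdn.jquery.example.test/jquery.js"></script>'
        '<script src="https://update-assets.example.test/init.js"></script></head>'
        '<body><p>Welcome</p><script src="/wp-includes/js/local.js"></script></body></html>'
    ),
    "shop-b.example.test": (
        '<html><head><script src="https://cdn.jquery.example.test/jquery.js"></script>'
        '</head><body><p>Store</p></body></html>'
    ),
    "news-c.example.test": (
        '<html><body><p>News</p>'
        '<script src="//static-loader.example.test/app.js"></script></body></html>'
    ),
}

# Constructed stand-in for forward DNS resolution (hostname -> IP).
# Two script hosts deliberately share one IP to model shared hostile infrastructure.
FORWARD_DNS = {
    "cdn.jquery.example.test": "198.51.100.10",
    "update-assets.example.test": "203.0.113.7",
    "static-loader.example.test": "203.0.113.7",
}


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_script_hosts(page_host, html):
    """Return the set of third-party hosts a page loads scripts from.

    Relative and same-origin script paths are ignored; protocol-relative
    URLs ("//host/path") are resolved to their host.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def build_ip_index(pages, resolve):
    """Map IP -> script hosts served from it, and script host -> pages embedding it."""
    ip_to_hosts = defaultdict(set)
    host_to_pages = defaultdict(set)
    for page_host, html in pages.items():
        for host in external_script_hosts(page_host, html):
            host_to_pages[host].add(page_host)
            ip = resolve(host)
            if ip:
                ip_to_hosts[ip].add(host)
    return ip_to_hosts, host_to_pages


def pivot(known_bad_host, pages, resolve):
    """Starting from one known-bad script host, find every other script host on
    the same IP and every crawled page that embeds any of them."""
    ip_to_hosts, host_to_pages = build_ip_index(pages, resolve)
    bad_ip = resolve(known_bad_host)
    related_hosts = set(ip_to_hosts.get(bad_ip, ())) if bad_ip else set()
    affected_pages = set()
    for host in related_hosts:
        affected_pages |= host_to_pages.get(host, set())
    return related_hosts, affected_pages


if __name__ == "__main__":
    hosts, pages = pivot("update-assets.example.test", CRAWLED_PAGES, FORWARD_DNS.get)
    print("script hosts sharing infrastructure:", sorted(hosts))
    print("pages to investigate:", sorted(pages))
```

The resolver is passed in as a callable so the same pivot can be driven by a real lookup (for example `socket.gethostbyname`, or a passive-DNS client) without changing the parsing logic; the shared-IP heuristic is a starting point for investigation, not proof of compromise, since shared hosting and CDNs put unrelated domains behind one address.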
TechCrunch was unable to independently confirm c/side's figures, but we saw one hacked WordPress website that was still showing the malicious content on Tuesday.
From WordPress to malware to infostealing
The two types of malware being pushed through the compromised websites are known as AMOS (Atomic macOS Stealer), which targets macOS users, and SocGholish, which targets Windows users.
In May 2023, the cybersecurity company SentinelOne published a report on AMOS, classifying the malware as an infostealer, a type of malware designed to infect computers and steal usernames and passwords, session cookies, and crypto wallets, in order to take over the victim's accounts and steal their digital currency. The cybersecurity company Cyble reported at the time that it had found hackers selling access to the AMOS malware on Telegram.
Patrick Wardle, a macOS security expert and co-founder of the Apple-focused cybersecurity startup DoubleYou, told TechCrunch that AMOS is “definitely the most prolific stealer on macOS,” and was built on the malware-as-a-service business model, meaning the malware's developers and owners sell it to the hackers who distribute it.
Wardle also noted that for someone to successfully install the malicious file found by c/side, “the user still has to manually run it and jump through many hoops to get around Apple's built-in security.”
Although this may not be the most advanced hacking campaign, since the hackers rely on their targets falling for the fake update page and then installing the malware themselves, it is a good reminder to update the Chrome browser only through its built-in software update feature and to install only trusted apps on your personal devices. A genuine Chrome update is never delivered as a file downloaded from a third-party website; a page that demands such a download before it will display is a sign the site itself has been compromised.
Password-stealing malware and credential theft have been blamed for some of the biggest hacks and data breaches in history. In 2024, hackers broke into the accounts of a series of corporate giants that hosted their sensitive data with the cloud computing company Snowflake, using passwords stolen from the computers of Snowflake's customers.