
Hackers Target WordPress Sites to Spread Malware on Windows and Mac

According to security researchers, thousands of websites running outdated versions of WordPress and its plugins are being hacked. The goal is to trick visitors into downloading and installing malware.

Web security firm c/side’s founder and CEO, Simon Wijckmans, told Techjuice on Tuesday that the hacking campaign is “very much live.”

The hackers’ plan involves spreading malware that can steal sensitive information, including passwords, from users of both Mac and Windows computers. According to c/side, several of the hacked websites rank among the most visited on the internet.

“This is a widespread and very commercialized attack,” Himanshu Anand, who wrote up the company’s findings, told Techjuice. Anand described the campaign as a “spray and pay” assault, meaning that rather than targeting any one individual or organization, it seeks to compromise everyone who accesses these websites.

How Does the Attack Work?

The researchers discovered that when a user loads one of the hacked WordPress sites in their browser, the content swiftly changes to show a fake Chrome browser update page. The page then asks the visitor to install the update in order to continue viewing the site. If the visitor approves, the hacked website serves a malicious file posing as the update, selecting the Windows or Mac payload according to the visitor’s operating system.

According to Wijckmans, they notified Automattic—the makers and distributors of WordPress.com—about the hacking campaign and sent them a list of rogue domains. A contact at Automattic confirmed that they had received their email.

Megan Fox, a spokeswoman for Automattic, did not respond when Techjuice contacted her before publishing.

According to c/side, more than 10,000 websites seem to have been infiltrated by this cyberattack. Wijckmans said the company found the harmful scripts on several websites by scanning the internet and using a method called reverse DNS lookup. This method identifies the websites associated with a specific IP address, which uncovered more sites carrying the same harmful scripts.

Although Techjuice was unable to verify the accuracy of c/side’s data, on Tuesday we observed a single compromised WordPress site that continued to display the harmful content.

How Do WordPress Exploits Lead to Infostealing Malware?

The malicious websites are pushing two forms of malware: Amos (aka Amos Atomic Stealer) for macOS users and SocGholish for Windows users.

Cybersecurity firm SentinelOne released a report on Amos in May 2023. The malware was classified as an infostealer, meaning it infects computers and steals login credentials, session cookies, cryptocurrency wallets, and other sensitive data. The hackers then use this information to further breach the victim’s accounts and steal their digital currency. Around the same time, cybersecurity company Cyble announced that it had discovered hackers offering access to the Amos malware on Telegram.

An expert on macOS security and co-founder of the cybersecurity firm DoubleYou, Patrick Wardle, told Techjuice that Amos is “definitively the most prolific stealer on macOS” and was built using the malware-as-a-service model, wherein the creators and owners of the malware sell it to hackers, who subsequently install it.

Regarding the malicious file discovered by c/side, Wardle said that “the user still has to then manually run it, and jump through a lot of hoops to bypass Apple’s built-in security” in order to install it successfully on macOS.

This is just a friendly reminder to always use the most recent version of Chrome by using its built-in software update feature and to only install apps from trusted sources on your personal devices. Hackers depend on their victims falling for the fake update page and installing malware.

Some of the most significant thefts and data breaches in history have been attributed to password-stealing malware and credential theft. In 2024, hackers used passwords obtained from Snowflake’s clients’ laptops to mass-raid the accounts of business titans that stored their critical data there.

Published by Huma Ishfaq
