Thousands of WordPress websites have been hacked to spread malware via fake updates

Threat actors have launched a campaign in which they hack WordPress websites by logging in with stolen credentials and installing malicious plugins. Over 6,000 WordPress websites have already been targeted.
The GoDaddy Security Team has discovered a new variant of the ClickFix fake browser update that spreads malware via bogus WordPress plugins.
“These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users,” security researchers say.
Threat actors start these campaigns by logging into websites with stolen but legitimate login information.
Next, they install fake WordPress plugins. To gain the trust of end-users, threat actors use the names of popular and legitimate plugins, such as Wordfence Security and LiteSpeed Cache. Others utilize generic, made-up names like Advanced User Manager or Quick Cache Cleaner. To throw off administrators, all information in the plugin metadata is fake, although, at first glance, it looks legit.
The bogus plugins inject malicious JavaScript that shows users a prompt containing a fake browser update notification. The goal is to persuade users to install malware on their computers, including infostealers like Vidar Stealer and Lumma Stealer.
An infostealer is malicious software developed to steal login credentials for online banking and crypto wallets, as well as login information for a wider range of programs, like WordPress or dashboards like cPanel.
This campaign was first observed in August 2023. Back then, it was called ClearFake. The most recent variant is dubbed ClickFix and was first discovered in June 2024. Over 6,000 WordPress websites to date have been hacked to spread infostealing malware.
How threat actors were able to obtain login credentials remains unclear. The researchers note it could be through previous brute force attacks, phishing campaigns or infostealing malware.
If you’re a WordPress administrator and are receiving reports of fake alerts, you should carefully go through the list of installed plugins and remove any that you didn’t install yourself. In addition, you should change your password, as it may have been compromised.
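The plugin review described above can be scripted. This is an added example, not code from the GoDaddy researchers: it reads the "Plugin Name" header of each plugin under a plugins directory and reports every plugin whose slug is not on a list the administrator maintains. The `approved` mapping, the slugs, and the sample directory are constructed assumptions.

```python
import difflib
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header in the plugin's PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M | re.I)

def plugin_name(php_file):
    """Return the 'Plugin Name' header found in the first 8 KB, or None."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    match = HEADER_RE.search(head)
    return match.group(1) if match else None

def audit_plugins(plugins_dir, approved):
    """List (slug, name, reason) for every plugin the admin did not approve.

    approved maps slug (directory or file stem) -> name the admin installed.
    """
    known = {name.lower(): name for name in approved.values()}
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        files = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        names = [n for f in files if f.suffix == ".php" and (n := plugin_name(f))]
        slug = entry.name if entry.is_dir() else entry.stem
        if not names or slug in approved:
            continue
        # Display names are attacker-controlled, so a familiar name under an
        # unapproved slug is a stronger signal than an unfamiliar one.
        close = difflib.get_close_matches(names[0].lower(), known, n=1, cutoff=0.8)
        reason = f"imitates '{known[close[0]]}'" if close else "not in approved list"
        findings.append((slug, names[0], reason))
    return findings

def demo():
    """Audit a constructed plugins directory (all slugs are sample values)."""
    approved = {"wordfence": "Wordfence Security", "litespeed-cache": "LiteSpeed Cache"}
    sample = dict(approved, **{"litespeed-cache-x": "LiteSpeed Cache",
                               "quick-cache-cleaner": "Quick Cache Cleaner"})
    with tempfile.TemporaryDirectory() as root:
        for slug, name in sample.items():
            folder = Path(root, slug)
            folder.mkdir()
            Path(folder, slug + ".php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n */\n")
        return audit_plugins(root, approved)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

Matching is done on the directory slug rather than the display name because, as noted above, the metadata of the bogus plugins is fake and cannot be trusted.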