Hackers are exploiting outdated versions of WordPress and plug-ins to alter thousands of websites in an attempt to trick visitors into downloading and installing malware, security researchers have found.
The hacking campaign is still "very much live," Simon Wijckmans, the founder and CEO of web security company c/side, which discovered the attacks, told information.killnetswitch on Tuesday.
The hackers' goal is to spread malware capable of stealing passwords and other personal information from both Windows and Mac users. Some of the hacked websites rank among the most popular sites on the internet, according to c/side.
"This is a widespread and very commercialized attack," Himanshu Anand, who wrote up the company's findings, told information.killnetswitch. Anand said the campaign is a "spray and pay" attack that aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.
When the hacked WordPress sites load in a user's browser, the content quickly changes to display a fake Chrome browser update page, asking the visitor to download and install an update in order to view the website, the researchers found. If a visitor accepts the update, the hacked website prompts the visitor to download a malicious file disguised as the update, serving a different file depending on whether the visitor is on a Windows PC or a Mac.
Wijckmans said that they alerted Automattic, the company that develops and distributes WordPress, about the hacking campaign and sent them the list of malicious domains, and that their contact at the company acknowledged receipt of their email.
When reached by information.killnetswitch prior to publication, Megan Fox, a spokesperson for Automattic, did not comment.
C/side said it identified over 10,000 websites that appear to have been compromised as part of this hacking campaign. Wijckmans said the company detected malicious scripts on several domains by crawling the web and by performing reverse DNS lookups, a technique for finding domains and websites associated with a given IP address, which revealed more domains hosting the malicious scripts.
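The injected fake-update behaviour described above (page content swapped for a Chrome update lure, payload chosen by the visitor's platform) and the idea of scanning pages for injected scripts can be turned into a simple site-owner check. The following Python scanner is an added example, not c/side's tooling or code from the article: it flags script tags loaded from hosts outside the site and an assumed allowlist, and inline scripts that combine OS detection with update wording. The allowlist, the site host and the HTML sample are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of third-party script hosts a site owner knows to be legitimate.
ALLOWED_HOSTS = {"fonts.googleapis.com", "cdnjs.cloudflare.com"}


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_page(html, site_host):
    """Return (finding_type, detail) tuples for scripts matching the two heuristics."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for same-site relative paths such as /wp-includes/...
        if host and host != site_host and host not in ALLOWED_HOSTS:
            findings.append(("external-script", host))
    for body in parser.inline:
        # Fake-update lure: branches on the visitor's OS and talks about an update.
        if re.search(r"navigator\.(platform|userAgent)", body) and re.search(r"update", body, re.I):
            findings.append(("fake-update-inline", body.strip()[:60]))
    return findings


# Constructed sample: a WordPress page with one injected loader and one inline lure.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://fonts.googleapis.com/x.js"></script>
<script src="//cdn.injected-example.invalid/loader.js"></script></head>
<body><p>Hello</p><script>
if (/Win/.test(navigator.platform)) { document.body.innerHTML = "<h1>Update Chrome to continue</h1>"; }
</script></body></html>"""
```

Running `scan_page(SAMPLE_PAGE, "blog.example")` reports the injected loader host and the inline lure while leaving the site's own jQuery and the allowlisted font host alone.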
information.killnetswitch could not confirm the accuracy of c/side's figures, but we saw one hacked WordPress website that was still displaying the malicious content on Tuesday.
From WordPress to infostealing malware
The two types of malware being pushed on the malicious websites are known as Amos (or Amos Atomic Stealer), which targets macOS users, and SocGholish, which targets Windows users.
In May 2023, cybersecurity firm SentinelOne published a report on Amos, classifying the malware as an infostealer, a type of malware designed to infect computers and steal as many usernames and passwords, session cookies, crypto wallets, and other sensitive data as it can, allowing the hackers to break further into the victim's accounts and steal their cryptocurrency. Cybersecurity firm Cyble reported at the time that it had found hackers advertising access to the Amos malware on Telegram.
Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, told information.killnetswitch that Amos is "definitively the most prolific stealer on macOS," and was built on the malware-as-a-service business model, meaning the developers and owners of the malware sell it to the hackers who then deploy it.
Wardle also noted that for someone to successfully install on macOS the malicious file found by c/side, "the user still has to then manually run it, and jump through several hoops to bypass Apple's built-in security."
While this may not be the most advanced hacking campaign, given that the hackers rely on their targets falling for the fake update page and then installing the malware, it is a good reminder to update your Chrome browser through its built-in software update feature and to install only trusted apps on your personal devices.
Password-stealing malware and the theft of credentials have been blamed for some of the biggest hacks and data breaches in history. In 2024, hackers mass-raided the accounts of corporate giants that hosted their sensitive data with cloud computing giant Snowflake by using passwords stolen from the computers of employees of Snowflake's customers.