Thousands of WordPress websites hacked via plugin looking to steal user data

Hackers found installing malicious plugins on already compromised WordPress sites

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A new variant of the infamous ClearFake (AKA ClickFix)malwarehas been detected in the wild, and has already managed to compromise thousands of WordPresswebsite buildersites.

Researchers from GoDaddy claim to have spotted a variant of this campaign, which installs malicious plugins. The threat actors would use the credentials stolen elsewhere (or bought on the black market) to log into the website’s WordPress admin account, and install a seemingly benign plugin.

The victims are then enticed to download an update, which is just a piece of malware that steals sensitive data, or does something else but equally sinister.

Thousands of compromised websites

In turn, the plugin displays the various popups, requesting the victims do different actions (all of which lead to the installation of infostealers).

The entire process is automated and so far more than 6,000 WordPress websites have fallen prey.

“These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users,” the researchers are saying. The plugins are “seemingly legitimate” as they carry household names in the WordPress world, such as Wordfense Security, or LiteSpeed Cache.

Here is the full list of the plugins spotted so far:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

LiteSpeed Cache ClassicMonsterInsights ClassicWordfence Security ClassicSearch Rank EnhancerSEOBooster ProGoogle SEO EnhancerRank Booster ProAdmin Bar CustomizerAdvanced User ManagerAdvanced Widget ManageContent BlockerUniversal Popup Plugin

ClearFake is a type of malware attack we’ve all seen in the past - a website is compromised and used to display a fake popup notification. This notification usually mimics an antivirus warning, or a browser notification, and informs the user that their computer is either infected with a virus, or outdated and therefore unable to display the desired website.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics