6,000 WordPress hacked to install plugins pushing infostealers

Hackers are breaking into WordPress sites and installing malicious plugins that display fake software updates and error messages in order to spread information-stealing malware.

Over the past few years, information-stealing malware has become a major problem for security professionals worldwide, because the stolen credentials are used to break into networks and steal data.

Since 2023, a campaign known as ClearFake has used compromised websites to spread information-stealing malware by displaying fake web browser update banners.

In 2024, a new campaign called ClickFix emerged. It closely resembles ClearFake, but instead displays fake software error messages accompanied by "fixes". These "fixes" are actually PowerShell scripts that, when run, download and install information-stealing malware.

This year, ClickFix campaigns have become more common, with threat actors compromising websites to display fake error banners for Google Chrome, Google Meet conferences, Facebook, and even captcha pages.

Malicious WordPress plugins

Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns.

“The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins,” explains GoDaddy security researcher Denis Sinegubko.

“These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users.”

The malicious plugins use names similar to those of legitimate plugins, such as Wordfence Security and LiteSpeed Cache, while others use generic, made-up names.

The list of malicious plugins seen in this campaign between June and September 2024 is:

LiteSpeed Cache Classic
MonsterInsights Classic
Wordfence Security Classic
Search Rank Enhancer
SEO Booster Pro
Google SEO Enhancer
Rank Booster Pro
Admin Bar Customizer
Advanced User Manager
Advanced Widget Manage
Content Blocker
Custom CSS Injector
Custom Footer Generator
Custom Login Styler
Dynamic Sidebar Manager
Easy Themes Manager
Form Builder Pro
Quick Cache Cleaner
Responsive Menu Builder
SEO Optimizer Pro
Simple Post Enhancer
Social Media Integrator

Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is part of this campaign.

When installed, the malicious plugin hooks various WordPress actions, depending on the variant, to inject malicious JavaScript into the site's HTML.

[Image: Injected JavaScript script. Source: GoDaddy]

When loaded, this script attempts to fetch a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which in turn loads the ClearFake or ClickFix script that displays the fake banners.

Sinegubko examined web server access logs and found that the threat actors appear to use stolen admin credentials to log into the WordPress site and install the plugin automatically.

The threat actors log in with a single POST HTTP request rather than visiting the site's login page first, as shown in the image below. This indicates that the process is automated once the credentials have been gathered.

[Image: The threat actor logs in, then uploads and installs the malicious plugin]

It is not clear how the threat actors obtain the credentials, but the researcher suggests it could be through brute-force attacks, phishing, or information-stealing malware.

If you run a WordPress site and hear that users are seeing fake alerts, check the list of installed plugins right away and remove any that you did not install yourself.

If you find plugins that you do not recognize, you should also immediately change the passwords of all admin users to ones that are used only on your site.
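The login pattern described above (a POST to wp-login.php with no preceding GET of the login page, followed by a plugin upload) can be hunted for in web server access logs. The following is an added example, not code from the article or from GoDaddy; the log lines are constructed, and it assumes a standard combined log format and that WordPress answers a successful login with a 302 redirect.

```python
import re

# Constructed sample combined-format log lines (not from the article): a human admin
# who loads the login page before posting, and an automated session that POSTs
# credentials straight away and then uploads a plugin via the wp-admin upload endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:12:05:02 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Yield dicts with ip, ts, method, path and status for each well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_headless_logins(log_text):
    """Return {ip: {"ts": ..., "plugin_upload": bool}} for IPs whose first successful
    (302) POST to wp-login.php was not preceded by a GET of the login page, and note
    whether that IP then hit the plugin-upload endpoint."""
    seen_login_page = set()
    suspects = {}
    for rec in parse(log_text.splitlines()):
        ip, method = rec["ip"], rec["method"]
        path, _, query = rec["path"].partition("?")
        if path.endswith("/wp-login.php"):
            if method == "GET":
                seen_login_page.add(ip)
            elif method == "POST" and rec["status"] == "302" and ip not in seen_login_page:
                suspects.setdefault(ip, {"ts": rec["ts"], "plugin_upload": False})
        elif path.endswith("/wp-admin/update.php") and "action=upload-plugin" in query:
            if ip in suspects:
                suspects[ip]["plugin_upload"] = True
    return suspects

if __name__ == "__main__":
    for ip, info in find_headless_logins(SAMPLE_LOG).items():
        print(f"{ip} logged in without loading the login page at {info['ts']}; "
              f"plugin upload: {info['plugin_upload']}")
```

A hit with plugin_upload set to True is the strongest signal; a headless login alone may also be a legitimate script using application passwords, so confirm against the installed plugin list before acting.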
