WordPress sites are being hacked to install malicious plugins that show fake software updates and bugs to push information-stealing malware.
Over the past few years, information-stealing malware has become a scourge for security defenders worldwide, as stolen credentials are used to breach networks and steal data.
Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware.
In 2024, a new campaign called ClickFix was introduced that bears many similarities to ClearFake but instead pretends to be software error messages with included fixes. However, these “fixes” are PowerShell scripts that, when executed, will download and install information-stealing malware.
ClickFix campaigns have become increasingly common this year, with threat actors compromising sites to display banners showing fake errors for Google Chrome, Google Meet conferences, Facebook, and even CAPTCHA pages.
Malicious WordPress plugins
Last week, GoDaddy reported that ClearFake/ClickFix threat actors have breached more than 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns.
“The GoDaddy security team is detecting a new version of ClickFix (also known as ClearFake) fake browser update malware that is distributed via fake WordPress plugins,” explains GoDaddy security researcher Denis Sinegubko.
“These seemingly legitimate plug-ins are designed to appear harmless to website administrators but contain embedded malicious scripts that provide end users with fake browser update prompts.”
Malicious plugins use names similar to those of legitimate plugins, such as Wordfence Security and LiteSpeed Cache, while others use generic, made-up names.
Here is the list of malicious plugins seen in this campaign between June and September 2024:
LiteSpeed Cache Classic
MonsterInsights Classic
Wordfence Security Classic
Search Rank Booster
SEO Booster Pro
Google SEO Booster
Rank Booster Pro
Admin Bar Customizer
Advanced User Manager
Advanced Widget Manage
Content Blocker
Custom CSS Injector
Custom Footer Generator
Custom Login Styler
Dynamic Sidebar Manager
Easy Themes Manager
Form Builder Pro
Quick Cache Cleaner
Responsive Menu Builder
SEO Optimizer Pro
Simple Post Enhancer
Social Media Integrator
Website security firm Sucuri also noted that a fake plugin called “Universal Popup Plugin” is part of this campaign.
Once installed, the malicious plugin hooks various WordPress actions to inject a malicious JavaScript script into the site’s HTML, with the exact injection depending on the type of site.
When loaded, this script attempts to load another malicious JavaScript file from a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix scripts that display the fake banners.
From web server access logs analyzed by Sinegubko, threat actors appear to be using stolen admin credentials to log into a WordPress site and automatically install plugins.
As you can see from the image below, the threat actors log in via a single POST HTTP request instead of first visiting the site’s login page. This indicates that the login is automated and performed after the credentials have already been obtained.
After the threat actor logs in, they upload and install malicious plugins.
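A detection check for the login pattern just described, written as an added example that is not part of the GoDaddy report: it reads Apache-style access-log lines, flags IPs that POST credentials to wp-login.php without ever requesting the login page first, and notes whether the same IP then uploads a plugin. The log lines are constructed, and the upload endpoint is assumed to be WordPress’s standard wp-admin/update.php?action=upload-plugin handler.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2024:10:05:02 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield a dict (ip, ts, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_direct_logins(text):
    """Return per-IP findings for the automated-login pattern.

    An IP is flagged when it POSTs to wp-login.php without a prior GET of the
    login page from the same IP (a browser always fetches the form first).
    A later plugin upload from a flagged IP is recorded as well (assumed
    endpoint: wp-admin/update.php?action=upload-plugin).
    """
    seen_login_get = set()
    findings = defaultdict(lambda: {"direct_post_login": False, "plugin_upload": False})
    for rec in parse_log(text):
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?")[0]
        if path.endswith("/wp-login.php"):
            if method == "GET":
                seen_login_get.add(ip)
            elif method == "POST" and ip not in seen_login_get:
                findings[ip]["direct_post_login"] = True
        elif ip in findings and method == "POST" and "upload-plugin" in rec["path"]:
            findings[ip]["plugin_upload"] = True
    return dict(findings)


if __name__ == "__main__":
    for ip, info in find_direct_logins(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a flagged IP that also uploaded a plugin is the sequence the article describes.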
While it’s unclear how the threat actors are obtaining the credentials, the researcher notes that it could be through previous brute-force attacks, phishing, and information-stealing malware.
If you operate a WordPress site and are receiving reports of visitors being shown fake alerts, you should immediately review your list of installed plugins and remove any you did not install yourself.
If you find unknown plugins, you should reset any admin users’ passwords to unique passwords used only on your site.