Hackers are abusing outdated WordPress versions and vulnerable plug-ins to compromise thousands of websites. Their objective is to trick visitors into downloading and installing malware, according to security researchers.
A Live and Widespread Attack
Simon Wijckmans, founder and CEO of web security company c/side, which discovered the attack, confirmed that the hacking campaign is still ongoing.
The malware is designed to steal passwords and personal information from both Windows and Mac users. Some of the compromised websites rank among the most well-known on the internet, making the threat even more alarming.
A “Spray and Pray” Cyberattack
Himanshu Anand, a security researcher at c/side, describes the campaign as a “spray and pray” attack, meaning the hackers aim to infect as many users as possible rather than targeting particular individuals.
When a user visits an infected WordPress site, the page content is replaced with a fake Chrome browser update page. This prompts the visitor to download a malicious file disguised as an update, with different versions for Windows and macOS.
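Because the lure is served inside the compromised page itself, a site owner or defender can catch it by inspecting the HTML a visitor actually receives. The following Python script is an added example, not c/side's tooling or anything from the original article: it parses a page, flags `<script src>` tags that load from hosts outside an allowlist, and flags visible text matching common fake-update phrases. The hostnames (`blog.example`, `cdn.example`, `injected-host.example`), the lure phrase list and the two sample pages are constructed for the demonstration.

```python
"""Heuristic scan of a web page's HTML for signs of an injected fake-browser-update lure.

Added example, not from c/side or the article. Two checks:
  1. <script src=...> tags whose host is neither the site itself nor an allowlisted CDN
  2. visible page text that matches typical "your browser is out of date" lure phrases
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of lure phrases seen in fake-update overlays; extend for your own pages.
LURE_PATTERNS = [
    re.compile(r"(chrome|browser)\s+(is\s+)?out\s+of\s+date", re.I),
    re.compile(r"update\s+(your\s+)?(chrome|browser)", re.I),
    re.compile(r"critical\s+(chrome|browser)\s+update", re.I),
]


class _Collector(HTMLParser):
    """Collects external script sources and the page's visible text."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.text_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only visible text is kept; script bodies are skipped so JS strings don't trigger lure matches.
        if not self._in_script and data.strip():
            self.text_chunks.append(data.strip())


def scan_page(html, site_host, allowed_hosts=()):
    """Return a list of finding strings; an empty list means nothing suspicious was seen."""
    parser = _Collector()
    parser.feed(html)
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in parser.script_srcs:
        host = urlparse(src).hostname
        if host is None:  # relative URL, served first-party
            continue
        if host.lower() not in allowed:
            findings.append(f"third-party script from unexpected host: {host}")
    text = " ".join(parser.text_chunks)
    for pattern in LURE_PATTERNS:
        match = pattern.search(text)
        if match:
            findings.append(f"update-lure text: {match.group(0)!r}")
    return findings


# Constructed sample pages: a clean WordPress front page and one with an injected overlay.
CLEAN_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example/lib.js"></script></head>
<body><h1>Welcome to our blog</h1><p>Latest posts below.</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://injected-host.example/loader.js"></script></head>
<body><h1>Welcome to our blog</h1>
<div class="overlay">Your Chrome is out of date. Update Chrome now to continue.</div>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, "->", scan_page(page, "blog.example", allowed_hosts=("cdn.example",)) or "no findings")
```

Run it against the HTML fetched with a plain, non-browser client and against the same URL rendered in a real browser; fake-update injections often only appear for the latter, so a difference between the two fetches is itself a signal worth investigating.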
WordPress Developer Alerted
Wijckmans reported the attack to Automattic, the company behind WordPress.com, sharing details of the malicious domains. While Automattic acknowledged receipt of the report, spokesperson Megan Fox declined to comment.
Over 10,000 Websites Affected
C/side’s investigation revealed that over 10,000 websites have been compromised. By crawling the internet and performing reverse DNS lookups, the security firm identified multiple domains hosting malicious scripts.
They were unable to verify the exact number of affected sites but confirmed at least one WordPress website was still displaying malicious content.
Malware Targeting Windows and Mac Users
The attack deploys two distinct types of malware:
- Amos (Atomic Stealer): Targets macOS users, stealing passwords, session cookies, crypto wallets, and other sensitive data.
- SocGholish: Targets Windows users with similar infostealing capabilities.
Amos: A Leading macOS Threat
In May 2023, cybersecurity firm SentinelOne classified Amos as an infostealer. Hackers have been selling access to this malware on Telegram, according to cybersecurity firm Cyble.
Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, described Amos as “the most prolific stealer on macOS.” He explained that while installing the malware requires users to bypass Apple’s built-in security, it remains a significant threat.
How to Stay Safe
Although this attack relies on tricking users into downloading fake updates, it serves as a critical reminder to stay vigilant:
- Always update Chrome through its built-in software update feature.
- Download and install applications only from trusted sources.
- Enable security features on your operating system to prevent unauthorized installations.
The Bigger Picture: Password Theft and Major Breaches
Password-stealing malware has been responsible for some of the most significant cyberattacks in history. In 2024, hackers used stolen credentials to breach corporate accounts hosted on cloud computing giant Snowflake. This highlights the growing risk of credential theft and the importance of strong cybersecurity practices.
By staying informed and cautious, users can reduce their chance of falling victim to these widespread cyber threats.