Hackers are exploiting outdated versions of WordPress and plug-ins to alter thousands of websites in an attempt to trick visitors to download and install malware, security researchers have found.
The hacking campaign is still “very much live,” Simon Wijckmans, the founder and CEO of web security company c/side, which discovered the attacks, told TechCrunch on Tuesday.
The hackers’ goal is to spread malware capable of stealing passwords and other personal information from both Windows and Mac users. Some of the hacked websites are ranked among the most popular sites on the internet, according to c/side.
“This is a widespread and very commercialized attack,” Himanshu Anand, who wrote up the company’s findings, told TechCrunch. Anand said the campaign is a “spray and pay” attack that aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.
When the hacked WordPress sites load in a user’s browser, the content quickly changes to display a fake Chrome browser update page, requesting the website visitor download and install an update in order to view the website, the researchers found. If a visitor accepts the update, the hacked website will prompt the visitor to download a specific malicious file masquerading as the update, depending on whether the visitor is on a Windows PC or a Mac.
Wijckmans said that they alerted Automattic, the company that develops and distributes WordPress.com, about the hacking campaign and sent them the list of malicious domains, and that their contact at the company acknowledged receipt of their email.
When reached by TechCrunch prior to publication, Megan Fox, a spokesperson for Automattic, did not comment.
C/side said it identified over 10,000 websites that appear to have been compromised as part of this hacking campaign. Wijckmans said the company detected malicious scripts on several domains by crawling the internet, and performing a reverse DNS lookup, a technique to find domains and websites associated with a certain IP address, which revealed more domains hosting the malicious scripts.
TechCrunch could not confirm the accuracy of c/side’s figures, but we saw one hacked WordPress website that was still displaying the malicious content on Tuesday.
From WordPress to infostealing malware
The two types of malware that are being pushed on the malicious websites are known as Amos (or Amos Atomic Stealer), which targets macOS users; and SocGholish, which targets Windows users.
In May 2023, cybersecurity firm SentinelOne published a report on Amos, classifying the malware as an infostealer, a type of malware designed to infect computers and steal as many usernames and passwords, session cookies, crypto wallets, and other sensitive data that allows the hackers to further break into the victim’s accounts and steal their digital currency. Cybersecurity firm Cyble reported at the time that it had found that hackers were selling access to the Amos malware on Telegram.
Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, told TechCrunch that Amos is “definitively the most prolific stealer on macOS,” and was created with the malware-as-a-service business model, meaning the developers and owners of the malware sell it to the hackers who then deploy it.
Wardle also noted that for someone to successfully install on macOS the malicious file found by c/side “the user still has to then manually run it, and jump through a lot of hoops to bypass Apple’s built-in security.”
While this may not be the most advanced hacking campaign, given that the hackers rely on their targets to fall for the fake update page and then install the malware, this is a good reminder to update your Chrome browser through its in-built software update feature and to install only trusted apps on your personal devices.
Password-stealing malware and the theft of credentials have been blamed for some of the biggest hacks and data breaches in history. In 2024, hackers mass-raided the accounts of corporate giants who hosted their sensitive data with cloud computing giant Snowflake by using passwords stolen from the computers of employees of Snowflake’s customers.