Over 6,000 WordPress Sites Hacked to Install Plugins Distributing Infostealers

WordPress sites are being compromised to install malicious plugins that display fake software updates and error messages, tricking users into downloading information-stealing malware.

In recent years, information-stealing malware has posed a serious challenge for security teams worldwide, as stolen credentials have been increasingly used for network breaches and data theft.

Since 2023, a malicious campaign known as ClearFake has been responsible for showing fake browser update prompts on compromised websites, leading to the installation of info-stealing malware.

In 2024, a new campaign named ClickFix emerged, closely mirroring ClearFake, but this time masquerading as software error messages that claim to offer fixes. These so-called fixes, however, are PowerShell scripts that, when run, install information-stealing malware on the victim’s system.

ClickFix campaigns have surged in frequency this year, with cybercriminals targeting websites to present banners that display fake error messages related to Google Chrome, Google Meet conferences, Facebook, and even CAPTCHA pages.

Malicious WordPress Plugins

Last week, GoDaddy reported that the ClearFake and ClickFix threat actors have compromised over 6,000 WordPress sites, installing malicious plugins that generate fake alerts associated with these campaigns.

“The GoDaddy Security team is monitoring a new variant of ClickFix (also known as ClearFake) that spreads fake browser update malware through fraudulent WordPress plugins,” said GoDaddy security researcher Denis Sinegubko.

“These seemingly innocuous plugins are crafted to appear safe to website administrators but contain hidden malicious scripts that deliver deceptive browser update prompts to end-users.”

The malicious plugins often use names similar to legitimate ones, like Wordfence Security and LiteSpeed Cache, while others adopt generic or fabricated names.

The following is a list of the malicious plugins identified in this campaign from June to September 2024:

Website security firm Sucuri has also identified a fraudulent plugin called “Universal Popup Plugin” as part of this campaign.

Once installed, this malicious plugin can hook into various WordPress actions, depending on the variant, to inject a harmful JavaScript script into the site’s HTML.

When executed, this script attempts to load an additional malicious JavaScript file hosted in a Binance Smart Chain (BSC) smart contract. This file then loads the ClearFake or ClickFix script, which displays the deceptive banners to users.

Analysis of web server access logs by Sinegubko reveals that the threat actors are likely using stolen admin credentials to gain access to WordPress sites and install the malicious plugin automatically.

As illustrated in the image below, the attackers log in using a single POST HTTP request, bypassing the initial visit to the site’s login page. This suggests an automated process following the acquisition of the credentials.

After successfully logging in, the threat actor proceeds to upload and install the malicious plugin.

While the exact method by which the threat actors are acquiring credentials remains unclear, the researcher suggests that it could be through previous brute force attacks, phishing schemes, or information-stealing malware.

If you manage a WordPress site and have received reports of fake alerts being displayed to visitors, it’s crucial to promptly review the list of installed plugins and remove any that you did not personally install.

Additionally, if you discover any unknown plugins, you should immediately reset the passwords for all admin users, ensuring they use a unique password that is only utilized for your site.