WordPress websites are increasingly targeted by hackers who install harmful plugins that present fraudulent software updates and error messages, aiming to distribute information-stealing malware.
In recent years, information-stealing malware has emerged as a significant threat to cybersecurity professionals globally, as compromised credentials are exploited to infiltrate networks and extract sensitive data.
Since the beginning of 2023, a malicious initiative known as ClearFake has been employed to showcase counterfeit web browser update notifications on compromised sites, facilitating the spread of information-stealing malware.
In 2024, a new initiative named ClickFix was launched, sharing several characteristics with ClearFake but masquerading as software error alerts that offer purported solutions. These “solutions” are actually PowerShell scripts that, upon execution, download and install information-stealing malware. ClickFix campaigns have become more prevalent this year, with threat actors breaching websites to display banners featuring fake error messages for platforms such as Google Chrome, Google Meet, Facebook, and even captcha pages.
Malicious WordPress plugins
Last week, GoDaddy disclosed that the ClearFake/ClickFix threat actors have compromised over 6,000 WordPress websites to install harmful plugins that generate fraudulent alerts linked to these campaigns.
“The GoDaddy Security team is monitoring a new variant of ClickFix (also referred to as ClearFake) fake browser update malware, which is disseminated through deceptive WordPress plugins,” stated GoDaddy security researcher Denis Sinegubko.
“These plugins, which appear to be legitimate, are crafted to seem innocuous to website administrators but contain malicious scripts that present fake browser update notifications to users.” The harmful plugins often adopt names that closely resemble those of genuine plugins, such as Wordfence Security and LiteSpeed Cache, while others utilize generic, fabricated names. Additionally, website security firm Sucuri has identified a fraudulent plugin called “Universal Popup Plugin” as part of this operation.
Upon installation, the malicious plugin will hook into various WordPress actions, depending on the variant, to inject a harmful JavaScript script into the site’s HTML. Once executed, this script attempts to load another malicious JavaScript file stored within a Binance Smart Chain (BSC) smart contract, which subsequently loads the ClearFake or ClickFix script to display the fraudulent banners.
Analysis of web server access logs by Sinegubko indicates that the threat actors are likely using stolen admin credentials to access the WordPress site and install the plugin automatically. As illustrated in the accompanying image, the threat actors log in through a single POST HTTP request, bypassing the site’s login page, suggesting an automated process following the acquisition of the credentials.
While the exact method by which the threat actors are obtaining these credentials remains uncertain, the researcher suggests that it may involve prior brute force attacks, phishing schemes, or information-stealing malware. If you manage a WordPress site and are receiving notifications about fake alerts being shown to visitors, it is imperative to conduct an immediate investigation.
