Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

  • Researchers discover 10,000 compromised WordPress sites
  • The sites were embedded with malicious JavaScript code
  • The goal was to deliver infostealers to victims

Ten thousand WordPress websites were being used to deliver infostealing malware to victims running both Windows and macOS devices, experts have warned.

A report from cybersecurity researchers at c/side claims a threat actor likely compromised the various WordPress sites through an older version of the platform (6.7.1) and, with it, an older, outdated plugin. Once a site was breached, the attackers deployed malicious JavaScript code that generated a fake page inside an iframe and served it to visitors.

When a victim visits one of these sites, they see an overlaid page stating that they need to update their browser in order to view the page's contents. However, instead of a browser patch, victims receive either Atomic (also known as AMOS, a popular infostealer for macOS) or SocGholish (essentially the same thing, but for Windows).

Stealing sensitive files

These infostealers grab all sorts of sensitive information from the target endpoint: passwords stored in the browser, session cookies, cryptocurrency wallet information, and other potentially sensitive files.

Defending against these attacks requires web administrators to keep their sites up to date.

The WordPress platform itself, for starters, should be upgraded to version 6.7, released in mid-November 2024. Admins should then go through all the themes and plugins they have installed and remove any they are not using. The remaining ones should be updated as well.

Finally, admins should look for malicious scripts and delete them. C/side claims that attackers leave a backdoor most of the time so they can easily return if need be. If admins do find traces of compromise, they should also review logs from the last 90 days to identify what kind of malicious activity took place.
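As an added, defender-side illustration of the "look for malicious scripts" step (example code written for this page, not c/side's tooling or anything taken from its report), the script below parses a saved copy of a site's HTML and flags script or iframe elements loading from hosts outside an allowlist, plus inline scripts that build a fixed-position iframe overlay of the kind described above. The allowlist host and the sample page are constructed for the demonstration.

```python
# Added example (not c/side's tooling): heuristic scan of saved WordPress HTML for
# injected <script>/<iframe> elements from hosts outside an allowlist, and for
# inline scripts that create a fixed-position iframe overlay. Tune for your site.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

IFRAME_BUILDER = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)
OVERLAY_HINT = re.compile(r"position\s*:\s*fixed|z-index\s*:\s*\d{4,}", re.I)

class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []          # (element, reason, detail)
        self._script = None         # buffer while inside an inline <script>

    def _check_src(self, tag, src):
        host = urlparse(src).hostname
        if host and host.lower() not in self.allowed:  # relative = same-origin
            self.findings.append((tag, "external host", host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self._check_src("iframe", attrs["src"])
        elif tag == "script" and attrs.get("src"):
            self._check_src("script", attrs["src"])
        elif tag == "script":
            self._script = []
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            if IFRAME_BUILDER.search(body) and OVERLAY_HINT.search(body):
                self.findings.append(("script", "inline iframe overlay", body[:60]))

def scan_html(html, allowed_hosts):
    """Return findings worth a manual review for one page's HTML."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one legitimate vendor script, two injected elements.
SAMPLE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.theme-vendor.example/theme.js"></script>
<script>var f=document.createElement('iframe');f.style.cssText='position:fixed;top:0;z-index:99999';document.body.appendChild(f);</script>
</head><body><iframe src="https://injected-host.example/update"></iframe></body></html>"""
```

Run it over HTML saved from every public page (or over theme and plugin files that emit markup) and review each finding by hand; a hit is a lead, not proof of compromise.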


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
