Over 6,000 WordPress Sites Compromised by Malicious Plugin Campaign

• The number of WordPress websites compromised by malicious plugin campaigns that push infostealers crossed 6,000.
• ClearFake and its variant ClickFix have made the news before, using stolen credentials to steal sensitive data.
• Hackers use legitimate plugin names such as Wordfense Security and LiteSpeed Cache, which they embed with malicious scripts.

A significant security breach has compromised over 6,000 WordPress sites worldwide, leading to the installation of malicious plugins designed to push information-stealing malware. Hackers used stolen credentials to infiltrate networks and exfiltrate sensitive data in these attacks.

The malicious campaign, identified as ClearFake and its variant ClickFix, has been manipulating WordPress sites to display counterfeit error messages and browser update prompts. These fake alerts aim to deceive users into executing PowerShell scripts that download and install malware capable of stealing critical information.

In 2024, the ClickFix campaign emerged, characterized by its deceptive appearance as software error messages, tricking users into downloading malware under the guise of error resolutions. Affected platforms include Google Chrome, Google Meet, Facebook, and captcha pages, demonstrating the widespread reach and adaptability of this threat.

Threat actors behind ClearFake/ClickFix have exploited WordPress sites to install seemingly legitimate plugins embedded with malicious scripts. These plugins mimic names of authentic ones, such as "Wordfense Security" and "LiteSpeed Cache," or use fabricated titles like "Universal Popup Plugin."

Once installed, these plugins hook into various WordPress actions to inject malicious JavaScript into the site's HTML. This script subsequently loads additional malicious JavaScript stored on the Binance Smart Chain (BSC), which then activates the ClearFake or ClickFix scripts to display the fraudulent alerts.

Through analysis of web server access logs, it has been determined that the attackers are utilizing stolen admin credentials to execute automated logins via POST HTTP requests, bypassing the traditional login page process. This suggests a high level of sophistication and automation in the attack methodology.

In August, security researchers discovered a Remote Access Trojan (RAT) linked to the malicious ClearFake campaign, pushed by hackers via compromised websites that urge users to fix a bogus issue and install infostealers.

A new campaign active since late April 2024 acts as a Fake Browser Update, infecting vulnerable sites to show malicious pop-ups promoting a Web browser update. However, it hides behind a legitimate WordPress plugin to evade discovery by file scanners and downloads malware when clicked.