Bogus WordPress Plugins Encourage Users to Download Malware


Hackers Infecting WordPress Sites with Fake Plugins and Malware Using Stolen Credentials

Hackers have been using stolen credentials to infect WordPress sites with fake plugins that deliver malware and infostealers to unsuspecting users through fake browser update prompts. This malicious campaign, based on a new variant of the ClickFix fake browser update malware, has already impacted over 6,000 sites with fake WordPress plugins since June 2024. In total, ClickFix has compromised more than 25,000 sites since August 2023, as reported by the GoDaddy security team.

The hackers behind this scheme do not exploit any known vulnerabilities to deliver the bogus plugins; instead, they rely on stolen credentials to gain access to legitimate WordPress admin accounts for each compromised site. The fake plugins are designed to appear harmless to website administrators, but they inject malicious JavaScript that contains a variation of fake browser update malware known as EtherHiding.

These fake plugins have generic names like “Advanced User Manager” or “Quick Cache Cleaner” and contain only three small files in their directories. The malicious JavaScript delivered by these plugins prompts users to install malware on their machines, such as remote access trojans (RATs) or info stealers like Vidar Stealer and Lumma Stealer.

The GoDaddy advisory suggests that the hackers may have obtained the stolen credentials through methods like brute-force attacks, phishing campaigns, or malware infections on the website admins’ computers. Implementing multi-factor authentication and other access controls could help protect against such attacks in the future. Stay vigilant and ensure your WordPress site’s security to avoid falling victim to these malicious tactics.
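The plugin traits described above (generic names, only three small files per directory) can be turned into a quick triage pass over `wp-content/plugins`. This is an added example, not code from GoDaddy or the article; the 4096-byte cutoff for "small" and the sample directory names are assumptions, and the name check reads WordPress's standard `Plugin Name:` header.

```python
import re
import tempfile
from pathlib import Path

REPORTED_NAMES = {"advanced user manager", "quick cache cleaner"}  # names quoted in the article
MAX_FILES = 3       # article: "only three small files"
MAX_BYTES = 4096    # assumption: the article gives no size for "small"
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.I | re.M)


def plugin_name(files):
    """Return the first 'Plugin Name:' header found in the plugin's PHP files, or None."""
    for path in files:
        text = path.read_text(errors="replace")[:8192] if path.suffix == ".php" else ""
        if m := HEADER_RE.search(text):
            return m.group(1).strip()
    return None


def triage_plugins(plugins_root):
    """Return {plugin_dir: [reasons]} for plugin folders worth a manual review."""
    findings = {}
    for pdir in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        files = sorted(f for f in pdir.rglob("*") if f.is_file())
        reasons = []
        if 0 < len(files) <= MAX_FILES and all(f.stat().st_size <= MAX_BYTES for f in files):
            reasons.append(f"{len(files)} files, each <= {MAX_BYTES} bytes")
        name = plugin_name(files)
        if name and name.lower() in REPORTED_NAMES:
            reasons.append(f"header name matches article: {name}")
        if reasons:
            findings[pdir.name] = reasons
    return findings


def build_sample(root):  # constructed sample data, not real plugin code
    layout = {"sample-fake": {"main.php": "<?php\n/*\n * Plugin Name: Quick Cache Cleaner\n */\n",
                              "index.php": "<?php\n", "a.js": "// constructed\n"},
              "sample-ok": {f"f{i}.php": "<?php\n// ordinary plugin file\n" for i in range(6)}}
    for plugin, files in layout.items():
        (Path(root) / plugin).mkdir()
        for fname, body in files.items():
            (Path(root) / plugin / fname).write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage_plugins(tmp))
```

A hit is a lead for manual review, not a verdict: legitimate single-purpose plugins can be just as small, and the campaign's plugin names are generic by design.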
