A significant cybersecurity threat has been identified as hackers exploit outdated versions of WordPress and its plugins to alter thousands of websites. This ongoing attack is aimed at tricking visitors into downloading and installing malware, security researchers reported this week. The cybercriminals behind this campaign are utilizing compromised websites to distribute two types of malware designed to steal personal data from both Windows and Mac users, including passwords, session cookies, and crypto wallet information.
According to Simon Wijckmans, CEO of the web security firm c/side, which uncovered the attack, the hackers are spreading malware via a “spray and pray” approach, targeting any user who visits the infected websites rather than focusing on specific individuals or groups. The hackers’ goal is clear: to deploy malicious software capable of harvesting personal information from unsuspecting users.
The hacking campaign was first detected when c/side researchers found that compromised WordPress sites were being altered to show a fake Chrome browser update page. When users attempt to visit these sites, they are immediately presented with a message prompting them to download and install an update to view the content. If the visitor agrees, the malicious website directs them to download a malware file disguised as the update. The type of malware delivered depends on the visitor’s operating system—Windows or Mac.
The malware being distributed in this campaign includes two known types: Amos (also called Amos Atomic Stealer) and SocGholish. Amos, a malware targeting macOS systems, is particularly dangerous as it can steal sensitive data, including usernames, passwords, session cookies, and even cryptocurrency wallets. The malware is part of a broader “malware-as-a-service” model, where hackers purchase the malware from developers and use it in their attacks.
Patrick Wardle, a macOS security expert, emphasized that Amos is one of the most prolific “info stealers” targeting macOS. However, he pointed out that users still need to manually run the malware once it has been downloaded. This requirement for user intervention adds a layer of complexity, as macOS has built-in security mechanisms that might prevent unauthorized execution of malicious software.
In contrast, the SocGholish malware, which targets Windows users, has been widely reported in previous attacks. This malware is designed to steal passwords and other sensitive data, posing significant risks to individuals and organizations alike. Once the malware is installed on a victim’s device, it provides the hackers with access to login credentials, which can then be exploited to infiltrate other accounts or systems.
The security team at c/side has identified over 10,000 compromised websites linked to this attack. Their investigation revealed that the malware is being spread through a network of WordPress sites by exploiting outdated software and unpatched plugins. The researchers used reverse DNS lookups to uncover additional domains hosting the malicious scripts, further expanding the scope of the attack.
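A site owner's own check for the kind of injection described above, added here as an example and not c/side's tooling: it parses a page's HTML, collects every external `<script src>` host, and flags hosts outside an allowlist of expected script origins. The allowlist hosts and the sample page are constructed for the example.

```python
"""Flag <script> tags on a WordPress page that load from hosts the site owner
does not expect; an injected third-party loader is what drives a fake
browser-update overlay. Added example, not c/side's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts expected to serve script on this site (assumed allowlist for the example).
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_host(src, page_host):
    """Resolve the host a script src loads from; relative paths mean page_host."""
    if src.startswith("//"):            # protocol-relative URL
        return urlparse("https:" + src).hostname
    parsed = urlparse(src)
    return parsed.hostname if parsed.scheme in ("http", "https") else page_host


def find_injected_scripts(html, page_host):
    """Return (host, src) pairs for scripts served from unexpected hosts."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = script_host(src, page_host)
        if host and host != page_host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append((host, src))
    return findings


# Constructed sample page: two expected scripts and two from unknown hosts.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-site.test/theme.js"></script>
<script src="//unknown-host.test/loader.js"></script>
<script src="https://static.unknown-host.test/update.js" async></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for host, src in find_injected_scripts(SAMPLE_PAGE, "example-site.test"):
        print(f"unexpected script host {host}: {src}")
```

In practice the allowlist comes from a known-good deployment of the site, and the check is run against the rendered HTML of each public page on a schedule so a newly injected loader is noticed quickly.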
In response to these findings, c/side alerted Automattic, the company behind WordPress, providing them with a list of the compromised websites. Although Automattic acknowledged the receipt of this information, they have not yet issued a public statement regarding the issue. As of now, the attack continues to be active, and the affected websites remain a threat to unsuspecting visitors.
This attack serves as a stark reminder of the risks associated with outdated software. Security experts emphasize the importance of regularly updating both WordPress and its plugins to patch any known vulnerabilities. Moreover, users should be cautious when downloading updates or software from untrusted sources. The use of fake update prompts is a well-known tactic employed by hackers to spread malware, and this latest campaign highlights the effectiveness of this method.
In recent years, password-stealing malware has been linked to some of the largest data breaches and cyberattacks. In 2024, hackers used stolen passwords to raid corporate accounts hosted by cloud computing provider Snowflake, highlighting the far-reaching consequences of credential theft. As more businesses and individuals rely on online platforms for personal and professional activities, the need for robust cybersecurity measures has never been more critical.
For individuals, it is crucial to ensure that any software or browser updates are only installed through official channels, such as the built-in update features of browsers like Chrome. Additionally, installing software only from trusted sources and exercising caution when downloading files or updates can help mitigate the risk of falling victim to such attacks. Furthermore, implementing strong, unique passwords for each account and utilizing two-factor authentication can significantly reduce the chances of successful cyberattacks targeting sensitive information.
This hacking campaign serves as a wake-up call for both website owners and users, underscoring the importance of maintaining up-to-date security practices to protect against evolving threats in the digital landscape. As hackers continue to adapt their tactics, vigilance and proactive cybersecurity measures are essential to minimizing the impact of such attacks.