Security researchers have discovered a hacking campaign that compromises websites running outdated WordPress versions and plugins, modifies their content, and tricks visitors into installing malware. Simon Wijckmans, founder and CEO of the web security startup c/side, told TechCrunch that the campaign is still ongoing. The attackers' aim is to distribute malware that steals passwords and other personal information from Windows and Mac users. c/side found that some of the infected websites are among the most popular on the Internet.
Himanshu Anand, a researcher at c/side, described the operation as a "spray and pray" campaign: it aims to infect anyone who visits a compromised site rather than specific targets. Infected WordPress sites show visitors a fake Chrome update prompt; if the visitor accepts it, the site downloads a malicious file disguised as the update. Wijckmans said he alerted Automattic, the company behind WordPress.com, and gave it a list of the malicious domains.
Automattic spokesperson Megan Fox declined to comment. c/side identified more than 10,000 potentially affected websites: it first detected the malicious scripts on a number of domains through web scans, then used reverse DNS lookups to find additional affected sites.
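c/side has not published its scanning logic, and the article names no indicators. The following is an added example, not code from c/side or TechCrunch, showing the kind of static check a site owner can run over their own page HTML to spot the injected scripts this campaign relies on: it lists external script hosts that are not on an allowlist and flags inline scripts that either use common obfuscation helpers or contain fake-update lure text. The allowlisted hostnames, the sample page, and the marker phrases are all constructed for illustration and are not real indicators from the campaign.

```python
"""Static scan of a page's HTML for injected <script> tags.

Added example; not c/side's scanner. Hostnames, sample HTML and
marker phrases are constructed for illustration (assumptions).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to serve JavaScript (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "cdnjs.cloudflare.com"}

# Phrases typical of a fake browser-update overlay (illustrative, not IOCs).
LURE_MARKERS = ("chrome update", "update your browser", "browser is out of date")

# Helpers frequently used to hide injected payloads in inline scripts.
OBFUSCATION_MARKERS = ("atob(", "unescape(", "fromcharcode(", "document.write(")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # text of <script>...</script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data.
        if self._in_script:
            self._buf.append(data)


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding_kind, detail) tuples for suspicious scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []

    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path, served by the site itself
        if host.lower() not in allowed_hosts:
            findings.append(("external-script", src))

    for code in parser.inline:
        lowered = code.lower()
        if any(m in lowered for m in OBFUSCATION_MARKERS):
            findings.append(("obfuscated-inline-script", code.strip()[:80]))
        elif any(m in lowered for m in LURE_MARKERS):
            findings.append(("update-lure-inline-script", code.strip()[:80]))

    return findings


# Constructed sample page: two legitimate scripts, one unknown third-party
# script, one obfuscated inline injection, one fake-update lure, one benign inline.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/foo/1.0/foo.js"></script>
<script src="https://stats.malicious-cdn.test/inject.js"></script>
</head><body>
<script>var d=document.createElement('div');d.innerHTML=atob('PGRpdj4=');document.body.appendChild(d);</script>
<script>overlay.textContent = "Your Chrome browser is out of date. Install the update now.";</script>
<script>console.log('site analytics loaded');</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

On a real site the HTML would come from fetching the live page (ideally from several geographic locations, since some injections are served selectively), and the allowlist from the site's known theme, plugin and CDN assets; anything outside it deserves a look even if it is not obfuscated.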
The campaign delivers two families of information-stealing malware: Amos (also known as Atomic Stealer), which targets Mac users, and SocGholish, which targets Windows users. According to a May 2023 SentinelOne report, Amos is an infostealer built to harvest sensitive data such as usernames, passwords, and cryptocurrency wallet credentials, which attackers can then use to break into further accounts. macOS security researcher Patrick Wardle noted that installing Amos requires the user to work through several manual steps, which suggests Apple's built-in defenses are doing their job.
The tactic itself is simple, a deceptive update prompt, but the campaign is a reminder to apply only genuine software updates, through the browser's or operating system's own update mechanism, and to install apps only from trusted sources. Infostealer malware and the credentials it harvests have been linked to major intrusions and data breaches, including the 2024 breaches of Snowflake customers, in which attackers logged in with stolen passwords.