Malicious WordPress Plugins: ClickFix and ClearFake Campaigns Compromise Thousands of Sites (24th October 2024)

Ref# AL2024_37 | Date: Oct 24th 2024

Description

WordPress websites are increasingly being targeted by threat actors who install malicious plugins that push information-stealing malware to unsuspecting visitors. These plugins display fake software updates and error messages to trick users into executing malicious scripts. Two significant campaigns, ClearFake and ClickFix, have been identified as the primary perpetrators, with over 6,000 WordPress sites reportedly compromised. These attacks are particularly alarming for website owners, as they exploit stolen credentials to inject harmful code into legitimate websites, affecting site visitors and posing a serious threat to both individual users and businesses.

Attack Details

The ClearFake campaign, which began in 2023, uses compromised websites to display fake web browser update banners. When unsuspecting users click on these banners, they unknowingly download and install information-stealing malware. This malware is designed to extract sensitive data from users, such as login credentials, which threat actors can use to further infiltrate networks and steal additional information. ClearFake exploits the trust users place in common browser update notifications, making it an effective method for distributing malware.

In 2024, a new, more sophisticated campaign called ClickFix emerged. Similar to ClearFake, ClickFix also aims to install information-stealing malware but does so under the guise of fake software error messages. These error messages claim to offer fixes but instead prompt users to execute malicious PowerShell scripts, which then download the malware. ClickFix has grown increasingly common, with fake error banners impersonating trusted applications like Google Chrome, Facebook, and Google Meet. The attackers have compromised thousands of WordPress sites by installing malicious plugins, which appear legitimate but hide harmful scripts. Examples of such plugins include LiteSpeed Cache Classic, Wordfence Security Classic, and SEO Booster Pro. These plugins inject JavaScript into the site’s HTML, which then loads additional malicious scripts from a Binance Smart Chain (BSC) smart contract, tricking users into downloading malware.
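The injection described above leaves a visible trace in the served HTML: a `<script>` tag the site owner never added, either pulling code from an origin outside the site's normal set or carrying an inline loader that fetches its payload through a chain JSON-RPC call. The following scanner is an added example, not code from the advisory or from either referenced report. It assumes the owner maintains an allowlist of legitimate script origins (`ALLOWED_SCRIPT_HOSTS`), and the RPC indicator strings (`eth_call`, the public `bsc-dataseed` RPC hostname, `web3`) are generic choices for this example rather than indicators taken from the campaign; the sample HTML is constructed.

```python
"""Scan a rendered WordPress page for injected <script> tags.

Added example: flags external script sources not on an owner-maintained
allowlist and inline scripts that appear to read code from a blockchain
RPC node. Indicators and sample HTML are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this site legitimately loads scripts from (assumption: site-specific).
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "www.google-analytics.com"}

# Generic signs of an inline loader talking to a chain RPC endpoint
# (example indicators, not IoCs from the advisory).
RPC_INDICATORS = (
    re.compile(r"\beth_call\b", re.I),
    re.compile(r"bsc-dataseed", re.I),
    re.compile(r"\bweb3\b", re.I),
)


class ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (reason, detail) findings for one page's HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src:
            host = urlparse(src).hostname  # None for same-origin relative paths
            if host and host not in allowed_hosts:
                findings.append(("external-src", src))
        elif any(rx.search(body) for rx in RPC_INDICATORS):
            findings.append(("inline-rpc", body.strip()[:60]))
    return findings


# Constructed sample: one legitimate relative script, one allowed third party,
# one inline loader with RPC indicators, one script from an unknown host.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>
  // constructed stand-in for an injected loader
  fetch("https://rpc.example-chain.test/", {method: "POST",
        body: JSON.stringify({method: "eth_call"})});
</script>
<script src="https://cdn.unknown-host.test/loader.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for reason, detail in find_suspicious_scripts(SAMPLE_HTML):
        print(f"{reason}: {detail}")
```

Run it against the HTML as the browser receives it (for example `curl -s https://your-site/ | python scan.py` after adapting the entry point), not against the theme files on disk: plugin-injected scripts are added at render time and will not appear in a static file scan.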

Remediation

If you suspect your WordPress site has been compromised by these attacks, immediate action is necessary to protect both your site and visitors.

  • Examine Installed Plugins: Review all plugins on your WordPress site and look for any that you did not install. Pay attention to plugins that sound legitimate but are unfamiliar or out of place.
  • Remove Malicious Plugins: Immediately delete any unknown or suspicious plugins from your site.
  • Reset Admin Credentials: Change all administrative user passwords to unique, complex passwords that are not used on any other site. Consider implementing two-factor authentication (2FA) for added security.
  • Monitor Access Logs: Check your website’s access logs for any unusual login activity, particularly POST requests that bypass the standard login page.
  • Regular Security Audits: Regularly scan your website for vulnerabilities and malicious scripts. Use security plugins to monitor for unauthorized changes or suspicious activity.
  • Educate Users: Warn your site visitors about potential fake alerts and encourage them not to click on unexpected update or error messages.
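Two of the steps above, the plugin review and the access-log check, can be scripted. The helpers below are an added example written for this advisory, not code from the CIRT or the referenced reports. They assume the administrator exports the installed plugin slugs (for instance with `wp plugin list --field=name`) and keeps an approved list, and that the web server writes combined-format access logs. The sample plugin names, IP addresses and log lines are constructed; `litespeed-cache` and `wordfence` are the real slugs of the legitimate plugins the fake ones imitate, and the admin paths are standard WordPress paths.

```python
"""Triage helpers for a suspected WordPress compromise (added example).

1. Compare installed plugin slugs against an approved list and flag
   look-alike names that embed a legitimate slug.
2. Find POSTs to plugin-management endpoints from client IPs that never
   posted to wp-login.php earlier in the log, i.e. admin actions that
   bypassed the normal login page.
"""
import re

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/wp-login.php"
# Standard admin endpoints used to upload, install or (de)activate plugins.
PLUGIN_ADMIN_PATHS = {
    "/wp-admin/update.php",
    "/wp-admin/plugins.php",
    "/wp-admin/plugin-install.php",
    "/wp-admin/admin-ajax.php",
}


def unexpected_plugins(installed, approved):
    """Slugs present on the site but absent from the approved list."""
    return sorted(set(installed) - set(approved))


def lookalike_plugins(installed, approved):
    """Map each unapproved slug to the approved slug it embeds, if any."""
    hits = {}
    for name in installed:
        if name in approved:
            continue
        for legit in approved:
            if legit in name:
                hits[name] = legit
    return hits


def parse_log(lines):
    """Yield dicts for lines that match the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def posts_without_login(lines):
    """(ip, path) for plugin-admin POSTs from IPs with no prior login POST."""
    logged_in = set()
    findings = []
    for e in parse_log(lines):
        path = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and path == LOGIN_PATH:
            logged_in.add(e["ip"])
        elif e["method"] == "POST" and path in PLUGIN_ADMIN_PATHS and e["ip"] not in logged_in:
            findings.append((e["ip"], e["path"]))
    return findings


# Constructed sample data.
APPROVED_PLUGINS = ["akismet", "litespeed-cache", "wordfence"]
SAMPLE_INSTALLED = ["akismet", "litespeed-cache-classic", "wordfence-security-classic"]
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Oct/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.10 - - [21/Oct/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.10 - - [21/Oct/2024:10:02:00 +0000] "POST /wp-admin/plugins.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [21/Oct/2024:11:15:44 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Oct/2024:11:15:50 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=constructed-plugin/constructed-plugin.php HTTP/1.1" 302 0',
    '192.0.2.55 - - [21/Oct/2024:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print("unexpected:", unexpected_plugins(SAMPLE_INSTALLED, APPROVED_PLUGINS))
    print("look-alikes:", lookalike_plugins(SAMPLE_INSTALLED, APPROVED_PLUGINS))
    print("admin POSTs without login:", posts_without_login(SAMPLE_LOG))
```

The login check is deliberately simple: it treats any earlier POST to `wp-login.php` from the same IP as a login, so a legitimate administrator whose login fell outside the log window will also be flagged and must be confirmed by hand. A hit on an IP that never touched the login page at all is the pattern worth escalating, since it points to a session established some other way, such as stolen credentials used through the REST or XML-RPC interfaces.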

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.


References

  1. Abrams, L. (2024, October 21). Over 6,000 WordPress hacked to install plugins pushing infostealers. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-hacked-to-install-plugins-pushing-infostealers/
  2. Sinegubko, D. (2024, October 17). Threat actors push ClickFix fake browser updates using stolen credentials. Retrieved from GoDaddy Blog. https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials