WooCommerce phishing campaign uses fake patch to lure victims into installing backdoors
Researchers are warning about a large-scale, sophisticated attack targeting WooCommerce users.

- Patchstack spotted a new phishing campaign targeting WooCommerce users
- The email warns the users about a "critical vulnerability" that must be fixed
- The "fix" is actually malware that creates a rogue admin account and drops stage-two malware
If you are a WooCommerce user, pay attention, since there is a new phishing campaign going around targeting people like you.
Recently, security researchers from Patchstack spotted a new phishing attack, which they described as “large-scale” and “sophisticated”. In the attack, the crooks would send an email, warning their targets about a critical vulnerability in their websites that needs to be addressed immediately.
The email also comes with a “Download Patch” link which, instead of the supposed fix, actually deploys a malicious WordPress plugin. The plugin is hosted on a website mimicking the WooCommerce Marketplace, and can be spotted in the typosquatted URL "woocommėrce[.]com" (notice the ė character).
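The lure depends on the reader not noticing that "woocommėrce.com" is not "woocommerce.com". The following is an added example (not code from the article or from Patchstack) of how a mail-filter or triage script can flag such look-alike hostnames: it compares the wire form (punycode) with the trusted name and builds a crude confusable "skeleton" by stripping diacritics and mapping a handful of Cyrillic look-alikes. The `TRUSTED_DOMAINS` list, the small `CONFUSABLES` table and every sample URL other than the article's "woocommėrce.com" are constructed for illustration.

```python
"""Flag IDN homograph look-alikes of trusted domains in links from an email.

Added example, not part of the original article or Patchstack's research.
TRUSTED_DOMAINS, CONFUSABLES and the sample URLs are constructed assumptions.
"""
import unicodedata
from urllib.parse import urlsplit

# Domains the organisation expects patch/update links to point at (assumed).
TRUSTED_DOMAINS = {"woocommerce.com", "wordpress.org"}

# Partial table of Cyrillic letters that render like Latin ones. A production
# filter would use the full Unicode confusables data; this is deliberately small.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def hostname_of(url: str) -> str:
    """Extract the lowercase hostname (no port, no path) from a URL."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def to_ascii(host: str) -> str:
    """Return the hostname as a browser sends it on the wire (punycode labels)."""
    return host.encode("idna").decode("ascii")


def skeleton(host: str) -> str:
    """Crude confusable skeleton of a hostname.

    NFKD splits 'ė' into 'e' + a combining dot; dropping combining marks leaves
    plain 'e'. Remaining characters are mapped through CONFUSABLES.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def _matches_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url: str) -> str:
    """Return 'trusted', 'homograph' or 'unrelated' for the URL's hostname.

    'homograph' means the host is not trusted as typed, but its skeleton
    collides with a trusted domain, i.e. it is a visual look-alike.
    """
    host = hostname_of(url)
    if _matches_trusted(host):
        return "trusted"
    if _matches_trusted(skeleton(host)):
        return "homograph"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; the first is the look-alike the article describes.
    for link in ("https://woocommėrce.com/download/patch",
                 "https://woocommerce.com/products",
                 "https://w\u043e\u043ecommerce.com/patch",
                 "https://example.net/update"):
        print(f"{classify(link):10} {hostname_of(link)} -> {to_ascii(hostname_of(link))}")
```

The wire form is the useful signal for an analyst: a trusted name round-trips unchanged through `to_ascii`, while a look-alike comes back as an `xn--` label, which is what the mail gateway and the browser actually see.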
Old actors or new copycats?
The plugin first hides itself from the list of installed plugins, and then creates a new admin account. It also hides this account from the victim and relays the credentials to the attackers. Finally, it deploys stage-two malware, which includes web shells such as P.A.S.-Fork, p0wny, and WSO.
Patchstack, which usually tracks WordPress threats, says that a similar campaign was observed back in December 2023, with the key difference being that the phishing email warned about a non-existent CVE. Since both the emails and the malware are rather similar, the researchers speculate that both attacks are either the work of the same threat actor, or that the new campaign is the work of a copycat.
"They claim the targeted websites are impacted by a (non-existent) 'Unauthenticated Administrative Access' vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website," the researchers explained.
If you are running a WordPress website with WooCommerce installed, you should scan your site for suspicious plugins and admin accounts, and make sure to update both WordPress and the plugins/themes you are running.
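The two checks recommended above (suspicious plugins, suspicious admin accounts) are awkward to do from the dashboard precisely because this plugin hides itself and its account from the dashboard. The added example below (not code from the article or from Patchstack) does them from the filesystem and from a user export instead: it scans a plugins directory for PHP files that register the WordPress hooks a self-hiding plugin needs (`all_plugins` rewrites the Plugins screen, `pre_user_query` and `views_users` shape the Users screen), and it compares administrator accounts against a known-good list. The plugin files, the plugin names and the user list are constructed fixtures; on a real site you would point `scan_plugins` at `wp-content/plugins` and feed `review_admins` the JSON from WP-CLI's `wp user list --role=administrator --format=json`.

```python
"""Filesystem and user-list triage for a WooCommerce/WordPress site.

Added example, not Patchstack's tooling. The plugin fixtures and the admin
user list below are constructed; the hook names are real WordPress hooks.
"""
import json
import os
import re
import tempfile

# Hooks that benign plugins rarely register but self-hiding malware relies on.
SUSPICIOUS_HOOKS = {
    "all_plugins": "can remove a plugin from the Plugins screen",
    "pre_user_query": "can remove a user from the Users screen",
    "views_users": "can falsify the counts on the Users screen",
}
# Matches add_filter('hook', ...) / add_action("hook", ...) and captures the hook name.
HOOK_RE = re.compile(r"add_(?:filter|action)\s*\(\s*['\"]([a-z_]+)['\"]")


def scan_plugins(plugins_dir: str) -> dict:
    """Return {plugin_dir: [suspicious hook, ...]} for every plugin that hooks
    into the admin screens in a way that could hide itself or a user."""
    findings = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hooks = set(HOOK_RE.findall(fh.read()))
            bad = hooks & SUSPICIOUS_HOOKS.keys()
            if bad:
                plugin = os.path.relpath(path, plugins_dir).split(os.sep)[0]
                findings.setdefault(plugin, set()).update(bad)
    return {plugin: sorted(hooks) for plugin, hooks in findings.items()}


def review_admins(users_json: str, known_admins: set) -> list:
    """Return administrator logins that are not on the known-good list.

    users_json is expected in the shape WP-CLI's `wp user list --format=json`
    produces: a list of objects with user_login and a comma-separated roles string.
    """
    users = json.loads(users_json)
    return sorted(
        u["user_login"] for u in users
        if "administrator" in u.get("roles", "").split(",")
        and u["user_login"] not in known_admins
    )


def build_fixture() -> str:
    """Create a throwaway plugins directory: one benign plugin, one that registers
    the self-hiding hooks (constructed; names are made up)."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(base, "hello-dolly"))
    with open(os.path.join(base, "hello-dolly", "hello.php"), "w") as fh:
        fh.write("<?php\nadd_action('admin_notices', 'hello_dolly');\n")
    os.makedirs(os.path.join(base, "security-patch-fix"))
    with open(os.path.join(base, "security-patch-fix", "init.php"), "w") as fh:
        fh.write("<?php\n// constructed fixture: hook registrations only\n"
                 "add_filter('all_plugins', 'spf_hide_self');\n"
                 "add_action('pre_user_query', 'spf_hide_user');\n")
    return base


# Constructed stand-in for `wp user list --role=administrator --format=json`.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "shopowner", "user_email": "owner@example.invalid",
     "user_registered": "2021-03-02 10:11:12", "roles": "administrator"},
    {"ID": 57, "user_login": "wp_support", "user_email": "support@example.invalid",
     "user_registered": "2025-04-20 03:14:07", "roles": "administrator"},
])


if __name__ == "__main__":
    plugins_dir = build_fixture()
    for plugin, hooks in scan_plugins(plugins_dir).items():
        print(f"[plugin] {plugin}: " + "; ".join(f"{h} ({SUSPICIOUS_HOOKS[h]})" for h in hooks))
    for login in review_admins(SAMPLE_USERS, known_admins={"shopowner"}):
        print(f"[admin] unexpected administrator account: {login}")
```

Treat a hit from `scan_plugins` as a reason to read that plugin's code, not as proof of compromise; a few legitimate management plugins register these hooks too. The stronger signal is the combination the article describes: an unexplained administrator account plus a plugin that is on disk but absent from the dashboard.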
Via The Hacker News