Hackers are hijacking WordPress sites to push Windows and Mac malware – TechCrunch
Latest
AI
Amazon
Apps
Biotech & Health
Climate
Cloud Computing
Commerce
Crypto
Enterprise
EVs
Fintech
Fundraising
Gadgets
Gaming
Government & Policy
Hardware
Layoffs
Media & Entertainment
Meta
Microsoft
Privacy
Robotics
Security
Social
Space
Startups
TikTok
Transportation
Venture
Events
Startup Battlefield
StrictlyVC
Newsletters
Podcasts
Videos
Partner Content
TechCrunch Brand Studio
Crunchboard
Contact Us
Hackers are exploiting outdated versions of WordPress and plug-ins to alter thousands of websites in an attempt to trick visitors to download and install malware, security researchers have found.The hacking campaign is still “very much live,” Simon Wijckmans, the founder and CEO of web security company c/side, which discovered the attacks, told TechCrunch on Tuesday.The hackers’ goal is to spread malware capable of stealing passwords and other personal information from both Windows and Mac users. Some of the hacked websites are ranked among the most popular sites on the internet, according to c/side. “This is a widespread and very commercialized attack,” Himanshu Anand, who wrote up the company’s findings, told TechCrunch. Anand said the campaign is a “spray and pay” attack that aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.When the hacked WordPress sites load in a user’s browser, the content quickly changes to display a fake Chrome browser update page, requesting the website visitor download and install an update in order to view the website, the researchers found. If a visitor accepts the update, the hacked website will prompt the visitor to download a specific malicious file masquerading as the update, depending on whether the visitor is on a Windows PC or a Mac.Wijckmans said that they alerted Automattic, the company that develops and distributes WordPress.com, about the hacking campaign and sent them the list of malicious domains, and that their contact at the company acknowledged receipt of their email. When reached by TechCrunch prior to publication, Megan Fox, a spokesperson for Automattic, did not comment by press time. After publication, Automattic said that security of third-party plugins are ultimately the responsibility of WordPress plugin developers.“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users. In addition, they have at their disposal a Plugin Handbook that covers numerous security topics, including best practices and managing plugins’ security,” the spokesperson said.C/side said it identified over 10,000 websites that appear to have been compromised as part of this hacking campaign. Wijckmans said the company detected malicious scripts on several domains by crawling the internet, and performing a reverse DNS lookup, a technique to find domains and websites associated with a certain IP address, which revealed more domains hosting the malicious scripts. TechCrunch could not confirm the accuracy of c/side’s figures, but we saw one hacked WordPress website that was still displaying the malicious content on Tuesday.The two types of malware that are being pushed on the malicious websites are known as Amos (or Amos Atomic Stealer), which targets macOS users; and SocGholish, which targets Windows users. In May 2023, cybersecurity firm SentinelOne published a report on Amos, classifying the malware as an infostealer, a type of malware designed to infect computers and steal as many usernames and passwords, session cookies, crypto wallets, and other sensitive data that allows the hackers to further break into the victim’s accounts and steal their digital currency. Cybersecurity firm Cyble reported at the time that it had found that hackers were selling access to the Amos malware on Telegram. Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, told TechCrunch that Amos is “definitively the most prolific stealer on macOS,” and was created with the malware-as-a-service business model, meaning the developers and owners of the malware sell it to the hackers who then deploy it. Wardle also noted that for someone to successfully install on macOS the malicious file found by c/side “the user still has to then manually run it, and jump through a lot of hoops to bypass Apple’s built-in security.” While this may not be the most advanced hacking campaign, given that the hackers rely on their targets to fall for the fake update page and then install the malware, this is a good reminder to update your Chrome browser through its in-built software update feature and to install only trusted apps on your personal devices. Password-stealing malware and the theft of credentials have been blamed for some of the biggest hacks and data breaches in history. In 2024, hackers mass-raided the accounts of corporate giants who hosted their sensitive data with cloud computing giant Snowflake by using passwords stolen from the computers of employees of Snowflake’s customers.This story was updated to include comment from Automattic’s spokesperson.Topics
Senior Reporter, Cybersecurity
Apple CEO says DeepSeek shows ‘innovation that drives efficiency’
Google quietly announces its next flagship AI model
Google issues ‘voluntary exit’ program for Android, Chrome, and Pixel employees
Mark Zuckerberg teases a 2025 return to ‘OG Facebook’
Ai2 says its new AI model beats one of DeepSeek’s best
India lauds Chinese AI lab DeepSeek, plans to host its models on local servers
Report: Majority of US teens have lost trust in Big Tech
Subscribe for the industry’s biggest tech newsEvery weekday and Sunday, you can get the best of TechCrunch’s coverage.TechCrunch’s AI experts cover the latest news in the fast-moving field.Every Monday, gets you up to speed on the latest advances in aerospace.Startups are the core of TechCrunch, so get our best coverage delivered weekly.By submitting your email, you agree to our Terms and Privacy Notice.© 2024 Yahoo.
