Hackers are exploiting outdated versions of WordPress and plug-ins to alter thousands of websites. They are trying to trick visitors into downloading and installing malware. The hacking campaign is still “very much live,” said Simon Wijckmans.
He is the founder and CEO of web security company c/side, which discovered the attacks. The hackers’ goal is to spread malware capable of stealing passwords and other personal information from both Windows and Mac users. Some of the hacked websites are ranked among the most popular sites on the internet, according to c/side.
“This is a widespread and very commercialized attack,” said Himanshu Anand, who documented the company’s findings. Anand described the campaign as a “spray and pray” attack. It aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.
WordPress vulnerabilities lead to malware
When the hacked WordPress sites load in a user’s browser, the content quickly changes to display a fake Chrome browser update page. It prompts the website visitor to download and install an update, the researchers found.
If a visitor accepts the update, the hacked website prompts the visitor to download a malicious file masquerading as the update; which file is served depends on whether the visitor is on a Windows PC or a Mac. Wijckmans said that c/side alerted Automattic about the hacking campaign and sent the company a list of malicious domains.
Automattic is the company that develops and distributes WordPress.com. c/side's contact at Automattic acknowledged receipt of the email. Megan Fox, a spokesperson for Automattic, was reached for comment prior to publication but did not respond by press time.
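The fake-update page described above is typically delivered by a script or frame that the intruder injects into the site's HTML, loaded from a domain the site owner never approved. One routine defender check is to inventory the external script and iframe sources a page actually loads and flag any host that is not on the site's own allowlist. The following is an added example written for this article, not code from c/side or from the WordPress project; the sample HTML and every hostname in it are constructed placeholders, not domains from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a page's HTML, standing in for what a crawler fetched
# from a WordPress site. The hostnames are placeholders, not real indicators.
SAMPLE_HTML = """
<html><head>
<script src="https://example-site.test/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-site.test/theme.js"></script>
<script src="https://unknown-third-party.test/loader.js"></script>
<script>document.title = "Example";</script>
</head><body>
<iframe src="https://unknown-frame.test/update"></iframe>
</body></html>
"""


class ExternalResourceCollector(HTMLParser):
    """Collect the src attribute of <script> and <iframe> tags, the usual
    carriers of injected redirect or fake-update code."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def collect_sources(html):
    """Return a list of (tag, url) pairs for every script/iframe with a src."""
    parser = ExternalResourceCollector()
    parser.feed(html)
    return parser.sources


def flag_unexpected_hosts(html, allowed_hosts):
    """Return the (tag, url) pairs whose host is not on the site's allowlist.

    Relative URLs (no host) are same-origin and are not flagged; an attacker
    who can write to the site's own files is a separate problem that an
    integrity check of the WordPress install, not this script, would catch.
    """
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for tag, url in collect_sources(html):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed:
            flagged.append((tag, url))
    return flagged


if __name__ == "__main__":
    site_allowlist = ["example-site.test", "cdn.example-site.test"]
    for tag, url in flag_unexpected_hosts(SAMPLE_HTML, site_allowlist):
        print(f"unexpected {tag} source: {url}")
```

Run against a page fetched from the site (a plain `urllib.request` fetch, or the output of a headless browser if the injection only appears after scripts execute), a non-empty result is a prompt to compare the live files against a clean copy of WordPress core and the installed plugins, which is where the outdated components the article mentions would show up.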
After publication, Automattic said that the security of third-party plugins is ultimately the responsibility of WordPress plugin developers.