- Patchstack spotted a new phishing campaign targeting WooCommerce users
- The email warns the users about a “critical vulnerability” that must be fixed
- The “fix” is actually malware that creates a rogue admin account and drops stage-two malware
If you are a WooCommerce user, pay attention, since there is a new phishing campaign going around targeting people like yourself.
Recently, security researchers from Patchstack spotted a new phishing attack, which they described as “large-scale” and “sophisticated”. In the attack, the crooks would send an email, warning their targets about a critical vulnerability in their websites that needs to be addressed immediately.
The email also comes with a “Download Patch” link which, instead of the supposed fix, actually deploys a malicious WordPress plugin. The plugin is hosted on a website mimicking the WooCommerce Marketplace, and can be spotted in the typosquatted URL “woocommėrce[.]com” (notice the ė character).
Old actors or new copycats?
The plugin first hides itself from the list of installed plugins, and then creates a new admin account. It also hides this account from the victim and relays the credentials to the attackers. Finally, it deploys stage-two malware, which includes web shells such as P.A.S.-Fork, p0wny, and WSO.
Patchstack, which usually tracks WordPress threats, says that a similar campaign was observed back in December 2023, with the key difference being that the phishing email warned about a non-existent CVE. Since both the emails and the malware are rather similar, the researchers speculate that both attacks are either the work of the same threat actor, or that the new campaign is the work of a copycat,
“They claim the targeted websites are impacted by a (non-existent) ‘Unauthenticated Administrative Access’ vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website,” the researchers explained.
If you are running a WordPress website with WooCommerce installed, you should scan your site for suspicious plugins and admin accounts, and make sure to update both WordPress and the plugins/themes you are running.
Via The Hacker News
