Hackers embed malicious code directly into the HTML. How to secure your resources?
Attackers are actively compromising WordPress sites to install malicious plugins and distribute fake browser updates that conceal data-stealing software.
Since 2023, a campaign called ClearFake has been infecting hacked sites by displaying banners with fake browser updates. In 2024, a similar campaign appeared: ClickFix, which imitates software error messages with supposedly built-in "fixes". These "fixes" run PowerShell scripts that download and install malware.
ClickFix has recently been used to create fake notifications for popular services such as Google Chrome, Google Meet, and Facebook. The attackers also spoof captchas to convince users to perform an "update".
Last week, GoDaddy reported that attackers had hacked more than 6,000 WordPress sites to install fake plugins used to inject these fake notifications. Security researcher Denis Sinegubko explained that plugins are disguised as harmless and even copy the names of legitimate extensions such as Wordfence Security and LiteSpeed Cache.
The attackers also create plugins with fictitious names, including Universal Popup Plugin, SEO Booster Pro, and Custom CSS Injector. These plugins inject malicious JavaScript into the HTML of the affected websites, which causes the fake notifications to be displayed.
Analysis of web server logs shows that the attackers use stolen administrator credentials to log in to sites automatically. The login happens through a single POST request, bypassing the standard login page, which indicates that the credentials were obtained in advance.
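One way to hunt for the log pattern described above, a successful login POST with no preceding request for the login page, shown as an added example that is not from the original article or from GoDaddy's analysis. It assumes combined-format access logs, the default `/wp-login.php` path, and a hypothetical 30-minute window; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/wp-login.php"    # assumption: default WordPress login path
WINDOW = timedelta(minutes=30)  # assumption: how long a fetched login form counts

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Oct/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [21/Oct/2024:10:05:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [21/Oct/2024:10:06:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "curl/8.4"
"""


def find_direct_login_posts(lines, window=WINDOW):
    """Return (ip, iso_time) for successful login POSTs whose client did not
    GET the login page within `window` beforehand."""
    last_form_get = {}  # ip -> time of the most recent GET of the login page
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        if not m["path"].split("?", 1)[0].endswith(LOGIN_PATH):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "GET":
            last_form_get[m["ip"]] = ts
        # WordPress answers a successful login with a 302 redirect;
        # a failed attempt re-renders the form with status 200.
        elif m["method"] == "POST" and m["status"] == "302":
            seen = last_form_get.get(m["ip"])
            if seen is None or ts - seen > window:
                findings.append((m["ip"], ts.isoformat()))
    return findings


if __name__ == "__main__":
    for ip, when in find_direct_login_posts(SAMPLE_LOG.splitlines()):
        print(f"direct login POST without login-page GET: {ip} at {when}")
```

Keying on the client IP means users behind a shared proxy or NAT can mask or trigger a hit, so treat each finding as a lead to correlate with subsequent plugin installs rather than as proof of compromise.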
How the credentials leaked remains unclear, but researchers speculate that they could have been obtained through phishing attacks, brute force, or malware. If fake notifications are detected, site administrators are advised to immediately check the list of plugins, remove suspicious ones, and change passwords to unique ones.