Hackers abduct WordPress sites to press Windows and Mac Malware

Hackers operate outdated versions of WordPress and plugins to change thousands of websites in an attempt to lure visitors to download and install malware, security researchers found.

The hacker campaign is still “Live”, Simon Wickkmans, founder and CEO of web Security Company C/Side, which opened the attacks, Tuesday told TechCrunch on Tuesday.

The purpose of hackers is to distribute malware capable of stealing passwords and other personal information from both Windows users and MAC. Some of the hacked websites are ranked among the most popular websites on the Internet, according to C/Side.

“It’s a widespread and very commercialized attack,” writes Himanu Anand, who writes Over the company’s findingsHe told TechCrunch. Anand said the campaign is a “spraying and payment attack” that aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.

When the wordpress hacked sites are loaded into the user’s browser, the content is quickly changing to show a fake Chrome browser page by asking to download the visitor to the website and install an update to view the website, the researchers have found. If a visitor accepts the update, the hacker website will prompt the visitor to download a specific malicious file disguised as an update, depending on whether the visitor is on a Windows or Mac computer.

Wijckmans said they have signaled Automattic, the company that develops and distributes WordPress, about the hacker campaign and sent them the list of malicious domains and that their contact with the company confirmed the receipt of their email.

When it was reached by TechCrunch before posting, Megan Fox, a spokesman for Automattic, did not comment.

C/Side said it identifies over 10,000 websites that seem to have been compromised as part of this hacking campaign. Wijckmans said the company has found malicious scripts of several domains by crawling the Internet and performing a DNS search, domain and websites technique connected to a particular IP address that reveals more domains hosted malicious scripts.

TechCrunch could not confirm the accuracy of C/Side figures, but we saw a hacked WordPress website that still shows the malicious content on Tuesday.

From WordPress to infosting malware

The two types of malware that are pressed on malicious websites are known as Amos (or Amos Atomic Stealer), which is aimed at MacOS users; and Socgholish, which is aimed at Windows users.

In May 2023, a cybersecurity company Sentinelone published a report of Amos, classifying malware as infoosterA type of malware designed to infect computers and steal so many usernames and passwords, session cookies, crypto portfolios and other sensitive data that allow hackers to break into the victim’s accounts and steal their digital currency. Cybersecurity Company has been reported At the time, when he had found that hackers were selling access to Telegram’s AMOS malware.

Patrick Wardell, Makos Security Expert and Co -Founder of Launch cybersecurity focused on applesHe told TechCrunch that AMOS was “the final MacOS thefts” and was created with the Malware Business Model as a service, which means that developers and malware owners sell it to hackers who then deploy it.

Wardle also noted that someone to install MacOS successfully, the malicious file found by C/Side, “The user still has to start it manually and skip many hoops to circle Apple’s built -in security.”

Although this may not be the most modern hacker campaign, given that hackers rely on their goals to get on the fake update page and then install malware, this is a good reminder of updating your browser Chrome Through its built -in software update feature And install only reliable applications on your personal devices.

Abuses of password theft and theft of identification data have been accused of some of the biggest hacks and violations of data in history. In 2024, hackers massively collect the accounts of corporate giants that host their sensitive data with Cloud Computing Giant Snowflake Using passwords stolen from Snowflake’s customer employees’ computersS