A new variant of the infamous ClearFake malware (AKA ClickFix) has been detected in the wild and has already managed to compromise thousands of WordPress websites.
GoDaddy researchers claim to have discovered a variant of this campaign, which installs malicious plugins on the website builder’s sites. The threat actors would use credentials stolen elsewhere (or purchased on the black market) to log into the website’s WordPress administrator account and install a seemingly benign plugin.
The victims are then tricked into downloading an update, which is nothing more than a piece of malware that steals sensitive data, or does something else, but equally sinister.
Thousands of compromised websites
In turn, the plugin displays various pop-ups, asking victims to perform various actions (all leading to installation of infostealers).
The entire process is automated, GoDaddy says, and more than 6,000 WordPress websites have fallen victim so far.
“These apparently legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users,” the researchers say. The plugins are “seemingly legitimate” because they carry well-known names in the WordPress world, such as Wordfense Security or LiteSpeed Cache.
Here’s the full list of plugins spotted so far:
LiteSpeed Cache Classic
MonsterInsights classic
Wordfence Security classic
Search Rank Booster
SEOBooster Pro
Google SEO Enhancer
Rank Booster Pro
Admin bar customizer
Advanced user manager
Advanced widget management
Content blocker
Universal popup plugin
ClearFake is a type of malware attack that we have all seen in the past: a website is compromised and used to display a fake pop-up notification. This notification usually mimics an antivirus warning or a browser notification, informing the user that their computer is infected with a virus or is out of date and therefore cannot display the desired website.
Via BleepingComputer