Cybercriminals are actively exploiting outdated versions of WordPress and its plug-ins to hijack thousands of websites, tricking visitors into downloading malware, security researchers have discovered.
The large-scale hacking campaign remains ongoing, according to Simon Wijckmans, CEO of web security firm c/side, which uncovered the attack.
The goal of the attackers is to distribute malware capable of stealing passwords and personal data from both Windows and Mac users. Some compromised sites rank among the most popular on the internet, c/side reports. Himanshu Anand, a researcher at the firm, described it as a “spray and pay” attack, meaning it indiscriminately targets anyone visiting the infected websites rather than specific individuals or groups.
When users load an affected website, the page swiftly redirects to a fake Chrome update notification, urging them to download and install the so-called update. If a visitor accepts, the site delivers a malicious file tailored to their operating system, either Windows or macOS.
Wijckmans said his team has notified Automattic, the company behind WordPress.com, providing them with a list of malicious domains involved in the attack. While an Automattic representative acknowledged receipt of the report, the company has not issued an official response.
C/side estimates that over 10,000 websites have been compromised so far. The firm identified infected domains by scanning the web and using reverse DNS lookup techniques.
Bijay Pokharel