A new wave of attacks: hackers use WordPress to spy on Windows & Mac
31 January 06:50
Hackers use outdated versions of WordPress and plugins to change the content of websites and force visitors to download malware. This was reported by researchers from c/side, a company specializing in web security, Komersant ukrainskyi reports citing TechCrunch.
The hacker campaign is still ongoing. The goal of the attackers is to spread malicious software that can steal passwords and other personal information of users.
According to c/side, some of the hacked websites are among the most popular sites on the Internet.
“This is a widespread and highly commercialized attack,” the company said.
This campaign is a “spray and pay” attack that aims to compromise anyone who visits these websites, not a specific person or group of people.
What happened
Attackers break into WordPress sites and force visitors to download malware that steals passwords and personal data.
The hacked sites replace their content with a fake Chrome update page. If the visitor agrees to the update, the site prompts them to download a malicious file disguised as the update, chosen according to whether the visitor is using a Windows or Mac computer.
Cybersecurity experts have alerted Automattic, the company that develops and distributes WordPress.com, to the hacking campaign and sent them a list of malicious domains.
Automattic stated that the security of third-party plugins is the responsibility of WordPress plugin developers.
10,000 WordPress sites are spreading malware
Researchers from c/side have identified more than 10,000 sites that have fallen victim to this attack.
The two types of malware being pushed through the malicious websites are known as Amos (or Amos Atomic Stealer), which targets macOS users, and SocGholish, which targets Windows users.
Both of these viruses can steal passwords, cookies, cryptocurrency wallets, and other sensitive data.

To identify the malicious scripts, researchers scanned the Internet and conducted reverse DNS lookups. The attacked sites even include popular resources. Experts emphasize that for macOS, the installation of the virus requires the user to manually run the file and bypass Apple’s protection, but many people may not notice the danger.
How to protect yourself
As a first step, update your WordPress installation. Update your plugins, evaluate their usage, and remove those that are not in use.
Look for the malicious scripts and remove any you find. Attackers often leave a backdoor; find and remove those as well.
If you find these scripts on your site, cybersecurity experts strongly recommend reviewing the logs from the last 90 days to find any signs of compromise or malicious activity.
If you have downloaded any files from the affected websites, it is recommended that you thoroughly clean your system to mitigate potential malware infection.
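One way to carry out the "look for scripts" step above, as an added example that is not from c/side or the original article: the Python below lists every script a saved page loads from a host the site owner has not approved. The host names, the approved list and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner has approved for script loading (assumed values).
APPROVED_HOSTS = {"cdn.example-shop.test"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unapproved_scripts(html, site_host, approved=APPROVED_HOSTS):
    """Return script URLs whose host is neither the site itself nor approved."""
    collector = ScriptCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        # Absolute and protocol-relative (//host/x.js) URLs carry a host;
        # relative paths resolve to the site itself.
        host = (urlparse(src).hostname or site_host).lower()
        if host != site_host.lower() and host not in approved:
            flagged.append(src)
    return flagged


# Constructed sample page: one local script, one approved CDN, one unknown host.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="//unknown-host.example/update.js"></script>
</head><body><script>console.log("inline")</script></body></html>
"""

if __name__ == "__main__":
    for url in unapproved_scripts(SAMPLE_HTML, "www.example-shop.test"):
        print("review:", url)
```

A flagged URL is a prompt for manual review, not proof of compromise; inline scripts are not inspected by this check.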