WooCommerce users targeted with fake security vulnerability phishing campaign


Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign that gives the attackers backdoor access to WordPress websites.

Scammers try to entice WooCommerce users to install a ‘critical patch’ to protect their website from a supposed security vulnerability in their WooCommerce installation.

They claim that targeted websites are impacted by a non-existent ‘unauthenticated administrative access’ vulnerability, which supposedly would allow attackers to obtain unauthorized access to the victims’ website and administrative functions.


“If misused, this could compromise user data, including customer details, order details, and payment method data, potentially leading to unauthorized payments, extensive data breaches, or even losing control of your website,” a phishing email addressed to the website owner says.

The email strongly urges WooCommerce users to download and install a patch that supposedly fixes their website. Once they click the download button, they are directed to a fake WooCommerce Marketplace page.

At first glance, the page looks like a legitimate WooCommerce website. On closer inspection, you’ll see you’re visiting a deceptive site called ‘woocommėrce[.]com.’ The Lithuanian character ‘ė’ is used instead of the letter ‘e,’ which is easy to miss. This is called an IDN homograph attack; its goal is to pass the lookalike domain off as the official WooCommerce website.
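As an added illustration of how a defender can spot this kind of lookalike domain (example code written for this article, not from Patchstack or WooCommerce), the check below decodes a host to the punycode form a browser actually resolves, strips diacritics to compare it with the trusted domain, and also flags mixed-script substitutions (e.g. a Cyrillic ‘о’), which the diacritic skeleton alone would miss. The sample hosts are constructed; the ‘ė’ is written as U+0117.

```python
import unicodedata


def skeleton(domain: str) -> str:
    """Reduce a domain to an ASCII-looking skeleton by NFKD-decomposing it and
    dropping combining marks, so 'ė' (U+0117) collapses to 'e'.
    Assumption: this is enough for diacritic lookalikes; other-script
    homoglyphs (Cyrillic, Greek) do not decompose and are caught separately."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def scripts_in(label: str) -> set:
    """Heuristic: derive each letter's script from its Unicode name
    ('LATIN SMALL LETTER E WITH DOT ABOVE' -> 'LATIN')."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def homograph_check(host: str, trusted: str) -> dict:
    """Compare a link's host with a trusted domain and report why it looks wrong."""
    host = host.strip().rstrip(".").lower()
    punycode = host.encode("idna").decode("ascii")  # what DNS really sees
    non_ascii = [ch for ch in host if ord(ch) > 127]
    mixed = any(len(scripts_in(label)) > 1 for label in host.split("."))
    lookalike = host != trusted and skeleton(host) == skeleton(trusted)
    return {
        "host": host,
        "punycode": punycode,
        "non_ascii": non_ascii,
        "mixed_script": mixed,
        "lookalike_of_trusted": lookalike,
        "suspicious": bool(non_ascii) or mixed or lookalike,
    }


if __name__ == "__main__":
    # Constructed samples: the lookalike from the campaign, a Cyrillic variant,
    # and the genuine domain for comparison.
    for sample in ["woocomm\u0117rce.com", "wooc\u043emmerce.com", "woocommerce.com"]:
        print(homograph_check(sample, "woocommerce.com"))
```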

So instead of patching their website, users actually install a plugin that creates a hidden and malicious admin account on their website, downloads an additional obfuscated payload from an attacker-controlled server, and maintains persistent access.

Once the plugin is installed, it can be used for many different attacks, including injecting malware-infected advertisements into the site, redirecting users to a malicious website, abusing the server’s resources for a DDoS attack, exfiltrating sensitive customer information, or a ransomware-enabled extortion scheme.


Researchers at cybersecurity firm Patchstack, who discovered the WooCommerce phishing campaign, note that this campaign doesn’t impact WooCommerce users as long as they don’t download and install the malicious plugin.

“Neither WordPress nor WooCommerce would ever ask you to manually download and install a patch or plugin; they would directly release a new version update instead,” the security experts emphasize.
