⚠️ Fake WooCommerce Security Patch Phishing Campaign: Protect Your Site
Cybersecurity researchers have identified a sophisticated phishing campaign targeting WooCommerce users. Attackers are sending fake security alerts urging users to download a "critical patch," which, in reality, installs a backdoor on their WordPress sites. This campaign is reminiscent of a similar attack observed in December 2023, suggesting the involvement of the same threat actors or imitators.
How the Attack Works
Victims receive emails claiming their WooCommerce sites are vulnerable to a non-existent "Unauthenticated Administrative Access" issue. The emails prompt users to download a patch from a spoofed WooCommerce Marketplace page hosted on a domain like "woocommėrce[.]com" (note the accented lookalike character standing in for the "e", which makes the domain read like the genuine one at a glance).
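As an added illustration that is not part of the original advisory, the Python check below shows how a defender can triage a link such as the one above: it reveals the "xn--" form the browser would actually resolve, strips the accent to expose the brand being imitated, and returns a verdict. The PROTECTED_DOMAINS list and the sample links are constructed assumptions for this example.

```python
import unicodedata
from urllib.parse import urlparse

# Domains whose lookalikes we want to catch (assumed list for this example).
PROTECTED_DOMAINS = ("woocommerce.com", "wordpress.org")


def skeleton(text: str) -> str:
    """Strip accents so 'woocommėrce' collapses to 'woocommerce'.
    NFKD splits 'ė' into 'e' plus a combining dot; the mark is then dropped."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def analyze_link(url: str) -> dict:
    """Inspect a link from a suspicious mail and report lookalike indicators."""
    # Refang defanged indicators such as 'example[.]com' before parsing.
    host = (urlparse(url.replace("[.]", ".")).hostname or "").rstrip(".")
    non_ascii = sorted({ch for ch in host if ord(ch) > 127})
    try:
        # IDNA encoding exposes the 'xn--' label a resolver would see.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    sk = skeleton(host)
    verdict = "ok"
    for domain in PROTECTED_DOMAINS:
        if sk == domain or sk.endswith("." + domain):
            # Matches the brand only once accents are stripped: homoglyph domain.
            if sk != host:
                verdict = "homoglyph-lookalike"
            break
        if domain.split(".")[0] in sk:
            # Brand name embedded in an unrelated domain, e.g. brand.com.evil.net.
            verdict = "brand-in-foreign-domain"
            break
    return {"host": host, "non_ascii": non_ascii, "punycode": punycode,
            "skeleton": sk, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links modelled on the campaign's spoofed marketplace page.
    for link in ("https://woocommėrce[.]com/marketplace/patch.zip",
                 "https://marketplace.woocommerce.com/",
                 "https://woocommerce.com.example-host.net/patch"):
        print(analyze_link(link))
```

The same skeleton comparison can be run over the sender domain of the mail headers, not only over the link target.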
Once the malicious plugin is installed, it performs several actions:
- Creates a hidden administrator account with obfuscated credentials.
- Sends site information to external servers controlled by the attackers.
- Downloads and installs additional payloads, including web shells like P.A.S.-Fork, p0wny, and WSO.
- Conceals the malicious plugin and the unauthorized admin account from the WordPress dashboard.
Potential Risks
With full control over compromised sites, attackers can:
- Inject spam or malicious advertisements.
- Redirect visitors to fraudulent websites.
- Enlist the server into botnets for DDoS attacks.
- Encrypt server resources and demand ransom.
How to Protect Your Site
To safeguard your WooCommerce store:
- Be cautious of unsolicited emails claiming to be from WooCommerce.
- Verify the authenticity of any security alerts by checking official WooCommerce channels.
- Avoid downloading plugins or patches from unfamiliar sources.
- Regularly update your WordPress core, themes, and plugins from trusted repositories.
- Implement security measures like two-factor authentication and regular backups.