- Patchstack has spotted a new phishing campaign aimed at WooCommerce users
- The email warns recipients about a “critical vulnerability” that must be fixed immediately
- The “patch” is actually malware that creates a rogue administrator account and drops two-stage malware, including web shells
If you are a WooCommerce user, pay attention: there is a new phishing campaign targeting people like you.
Patchstack security researchers recently observed a new phishing campaign, which they describe as “large-scale” and “sophisticated.” In the attack, the criminals send an email warning their targets about a critical vulnerability on their websites that must be addressed immediately.
The email also carries a “Download Patch” link that, instead of the promised fix, installs a malicious WordPress plugin. The plugin is hosted on a website that mimics the WooCommerce marketplace, reachable via the lookalike domain “Woocommėrce[.]com” (note the ė character in place of the Latin e).
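The lookalike domain works because the browser shows the Unicode form while DNS sees the ASCII “xn--” punycode form. The following added example (my own code, not Patchstack’s tooling, and not part of the original article) shows how a mail gateway or triage script can catch such a link: it decodes the host, converts it to the punycode form that actually goes on the wire, and reduces it to a “skeleton” in which accents are stripped and a few common Cyrillic/Greek lookalike letters are mapped to their Latin twins before comparing it against an allow-list. The allow-list, the URL path and the confusables table are constructed for the example; the confusables map is a small hand-picked subset, not the full Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Hand-picked lookalike letters (assumption for this example; the real Unicode
# confusables table is far larger).  Keys are lowercase code points.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0445": "x",  # Cyrillic х
    "\u0443": "y",  # Cyrillic у
    "\u0456": "i",  # Cyrillic і
    "\u03bf": "o",  # Greek ο
}

# Constructed allow-list of hosts that are allowed to ship WooCommerce updates.
LEGIT_HOSTS = {"woocommerce.com", "wordpress.org"}

# Constructed sample link modelled on the campaign's domain; the path is made up.
SUSPECT_LINK = "https://woocomm\u0117rce.com/download-patch"


def to_punycode(host: str) -> str:
    """Return the ASCII (xn--) form of a host, i.e. what DNS actually resolves."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Decode an xn-- host back to the Unicode string a browser would display."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:          # already contains non-ASCII: nothing to decode
        return host


def skeleton(host: str) -> str:
    """Collapse a host to its visual skeleton: drop combining accents (ė -> e)
    and replace lookalike letters from CONFUSABLES with their Latin twins."""
    out = []
    for ch in unicodedata.normalize("NFKD", to_unicode(host).lower()):
        if unicodedata.combining(ch):
            continue              # drops U+0307 (dot above) left over from ė
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def host_of(url: str) -> str:
    """Extract the (lowercased) hostname from a URL, or '' if there is none."""
    return urlsplit(url).hostname or ""


def classify(url: str, legit_hosts=LEGIT_HOSTS) -> str:
    """'legit' for an allow-listed host, 'homograph' when the host only looks
    like an allow-listed one, 'unknown' otherwise."""
    host = to_unicode(host_of(url))
    if host in legit_hosts:
        return "legit"
    if skeleton(host) in {skeleton(h) for h in legit_hosts}:
        return "homograph"
    return "unknown"


if __name__ == "__main__":
    host = host_of(SUSPECT_LINK)
    print("displayed host :", host)
    print("on the wire    :", to_punycode(host))
    print("skeleton       :", skeleton(host))
    print("verdict        :", classify(SUSPECT_LINK))
```

The same check works whether the phishing email carries the Unicode form or the already-encoded `xn--` form, because `classify` normalises both to Unicode before building the skeleton. Note that the allow-list match is on the exact host: a genuine subdomain such as a legitimate vendor CDN would come back as `unknown`, not `legit`, so extend `LEGIT_HOSTS` deliberately rather than loosening the comparison.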
Old actors or new imitators?
The first-stage plugin hides itself from the list of installed plugins and then creates a new administrator account. It also hides that account from the victim and sends its credentials to the attackers. Finally, it deploys the second-stage malware, which includes web shells such as PAS-Fork, P0wny and WSO.
Patchstack, which routinely tracks WordPress threats, says a similar campaign was observed in December 2023, the key difference being that that phishing email warned about a non-existent CVE. Since both the emails and the malware are quite similar, the researchers speculate either that both attacks are the work of the same threat actor or that the new campaign is the work of a copycat.
“They claim that the targeted websites are affected by a (non-existent) ‘administrative access’ vulnerability, and urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website,” the researchers explained.
If you are running a WordPress website with WooCommerce installed, scan your site for suspicious plugins and administrator accounts, and make sure both WordPress and the plugins and themes you run are kept up to date.
Via The Hacker News