A new variant of the infamous ClearFake malware (also known as ClickFix) has been detected and has already managed to compromise thousands of WordPress websites.
GoDaddy researchers claim to have detected a variant of this campaign that installs malicious plugins on WordPress sites. Threat actors use credentials stolen elsewhere (or purchased on the black market) to log into the website's WordPress administrator account and install a seemingly benign plugin.
Victims are then prompted to download an update, which is simply a piece of malware that steals sensitive data or does something else equally sinister.
Thousands of websites compromised
In turn, the plugin displays several pop-ups, asking victims to perform different actions (all of which lead to the installation of information stealers).
The entire process is automated, says GoDaddy, and so far more than 6,000 WordPress websites have fallen victim.
“These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that send fake browser update messages to end users,” the researchers say. The plugins are “seemingly legitimate” because they carry names that are well known in the WordPress world, like Wordfence Security or LiteSpeed Cache.
Here is the full list of plugins detected so far:
LiteSpeed Classic Cache
MonsterInsights Classic
Wordfence Security Classic
Search Ranking Enhancer
SEO Booster Pro
Google SEO Booster
Professional Rank Upgrade
Admin Bar Customizer
Advanced User Manager
Advanced widget management
Content blocker
Universal Popup Plugin
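One way to audit a site's installed plugins against the names above, as an added example that is not from GoDaddy or the original article: it reads the Plugin Name header of each PHP file under wp-content/plugins and reports any that match the list. The sample folder names are constructed, and a name match is only a prompt for manual review of that plugin and of the admin account that installed it.

```python
import re
import sys
import tempfile
from pathlib import Path

REPORTED_NAMES = [  # plugin names exactly as listed in the article
    "LiteSpeed Classic Cache", "MonsterInsights Classic", "Wordfence Security Classic",
    "Search Ranking Enhancer", "SEO Booster Pro", "Google SEO Booster",
    "Professional Rank Upgrade", "Admin Bar Customizer", "Advanced User Manager",
    "Advanced widget management", "Content blocker", "Universal Popup Plugin",
]

# WordPress takes the plugin's display name from a "Plugin Name:" comment header.
HEADER_RE = re.compile(r"^(?:[ \t]*<\?php)?[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)

def normalize(name):
    """Case-fold and collapse whitespace so trivial variations still match."""
    return " ".join(name.replace("*/", "").split()).casefold()

REPORTED = {normalize(n) for n in REPORTED_NAMES}

def plugin_name(php_file):
    """Return the declared plugin name, or None if the file has no header."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    m = HEADER_RE.search(head)
    return m.group(1).strip() if m else None

def scan(plugins_dir):
    """Return sorted (relative path, declared name) pairs whose name is on the list."""
    root = Path(plugins_dir)
    hits = []
    for php in [*root.glob("*.php"), *root.glob("*/*.php")]:  # single file or one folder deep
        name = plugin_name(php)
        if name and normalize(name) in REPORTED:
            hits.append((php.relative_to(root).as_posix(), name))
    return sorted(hits)

def make_sample(root):
    """Constructed sample tree: one plugin using a listed name, one unrelated."""
    for folder, name in [("seo-helper", "SEO Booster Pro"), ("gallery", "My Gallery")]:
        d = Path(root) / folder
        d.mkdir()
        (d / f"{folder}.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: 1.0\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for path, name in scan(sys.argv[1] if len(sys.argv) > 1 else tmp):
            print(f"REVIEW {path}: declares '{name}'")
```

Pass the path to a real wp-content/plugins directory as the first argument to scan it instead of the constructed sample. The match is exact after normalization, so the genuine "Wordfence Security" is not flagged while "Wordfence Security Classic" is.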
ClearFake is a type of malware attack that we have all seen in the past: a website is compromised and used to display a fake pop-up notification. This notification usually imitates an antivirus warning or browser notification and informs the user that their computer is infected with a virus or is out of date and therefore cannot display the desired website.
Via BleepingComputer