Security researchers have uncovered a significant cyberattack targeting thousands of websites running outdated WordPress versions and plugins. The attackers aim to deceive visitors into downloading and installing malware that steals sensitive data, including passwords. The attack affects both Mac and Windows computers. The scale of the operation is alarming, and the hackers appear to target anyone who visits these compromised sites.
The Widespread and Commercialized Attack
Simon Wijckmans, the founder of c/side, a web security firm, confirmed that this hacking campaign is still ongoing. Wijckmans emphasized that the attack is highly commercialized and large in scope. Cybersecurity expert Himanshu Anand described the attack as a “spray and pray” assault, meaning the attackers are not targeting specific individuals but instead compromising everyone who visits the affected websites. This approach significantly increases the reach of the attack.
How the Attack Works
Researchers found that when users visit one of the compromised WordPress sites, the site’s content is quickly replaced by a fake Chrome browser update page. This fake page prompts users to download a supposed update to continue using the site. If the user agrees, they are tricked into installing malware built for their device, whether it is a Windows PC or a Mac. The malware disguises itself as a legitimate update.
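The behaviour described above, an injected third-party loader plus a lure page offering a fake browser update, is something a site owner or scanner can look for. The following Python script is an added defender-side example, not code from c/side or from the article: it parses a page, flags scripts loaded from hosts other than the site itself, lure text about an out-of-date browser, and links pointing at executable downloads. The two sample pages and the `.invalid` hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages, not captured from any real site.
CLEAN_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script></head>
<body><h1>Welcome</h1><p>Latest posts below.</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://static.lure-cdn.invalid/loader.js"></script></head>
<body><h1>Welcome</h1>
<div id="overlay">Your Chrome browser is out of date. Update Chrome to continue.
<a href="https://dl.lure-cdn.invalid/GoogleChrome-Update.exe">Update now</a>
<a href="https://dl.lure-cdn.invalid/ChromeUpdate.dmg">Download for Mac</a></div>
</body></html>"""

# Phrases typical of a fake-update lure (heuristic, tune for your own pages).
LURE_TEXT = re.compile(
    r"(browser|chrome)\s+(is\s+)?(out\s*of\s*date|needs?\s+(an\s+)?update)"
    r"|update\s+(your\s+)?(chrome|browser)",
    re.I,
)
# File types a legitimate browser update page would never hand out directly.
PAYLOAD_EXT = re.compile(r"\.(exe|msi|dmg|pkg|zip)(\?|$)", re.I)


class _Collector(HTMLParser):
    """Collect external script sources, anchor targets and visible text."""

    def __init__(self):
        super().__init__()
        self.scripts, self.links, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        self.text.append(data)


def scan_for_fake_update(html, site_host):
    """Return a list of (category, detail) findings for one fetched page.

    site_host is the hostname the page was served from; scripts loaded from
    any other host are reported so an operator can review them.
    """
    parser = _Collector()
    parser.feed(html)
    findings = []

    for src in parser.scripts:
        host = urlparse(src).hostname
        if host and host != site_host:
            findings.append(("third_party_script", src))

    text = " ".join(parser.text)
    match = LURE_TEXT.search(text)
    if match:
        findings.append(("update_lure_text", match.group(0)))

    for href in parser.links:
        if PAYLOAD_EXT.search(href):
            findings.append(("executable_download_link", href))

    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_for_fake_update(page, "blog.example"))
```

Run against the live HTML of each page (for example, fetched with a normal browser user agent, since these injections are often served conditionally) and review anything reported: a script from an unknown host in a WordPress theme or plugin output is the usual first sign that the site, not the visitor, has been compromised.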
Automattic’s Response
Upon discovering the attack, c/side notified Automattic, the company behind WordPress.com. They provided a list of compromised domains to help address the issue. Automattic confirmed receiving the notification. However, Megan Fox, a spokeswoman for Automattic, did not respond to inquiries from Techjuice. Despite this, it’s clear that Automattic is aware of the ongoing threat.
The Scale of the Attack
c/side researchers believe more than 10,000 websites have been affected by this cyberattack. Using reverse DNS lookups, they identified multiple compromised sites. Although Techjuice could not independently verify the data, they observed one compromised WordPress site still displaying malicious content. This suggests that the attack is vast and continues to impact high-traffic websites across the internet.
The Malware Targeting Users
The hackers behind the attack are pushing two distinct types of malware: Amos for macOS users and SocGholish for Windows users. Amos, also known as Amos Atomic Stealer, is an infostealer designed to steal login credentials, session cookies, and other sensitive information. It also targets cryptocurrency wallets. For Windows users, the malware known as SocGholish is similarly dangerous, enabling the hackers to gain access to valuable personal data.
Amos Malware and Its Proliferation
Amos malware is particularly notorious among macOS users. A report from cybersecurity firm SentinelOne revealed that it has become one of the most prevalent infostealers on macOS devices. Amos is sold under a malware-as-a-service model: its creators license it to other hackers, who deploy it. According to macOS security expert Patrick Wardle, Amos is one of the most prolific malware types targeting Apple devices. This highlights the growing threat to macOS users.
Difficulty in Installing Amos on macOS
Wardle further explained that users still need to manually run the malicious file for Amos to install successfully. They must bypass Apple’s built-in security features to complete the installation. While this adds a layer of difficulty, it also means that only users who ignore security warnings are likely to fall victim to the attack. Even so, the persistence of the attackers makes it a significant concern for macOS users.
Precautionary Measures to Take
To avoid falling victim to such attacks, users should always keep their Chrome browser up to date through Chrome’s built-in update feature, which applies updates automatically; a website that asks you to download a browser update is itself a warning sign. Additionally, only downloading apps and software from trusted sources is crucial for preventing malware installation. Hackers rely on users failing to recognize fake update prompts to spread their malicious software.
The Impact of Data Breaches and Malware
The impact of password-stealing malware and credential theft can be catastrophic. Major data breaches have occurred as a result of stolen passwords. In 2024, hackers used passwords obtained from Snowflake clients to breach accounts belonging to high-profile business figures. This highlights the ongoing danger posed by cyberattacks and the importance of safeguarding personal and corporate information from malicious actors.