- Patchstack has spotted a new phishing campaign targeting WooCommerce users
- The email warns users of a “critical vulnerability” which must be corrected
- The “patch” is actually malicious software that creates a rogue administrator account and drops further malware
If you are a WooCommerce user, be careful because there is a new phishing campaign that targets people like you.
Recently, Patchstack security researchers spotted a new phishing attack, which they described as “large-scale” and “sophisticated”. In the attack, the crooks send an email warning their targets about a critical vulnerability in their websites that must be addressed immediately.
The email also comes with a “download patch” link which, instead of supplying a fix, actually deploys a malicious WordPress plugin. The plugin is hosted on a website imitating the WooCommerce marketplace, which can be spotted by its typosquatted URL, “woocommėrce[.]com” (notice the character ė).
Old actors or new copycats?
The plugin first hides itself from the list of installed plugins, then creates a new administrator account. It also hides this account from the victim and relays the credentials to the attackers. Finally, it deploys malware, which includes web shells such as P.A.S.-Fork, p0wny and WSO.
Patchstack, which generally tracks WordPress threats, says that a similar campaign was observed in December 2023, the main difference being that the phishing email warned of a nonexistent CVE. Since the emails and malware are quite similar, researchers speculate that the two attacks are either the work of the same threat actor, or that the new campaign is the work of a copycat.
“They claim that the targeted websites are affected by an ‘unauthenticated’ vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website,” the researchers said.
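As an added example (not from Patchstack or the original article), the Python below shows one way a mail filter or analyst could flag a link like the one described above: it folds accented letters to their ASCII base and compares the result against a list of genuine domains. The `PROTECTED` list, the function names and the sample links are assumptions made for illustration; the check covers diacritic lookalikes such as ė, and anything else non-ASCII is only reported as such.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the domains your organisation treats as the genuine vendor sites.
PROTECTED = ("woocommerce.com", "wordpress.org")

def to_unicode(host):
    """Decode any xn-- (Punycode) labels so the visible form can be inspected."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw text
        out.append(label)
    return ".".join(out)

def to_ascii(host):
    """Encode non-ASCII labels as xn-- labels, the form that is actually resolved."""
    return ".".join(l if l.isascii() else "xn--" + l.encode("punycode").decode()
                    for l in host.split("."))

def skeleton(host):
    """Fold accented letters to their base letter (e with dot above -> e)."""
    nfkd = unicodedata.normalize("NFKD", host)
    return "".join(c for c in nfkd if not unicodedata.combining(c))

def matches(host, domain):
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return (verdict, ascii_host) for one link extracted from an e-mail."""
    host = to_unicode((urlsplit(url).hostname or "").rstrip("."))
    ascii_host = to_ascii(host)
    if any(matches(host, d) for d in PROTECTED):
        return "genuine", ascii_host
    if any(matches(skeleton(host), d) for d in PROTECTED):
        return "homograph", ascii_host
    if not host.isascii():
        return "non-ascii", ascii_host
    return "unrelated", ascii_host

# Constructed sample links; the second spells the brand with U+0117 (ė).
SAMPLES = ("https://woocommerce.com/products/",
           "https://woocomm\u0117rce.com/constructed-path")
if __name__ == "__main__":
    for url in SAMPLES:
        print(classify(url), url)
```

The second value returned is the `xn--` form of the hostname, which is what appears in DNS and proxy logs and is the safer string to search for.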
If you are running a WordPress site with WooCommerce installed, you must scan your site for suspicious plugins and administrator accounts, and be sure to update WordPress and the plugins and themes you are running.
Via The Hacker News