Malware, Threat Intelligence

Widespread WordPress site hack fuels infostealer operation

Over 250 WordPress sites around the world, including those of small businesses, regional media organizations, and a U.S. Senate candidate, have been covertly breached to facilitate sweeping deployment of information-stealing malware as part of a ClickFix attack campaign that has been underway since December, The Register reports.

Illicit code injected into the compromised websites triggered a seemingly legitimate Cloudflare CAPTCHA page that tricks site visitors into copying and executing a malicious command that leads to infostealer delivery, according to a Rapid7 analysis. Such a payload then enables the exfiltration of browser-stored credentials, cryptocurrency wallet details, authentication cookies, and other sensitive information, with threat actors potentially peddling infostealer logs on cybercrime forums. Additional findings revealed that domains tapped in the campaign have been registered between July and August.

"The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort," said researcher Milan Spinka.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds