WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors

Apr 28, 2025 | Ravie Lakshmanan | Website Security / Malware

Cybersecurity researchers are raising the alarm about a widespread phishing campaign aimed at WooCommerce users. The campaign tricks users into downloading a fake security patch that actually installs a backdoor.

Security firm Patchstack has labeled the campaign as sophisticated, noting its resemblance to a previous attack observed in December 2023. Both campaigns used fake security alerts to breach WordPress sites.

Given the similarities in tactics, it is suspected that the latest campaign is either the work of the same threat actor or a closely related group mimicking the previous one.

“The phishing emails claim that websites are vulnerable to a non-existent ‘Unauthenticated Administrative Access’ issue and direct users to a phishing site disguised as the official WooCommerce website using an IDN homograph attack,” explained security researcher Chazz Wolcott.

Victims are lured to click on a “Download Patch” link, which leads them to a fake WooCommerce Marketplace page on the domain “woocommėrce[.]com.” This page offers a ZIP archive (“authbypass-update-31297-id.zip”) for download.
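The lookalike domain above differs from the real one only by the dotted "ė" (U+0117). As an added example (not from the article or from Patchstack), this Python check flags such hosts by stripping diacritics and comparing the result against an allowlist; the `TRUSTED` set, the function names and the verdict labels are assumptions.

```python
import unicodedata

# Assumption: domains this shop owner actually expects vendor mail to link to.
TRUSTED = {"woocommerce.com", "wordpress.org"}

def refang(host: str) -> str:
    """Undo '[.]' defanging and normalise case."""
    return host.replace("[.]", ".").strip().lower()

def skeleton(host: str) -> str:
    """Strip diacritics: NFKD splits U+0117 into 'e' + U+0307, which is dropped."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def to_ace(host: str) -> str:
    """Punycode (xn--) form, as the host appears in DNS and proxy logs."""
    return host.encode("idna").decode("ascii")

def classify(host: str) -> dict:
    h = refang(host)
    ace, skel = to_ace(h), skeleton(h)
    if h in TRUSTED:
        verdict = "trusted"
    elif skel in TRUSTED:
        verdict = "homograph"      # renders like a trusted name, is not it
    elif ace != h:
        verdict = "idn-unlisted"   # non-ASCII host, no trusted match
    else:
        verdict = "unlisted"
    return {"host": h, "ace": ace, "skeleton": skel, "verdict": verdict}

# Constructed sample: link hosts pulled from an e-mail. The second entry is the
# domain named in the article, kept defanged and written with an explicit escape.
SAMPLE_HOSTS = ["woocommerce.com", "woocomm\u0117rce[.]com", "example.org"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        r = classify(host)
        print(f"{r['verdict']:<12} {r['ace']:<28} looks like {r['skeleton']}")
```

Diacritic stripping catches lookalikes of the kind used here; cross-script substitutions (for example Cyrillic letters) need a confusables table such as the one in Unicode TS #39.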

Upon installation of the fake patch, the attackers gain control over the websites, allowing them to carry out various malicious activities such as injecting spam, redirecting visitors, launching DDoS attacks, and even encrypting server resources for extortion.

Users are advised to check for any suspicious plugins or administrator accounts and keep their software up to date to prevent such attacks.
