• WooCommerce phishing campaign uses fake patch to lure victims int

    From TechnologyDaily@1337:1/100 to All on Mon Apr 28 17:15:07 2025
    WooCommerce phishing campaign uses fake patch to lure victims into installing backdoors

    Date:
    Mon, 28 Apr 2025 16:00:00 +0000

    Description:
    Researchers are warning about a large-scale, sophisticated attack targeting WooCommerce users.

    FULL STORY
    ======================================================================

    Patchstack spotted a new phishing campaign targeting WooCommerce users
    The email warns the users about a "critical vulnerability" that must be fixed
    The "fix" is actually malware that creates a rogue admin account and drops stage-two malware

    If you are a WooCommerce user, pay attention, since there is a new phishing campaign going around targeting people like yourself.

    Recently, security researchers from Patchstack spotted a new phishing attack, which they described as large-scale and sophisticated. In the attack, the crooks would send an email, warning their targets about a critical vulnerability in their websites that needs to be addressed immediately.

    The email also comes with a Download Patch link which, instead of the supposed fix, actually deploys a malicious WordPress plugin. The plugin is hosted on a website mimicking the WooCommerce Marketplace, and can be spotted in the typosquatted URL "woocommrce[.]com" (notice the character).

    Old actors or new copycats?

    The plugin first hides itself from the list of installed plugins, and then creates a new admin account. It also hides this account from the victim and relays the credentials to the attackers. Finally, it deploys stage-two malware, which includes web shells such as P.A.S.-Fork, p0wny, and WSO.

    Patchstack, which usually tracks WordPress threats, says that a similar campaign was observed back in December 2023, with the key difference being that the phishing email warned about a non-existent CVE. Since both the emails and the malware are rather similar, the researchers speculate that both attacks are either the work of the same threat actor, or that the new campaign is the work of a copycat.

    "They claim the targeted websites are impacted by a (non-existent) 'Unauthenticated Administrative Access' vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website," the researchers explained.

    If you are running a WordPress website with WooCommerce installed, you should scan your site for suspicious plugins and admin accounts, and make sure to update both WordPress and the plugins/themes you are running.
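
    The lookalike-domain lure described above can be checked mechanically, for example in a mail filter or before following a "patch" link. The following is an added example, not code from Patchstack or the article; the trusted-domain list and the accented sample host are assumptions constructed for illustration, and the registrable domain is approximated as the last two labels.

```python
import unicodedata

# Assumption: domains this shop legitimately expects update notices from.
TRUSTED = ("woocommerce.com", "wordpress.org")

def registrable_name(host):
    """Refang, lower-case, decode punycode (xn--) labels, keep last two labels."""
    labels = []
    for label in host.replace("[.]", ".").lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:  # malformed punycode: keep the raw label
                pass
        labels.append(label)
    return ".".join(labels[-2:])  # simplification: no public-suffix list

def skeleton(name):
    """Fold accented letters to their base letter (NFKD, drop combining marks)."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'trusted', 'homograph of X', 'typosquat of X', 'non-ascii' or 'unrelated'."""
    name = registrable_name(host)
    if name in TRUSTED:
        return "trusted"
    folded = skeleton(name)
    for good in TRUSTED:
        if folded == good:
            return f"homograph of {good}"
        if edit_distance(folded, good) <= 1:
            return f"typosquat of {good}"
    return "unrelated" if name.isascii() else "non-ascii"

if __name__ == "__main__":
    # Constructed samples, except the defanged domain as printed in the article.
    for h in ["woocommerce.com", "woocomm\u00e9rce.com", "woocommrce[.]com", "example.org"]:
        print(f"{h:22} -> {classify(h)}")
```

    Accent folding only catches lookalikes built from diacritics; a host that stays non-ASCII after folding is reported as "non-ascii" so it can be reviewed by hand.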

    Via The Hacker News



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/woocommerce-phishing-campaign-uses-fake-patch-to-lure-victims-into-installing-backdoors


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)