GoDaddy Security researchers identified an alarming trend in the growing use of fake WordPress plugins to spread malware to unsuspecting website visitors. These plugins, while appearing legitimate to website administrators, secretly inject malicious code designed to trick users into downloading harmful software. This new attack vector highlights how cybercriminals are evolving their tactics, using swarms of fake plugins to infect thousands of websites worldwide.

The Threat: Fake WordPress Plugins Delivering Malware

The new malware variant, known as ClickFix (or ClearFake), is at the heart of this campaign. Disguised as legitimate WordPress plugins, these fake tools are being used to inject JavaScript into websites. The malware then presents fake browser update prompts to visitors, deceiving them into installing dangerous software like remote access trojans (RATs) and info stealers.

The key innovation in this malware chain is its use of blockchain technology and smart contracts to deliver malicious payloads, a technique dubbed “EtherHiding.” This allows threat actors to obfuscate the origin of the malware, making it harder to track and shut down.

How the Attack Works

The attack chain begins with stolen WordPress admin credentials. Hackers log into compromised websites and install the fake plugins. Once installed, these plugins inject malicious JavaScript that triggers when a visitor accesses the website. This script then delivers a fake browser update notification, using social engineering tactics to convince users to install malware. If successful, the malware compromises the visitor’s system, often leading to data theft or remote access control.

Notably, this attack does not exploit any known vulnerabilities within the WordPress ecosystem itself. Instead, it relies on stolen admin credentials to infiltrate sites, making it essential for website owners to ensure their login details are secure.

The Scope of the Campaign

First observed by GoDaddy researchers in August 2023, the ClickFix malware has already infected more than 25,000 websites worldwide. A more recent variant, tracked since June 2024, has impacted an additional 6,000 websites. These compromised sites unknowingly deliver malware to their visitors, with the infection spreading further as users are tricked into installing malicious software.

What Makes This Attack Dangerous?

The combination of fake plugins, social engineering, and blockchain technology makes this attack particularly insidious. Unlike traditional malware campaigns, which often rely on vulnerabilities in software, this technique exploits website admin credentials to infiltrate a website and distribute malware through fake updates. The use of blockchain and smart contracts further complicates detection, as these technologies are typically associated with legitimate decentralized applications, not malware distribution.

How to Protect Your Website

To prevent falling victim to this kind of attack, website administrators and WordPress users should take the following precautions:

1. Strengthen Login Security: Ensure admin credentials are strong and unique. Implement multi-factor authentication (MFA) to add an extra layer of protection.
2. Regularly Audit Plugins: Only use trusted plugins from verified sources, and regularly audit the plugins installed on your website. If a plugin seems unfamiliar or unnecessary, remove it immediately.
3. Monitor Website Activity: Use tools or remote scanners to detect suspicious activity or unauthorized changes to your website.
4. Keep Software Updated: Ensure that all WordPress installations, themes, and legitimate plugins are up to date, as this reduces the risk of vulnerabilities that attackers could exploit.
5. Educate Your Users: Visitors to your website should be aware of the dangers of fake browser update prompts. Encourage them to avoid clicking on unfamiliar pop-ups and keep their software updated only from trusted sources.

Conclusion

As cybercriminals continue to innovate, the rise of fake WordPress plugins used to spread malware poses a serious threat to website owners and visitors alike. The recent surge in the ClickFix malware campaign underscores the need for website administrators to remain vigilant. By strengthening login security, auditing installed plugins, and employing effective malware detection tools, businesses can better defend against these evolving threats.

With the rise of sophisticated attack techniques like EtherHiding, it is crucial for both website owners and visitors to stay informed and protected in this increasingly hostile digital landscape.