Article Details
Scrape Timestamp (UTC): 2025-04-28 08:08:53.338
Source: https://thehackernews.com/2025/04/woocommerce-users-targeted-by-fake.html
Original Article Text
Click to Toggle View
WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors. Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead. WordPress security company Patchstack described the activity as sophisticated and a variant of another campaign observed in December 2023 that employed a fake CVE ploy to breach sites running the popular content management system (CMS). Given the similarities in the phishing email lures, the bogus web pages, and the identical methods employed to conceal the malware, it's believed the latest attack wave is either the work of the same threat actor or it's a new cluster closely mimicking the earlier one. "They claim the targeted websites are impacted by a (non-existent) 'Unauthenticated Administrative Access' vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website," security researcher Chazz Wolcott said. Recipients of the phishing email are urged to click on a "Download Patch" link in order to download and install the supposed security fix. However, doing so redirects them to a spoofed WooCommerce Marketplace page hosted on the domain "woocommėrce[.]com" (note the use of "ė" in place of "e") from where a ZIP archive ("authbypass-update-31297-id.zip") can be downloaded. Victims are then prompted to install the patch as they would install any regular WordPress plugin, effectively unleashing the following series of malicious actions - A net result of the campaign is that it allows the attackers remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme. Users are advised to scan their instances for suspicious plugins or administrator accounts, and ensure that the software is up-to-date.
Daily Brief Summary
A large-scale phishing campaign has been directed at users of WooCommerce, exploiting fears about security vulnerabilities.
Cybersecurity firm Patchstack reported the phishing emails prompt users to download what is claimed to be a critical security patch from a disguised phishing site.
The fake site uses an IDN homograph attack to mimic the legitimate WooCommerce website, deceiving recipients into believing it is authentic.
Downloading and installing the fake patch results in the installation of a backdoor allowing attackers remote control over affected websites.
The cybercriminals behind this scheme are possibly the same group or a new cluster replicating a similar phishing tactic observed in a previous campaign in December 2023.
Consequences of the attack include potential server encrypting for extortion, addition of systems to botnets for DDoS attacks, and redirection of site visitors to malicious sites.
Users are advised to conduct thorough scans for any unusual plugins or admin accounts and to keep their software rigorously updated to prevent such breaches.