FlagThis

A large-scale phishing campaign is actively targeting WordPress WooCommerce users, employing deceptive tactics to compromise their websites. Cybercriminals are sending out fake security alerts, urging recipients to download a "critical patch." Unsuspecting users who fall for the scam and download the so-called patch are actually installing a malicious plugin that creates a hidden administrator account and gives attackers backdoor access to their WordPress sites. This campaign highlights the evolving sophistication of cyber threats against e-commerce platforms.

The phishing emails are designed to mimic official WooCommerce communications and often warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To further deceive users, the attackers employ homograph attacks, using domain names that closely resemble the legitimate WooCommerce website but contain subtle character differences such as 'woocommėrce[.]com'. The fake patch, once installed, allows attackers to inject malicious code, redirect site visitors, or even encrypt server resources for extortion.

Cybersecurity researchers advise WooCommerce users to be extremely cautious when receiving security alerts and to verify the authenticity of any patches directly through official WooCommerce channels. Users should also scan their instances for suspicious plugins or administrator accounts and ensure all software is up to date. The ultimate goal of the attackers is to gain remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme.

ImgSrc: securityaffairs

References :

• Cyber Security News: The Patchstack security team has identified a large-scale, sophisticated phishing campaign targeting WooCommerce users with fake security alerts.
• gbhackers.com: A concerning large-scale phishing campaign targeting WooCommerce users has been uncovered by the Patchstack securpity team, employing a highly sophisticated email and web-based phishing template to deceive website owners.
• The DefendOps Diaries: Phishing campaign exploits WooCommerce admins with fake security patches and deceptive tactics, highlighting advanced cyber threats.
• The Hacker News: Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a critical patch but deploy a backdoor instead.
• BleepingComputer: WooCommerce admins targeted by fake security patches that hijack sites
• Cybernews: Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign, giving them backdoor access to WordPress websites.
• securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.
• hackread.com: Sneaky WordPress Malware Disguised as Anti-Malware Plugin
• securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
• www.bleepingcomputer.com: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.

Classification:

• HashTags: #WooCommerce #Phishing #WordPress
• Company: WooCommerce
• Target: WordPress WooCommerce users
• Product: WooCommerce
• Feature: Phishing Attack
• Malware: Backdoor
• Type: Phishing
• Severity: Medium