Hackers are exploiting outdated versions of WordPress and plug-ins to alter thousands of websites in an attempt to trick visitors into downloading and installing malware, security researchers have found.
The hacking campaign is still “very much live,” said Simon Wijckmans, the founder and CEO of web security company c/side, which discovered the attacks.
The hackers’ goal is to spread malware capable of stealing passwords and other personal information from both Windows and Mac users. Some of the hacked websites are ranked among the most popular sites on the internet, according to c/side.
“This is a widespread and very commercialized attack,” said Himanshu Anand, who wrote up the company’s findings. Anand said the campaign is a “spray and pray” attack that aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.
When the hacked WordPress sites load in a user’s browser, the content quickly changes to display a fake Chrome browser update page, requesting the website visitor download and install an update in order to view the website, the researchers found. If a visitor accepts the update, the hacked website will prompt the visitor to download a specific malicious file masquerading as the update, depending on whether the visitor is on a Windows PC or a Mac.
Wijckmans said that they alerted Automattic, the company that develops and distributes WordPress.com, about the hacking campaign and sent them the list of malicious domains, and that their contact at the company acknowledged receipt of their email.
When reached prior to publication, Megan Fox, a spokesperson for Automattic, did not comment by press time. After publication, Automattic said that the security of third-party plugins is ultimately the responsibility of WordPress plugin developers.