Cybercriminals are taking advantage of outdated WordPress versions and vulnerable plugins to compromise thousands of websites, tricking visitors into downloading and installing malicious software, according to security researchers.
The attack campaign is still active, warns Simon Wijckmans, founder and CEO of web security firm c/side, which discovered the breach. The goal of these hackers is to distribute malware capable of stealing passwords and personal data from both Windows and Mac users. Some of the affected websites rank among the most visited on the internet, increasing the scale of the threat.
“This is a widespread and highly commercialised attack,” explains Himanshu Anand, a researcher at c/side. Unlike targeted cyberattacks, this campaign uses a “spray and pray” approach, aiming to infect as many users as possible rather than focusing on a specific target.
How the Attack Works
When a compromised WordPress website loads, it rapidly redirects to a fraudulent page imitating a Chrome browser update. The unsuspecting visitor is prompted to download and install an update to continue viewing the site. However, this so-called update is actually a piece of malware—specifically tailored for the visitor’s operating system. If the visitor is using Windows, they receive one type of malware, while Mac users get another.
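The redirect described above leaves traces in the compromised page's HTML that a site owner can scan for. The following Python script is an added example, not c/side's or Blink Web's code: it flags script tags loaded from hosts outside an allowlist, meta-refresh redirects, and inline JavaScript that reassigns `location`. The allowlist, the sample page and its hostnames (`example-site.test`, `update-check.invalid`) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumption: maintained by the site owner).
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdnjs.cloudflare.com"}
# Inline-script constructs commonly used to bounce a visitor to another page.
REDIRECT_INDICATORS = [
    ("location assignment", re.compile(r"\blocation(\.href)?\s*=[^=]", re.I)),
    ("location.replace()", re.compile(r"\blocation\.replace\s*\(", re.I)),
]

class PageAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script_buf = None  # collects inline script text until </script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
            host = urlparse(a.get("src") or "").netloc.lower()
            if host and host != self.site_host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(f"external script from unapproved host: {host}")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh redirect: {a.get('content')}")

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body, self._script_buf = "".join(self._script_buf), None
            for label, pattern in REDIRECT_INDICATORS:
                if pattern.search(body):
                    self.findings.append(f"inline script redirect via {label}")

def audit_page(html, site_host):
    # Returns human-readable findings for one page; an empty list means nothing was flagged.
    auditor = PageAuditor(site_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a first-party script, an injected loader from an unknown host,
# and an inline snippet that sends Windows visitors to a fake update page.
SAMPLE_PAGE = """<html><head><script src="https://example-site.test/wp-includes/js/jquery.js"></script>
<script src="https://static.update-check.invalid/loader.js"></script>
<script>if (navigator.userAgent.indexOf("Win") > -1) { window.location.href = "https://update-check.invalid/chrome"; }</script>
</head><body><p>Welcome</p></body></html>"""
```

Run it against HTML fetched from your own site (for example with `curl`) and review any hostnames it reports against your theme and plugin inventory.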
Wijckmans states that they reported the issue to Automattic, the company behind WordPress.com, providing details of the malicious domains. While Automattic acknowledged receipt of the report, they later clarified that plugin security is ultimately the responsibility of third-party developers.
“There are specific guidelines plugin authors must follow to maintain the quality and security of their plugins. Additionally, they have access to a Plugin Handbook covering best practices and security management,” a spokesperson for Automattic explained.
Over 10,000 Websites Affected
C/side’s analysis indicates that over 10,000 websites have been compromised in this campaign. By crawling the internet and conducting reverse DNS lookups, researchers identified multiple domains hosting the malicious scripts. While TechCrunch was unable to independently verify these numbers, it did observe an infected WordPress site still displaying the fraudulent content.
Malware Types Used
The two primary malware strains being distributed are Amos (also known as Amos Atomic Stealer), which targets macOS users, and SocGholish, which infects Windows machines.
Amos is classified as an infostealer, designed to harvest usernames, passwords, session cookies, cryptocurrency wallets, and other sensitive data. Cybersecurity firm SentinelOne previously reported that hackers were selling access to this malware on Telegram.
Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, describes Amos as “the most prolific stealer on macOS.” He notes that while Apple’s built-in security measures make installation difficult, users who manually bypass these protections are at risk.
How to Stay Protected
This attack does not depend on advanced exploitation techniques; it works by tricking users into installing malicious software themselves. To protect yourself:
- Only update Chrome via its built-in update feature. Avoid downloading updates from unfamiliar websites.
- Install apps only from trusted sources.
- Ensure your website and its plugins are always up to date.
- Use reliable security plugins and malware scanners.
Keep Your WordPress Site Secure with Blink Web
At Blink Web, we offer WordPress maintenance packages designed to protect your website from vulnerabilities and hacking attempts. Our services include:
- Regular updates for WordPress core, themes, and plugins to minimise security risks.
- Security monitoring and malware scanning to detect and remove threats.
- Automated backups so your data is always safe.
- Firewall protection to block suspicious activity.
Don’t let your website become a target. Contact Blink Web today to learn how our WordPress security solutions can keep your business safe online.