{"id":651459,"date":"2025-01-30T01:25:14","date_gmt":"2025-01-29T22:25:14","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/hackers-are-hijacking-wordpress-sites-to-push-windows-and-mac-malware\/"},"modified":"2025-01-30T01:25:14","modified_gmt":"2025-01-29T22:25:14","slug":"hackers-are-hijacking-wordpress-sites-to-push-windows-and-mac-malware","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/hackers-are-hijacking-wordpress-sites-to-push-windows-and-mac-malware\/","title":{"rendered":"#Hackers are hijacking WordPress sites to push Windows and Mac malware"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">Hackers are exploiting outdated versions of WordPress and plugins to alter thousands of websites in an attempt to trick visitors to <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">download<\/a> and install malware, security researchers have found.<\/p>\n<p class=\"wp-block-paragraph\">The hacking campaign is still \u201cvery much live,\u201d Simon Wijckmans, the founder and CEO of web security company c\/side, which discovered the attacks, told TechCrunch on Tuesday.<\/p>\n<p class=\"wp-block-paragraph\">The hackers\u2019 goal is to spread malware capable of stealing passwords and other personal information from both Windows and Mac users. Some of the hacked websites are ranked among the most popular sites on the internet, according to c\/side.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cThis is a widespread and very commercialized attack,\u201d Himanshu Anand, who wrote <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/cside.dev\/blog\/10-000-wordpress-websites-found-delivering-macos-and-microsoft-malware\">up the company\u2019s findings<\/a>, told TechCrunch. 
Anand said the campaign is a \u201cspray and pay\u201d attack that aims to compromise anyone who visits these websites rather than targeting a specific person or group of people.<\/p>\n<p class=\"wp-block-paragraph\">When the hacked WordPress sites load in a user\u2019s browser, the content quickly changes to display a fake Chrome browser update page, requesting the website visitor download and install an update in order to view the website, the researchers found. If a visitor accepts the update, the hacked website will prompt the visitor to download a specific malicious file masquerading as the update, depending on whether the visitor is on a Windows PC or a Mac.<\/p>\n<p class=\"wp-block-paragraph\">Wijckmans said that they alerted Automattic, the company that develops and distributes WordPress, about the hacking campaign and sent them the list of malicious domains, and that their contact at the company acknowledged receipt of their email.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When reached by TechCrunch prior to publication, Megan Fox, a spokesperson for Automattic, did not comment.<\/p>\n<p class=\"wp-block-paragraph\">C\/side said it identified over 10,000 websites that appear to have been compromised as part of this hacking campaign. 
Wijckmans said the company detected malicious scripts on several domains by crawling the internet and then performing reverse DNS lookups, a technique that finds the domains and websites associated with a given IP address; this revealed more domains hosting the malicious scripts.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">TechCrunch could not confirm the accuracy of c\/side\u2019s figures, but we saw one hacked WordPress website that was still displaying the malicious content on Tuesday.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-from-wordpress-to-infostealing-malware\"><strong>From WordPress to infostealing malware<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The two types of malware that are being pushed on the malicious websites are known as Amos (or Amos Atomic Stealer), which targets macOS users; and SocGholish, which targets Windows users.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In May 2023, cybersecurity firm SentinelOne <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.sentinelone.com\/blog\/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram\/?ref=content.cside.dev\">published a report<\/a> on Amos, classifying the malware as an infostealer, a type of malware designed to infect computers and steal as many usernames and passwords, session cookies, crypto wallets, and other sensitive data as it can; that data allows the hackers to further break into the victim\u2019s accounts and steal their digital currency. 
<a rel=\"nofollow\" target=\"_blank\" href=\"http:\/\/cyble.com\/blog\/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram\/?ref=content.cside.dev\">Cybersecurity firm Cyble reported<\/a> at the time that it had found that hackers were selling access to the Amos malware on Telegram.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, told TechCrunch that Amos is \u201cdefinitively the most prolific stealer on macOS,\u201d and was created with the malware-as-a-service business model, meaning the developers and owners of the malware sell it to the hackers who then deploy it.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Wardle also noted that for someone to successfully install the malicious file found by c\/side on macOS, \u201cthe user still has to then manually run it, and jump through a lot of hoops to bypass Apple\u2019s built-in security.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">While this may not be the most advanced hacking campaign, given that the hackers rely on their targets to fall for the fake update page and then install the malware, it is a good reminder to update your Chrome browser <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/support.google.com\/chrome\/answer\/95414?hl=en&amp;co=GENIE.Platform%3DDesktop\">through its built-in software update feature<\/a> and to install only trusted apps on your personal devices.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Password-stealing malware and the theft of credentials have been blamed for some of the biggest hacks and data breaches in history. 
In 2024, hackers mass-raided the accounts of corporate giants who hosted their sensitive data with cloud computing giant Snowflake by using passwords stolen from the computers of employees of Snowflake\u2019s customers.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techcrunch.com\/2025\/01\/29\/hackers-are-hijacking-wordpress-sites-to-push-windows-and-mac-malware\/\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are exploiting outdated versions of WordPress and plugins to alter thousands of websites in an attempt to trick visitors to download and install malware, security researchers have found. 
The hacking campaign is still \u201cvery much live,\u201d Simon Wijckmans, the founder and CEO of web security company c\/side, which discovered the attacks, told TechCrunch on&#8230;<\/p>\n","protected":false},"author":1,"featured_media":651460,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/techcrunch.com\/wp-content\/uploads\/2024\/09\/wordpress-v2.jpg?resize=1200,675","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[75857,76849,5029,152058,88988,70375,154000,72287,72780],"class_list":["post-651459","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-malware","tag-wordpress","tag-apple","tag-automattic","tag-chrome","tag-cybersecurity","tag-macos","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/651459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=651459"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/651459\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/651460"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=651459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=651459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=651459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/
{rel}","templated":true}]}}