Malware, Threat Intelligence

Infostealer-injecting plugins compromise thousands of WordPress sites

BleepingComputer reports that more than 6,000 WordPress sites have been compromised with malicious plugins displaying fraudulent browser updates that download information-stealing malware as part of a new ClickFix attack campaign that commenced in June.

Intrusions begin with the use of breached admin credentials to access the targeted WordPress site and automatically install the plugins, which include LiteSpeed Cache Classic, Wordfence Security Classic, Google SEO Enhancer, Content Blocker, and Quick Cache Cleaner, among others, according to a report from GoDaddy. Once installed, the malicious plugins hook several WordPress actions to inject malicious JavaScript into the site's HTML. That script retrieves a JavaScript file stored in a Binance Smart Chain contract, which displays the phony software update banners.

Organizations with WordPress sites that have been receiving reports of fake site alerts have been urged to review their installed plugins. Immediate password resets have also been recommended for admin users who discover unknown plugins.
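One way to carry out the plugin review recommended above, as an added example that is not code from GoDaddy, BleepingComputer or SC Media: it reads the `Plugin Name:` header of every plugin under a plugins directory, lists them all for review, and marks exact matches with the names in the report, so the legitimate LiteSpeed Cache plugin is not flagged. The function names, the directory passed on the command line and the sample tree are assumptions constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Plugin names listed in the report above ("among others": not exhaustive).
REPORTED_NAMES = {"litespeed cache classic", "wordfence security classic",
                  "google seo enhancer", "content blocker", "quick cache cleaner"}
# WordPress reads plugin metadata from a "Plugin Name:" header comment.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)

def plugin_name(php_file):
    """Return the Plugin Name header from the first 8 KiB of a file, or None."""
    try:
        with open(php_file, "rb") as fh:
            match = HEADER_RE.search(fh.read(8192))
    except OSError:
        return None
    if not match:
        return None
    return match.group(1).decode("utf-8", "replace").strip(" \t\r*/")

def audit_plugins(plugins_dir):
    """List (relative path, plugin name, matches_report) for every plugin found."""
    root = Path(plugins_dir)
    # Plugins are single PHP files or folders with a main PHP file at top level.
    candidates = sorted(list(root.glob("*.php")) + list(root.glob("*/*.php")))
    results = []
    for php in candidates:
        name = plugin_name(php)
        if name:
            # Compare case-insensitively with runs of whitespace collapsed.
            flagged = " ".join(name.lower().split()) in REPORTED_NAMES
            results.append((str(php.relative_to(root)), name, flagged))
    return results

def make_constructed_tree(root):
    """Build a small constructed plugins directory for the demo; returns root."""
    samples = {"litespeed-cache": "LiteSpeed Cache",
               "wordfence-security-classic": "Wordfence Security Classic",
               "quick-cache-cleaner": "quick cache  cleaner"}
    for slug, name in samples.items():
        (Path(root) / slug).mkdir(parents=True)
        (Path(root) / slug / f"{slug}.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: 1.0\n */\n")
    return root

if __name__ == "__main__":
    # Pass a real plugins directory as the first argument, or run the demo tree.
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_tree(tempfile.mkdtemp())
    for path, name, flagged in audit_plugins(target):
        print(f"{'REPORTED' if flagged else 'review  '}  {name}  ({path})")
```

Lines marked `review` are not cleared; any plugin an administrator does not recognise still needs checking, since the report's list of names is partial.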
