WooCommerce admins targeted by fake security patches that hijack sites

A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a "critical patch" that adds a Wordpress backdoor to the site. Recipients that take the bait and download the update are actually installing a malicious plugin that creates a hidden admin account on their website, downloads web shell payloads, and maintains persistent access. The campaign, which was discovered by Patchstack researchers, appears to be a continuation of a similar operation in late 2023 that targeted WordPress users with a fake patch for a made-up vulnerability. Patchstack says both campaigns used an unusual set of web shells, identical payload hiding methods, and similar email content. Fake security alert The emails targeting WordPress admins spoof the popular WooCommerce e-commerce plugin, using the address 'help@security-woocommerce[.]com.' Recipients are informed that their websites were targeted by hackers attempting to exploit an 'unauthenticated admini ... Read full article.