Hackers Try to Convince WooCommerce Customers to Install a Malicious Patch for a Non-Existent Vulnerability, via a Targeted and Realistic-Looking Campaign
WooCommerce customers should beware of malicious emails claiming a security issue. Hackers are sending emails supposedly on behalf of WooCommerce itself, warning of an Unauthenticated Administrative Access vulnerability. This vulnerability does not exist, but ironically describes exactly what the attackers themselves want to achieve.
Realistic Page
The email contains a link to a very realistic-looking page that resembles the official WooCommerce website. The domain woocommérce[.]com has one accent too many, but is otherwise well disguised. The site contains a description of the vulnerability and a link to a supposed patch.
Through this link, users arrive at another seemingly safe but fake page where they download a plugin under the guise of a patch. The false patch requests various permissions, which administrators will grant, thinking they are dealing with an official download.
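A mail filter or triage script can catch the accented lookalike domain described above by stripping diacritics from each link's host and comparing the result with an allowlist. This is an added example, not code from WooCommerce or from the original article; the allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumption: the allowlist of genuine vendor domains the organisation trusts.
TRUSTED = {"woocommerce.com", "wordpress.org"}
URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)

def to_unicode(host):
    """Undo defanging and decode xn-- (punycode) labels so both spellings compare alike."""
    labels = []
    for label in host.lower().replace("[.]", ".").rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as written
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """NFKD splits 'é' into 'e' plus a combining accent; dropping the accent leaves 'e'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def matches_trusted(host):
    return host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED)

def classify(host):
    host = to_unicode(host)
    if matches_trusted(host):
        return "trusted"
    if matches_trusted(skeleton(host)):
        return "lookalike"   # only differs from a trusted domain by accents
    if not host.isascii():
        return "non-ascii"   # e.g. other-script homoglyphs: send to manual review
    return "unknown"

def scan(text):
    """Return (host, verdict) for every http(s) link found in a message body."""
    return [(h, classify(h)) for h in URL_HOST.findall(text)]

# Constructed sample message; the first host is the defanged domain named in the article.
SAMPLE_EMAIL = (
    "Urgent: install the security patch from https://woocommérce[.]com/\n"
    "Official site: https://woocommerce.com/\n"
)

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EMAIL):
        print(f"{verdict:10} {host}")
```

Stripping diacritics only covers accent-based lookalikes such as the one in this campaign; characters borrowed from other scripts do not decompose to Latin letters, which is why remaining non-ASCII hosts are flagged separately.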
Complete Access
After installation, attackers have access to the victim’s website via the malicious plugin. The criminals can inject spam, display their own advertisements, or even redirect users to other websites. The server hosting the site can also be misused as part of a botnet, or encrypted.
With their campaign, the attackers cleverly exploit users’ justified fear of security vulnerabilities. The urgency they create with the fabricated vulnerability can prompt administrators to react too quickly and overlook details that reveal the deception. As always, vigilance is key, as is keeping systems up to date, but exclusively with real patches.
