#1 Middle East & Africa Trusted Cybersecurity News & Magazine |

22 C
Dubai
Monday, February 10, 2025
HomeTopics 1Application SecurityThreat Actors Exploit ClickFix Fake Browser Updates Using Stolen Credentials: How to...

Threat Actors Exploit ClickFix Fake Browser Updates Using Stolen Credentials: How to Protect Your Website

Date:

Related stories

spot_imgspot_imgspot_imgspot_img

In a rapidly evolving cybersecurity landscape, new attack vectors are emerging at an alarming rate. One of the latest trends involves threat actors leveraging stolen credentials to distribute malicious fake browser updates through infected websites. Known as the ClickFix campaign, these attacks have targeted thousands of websites globally, using fake WordPress plugins to inject malicious scripts that lead unsuspecting users to download harmful software. This article delves into the mechanics of this attack, its impact, and how cybersecurity professionals can safeguard against such threats.

The ClickFix Campaign: An Overview
The ClickFix malware campaign first came to light in August 2023, identified by GoDaddy’s security researchers. In a new twist to classic social engineering, attackers use stolen WordPress admin credentials to install fake plugins on compromised websites. These seemingly legitimate plugins are equipped with malicious JavaScript code, which triggers fake browser update prompts on end-users’ screens. Users who fall for the fake updates end up installing malware, ranging from information stealers like Vidar Stealer to remote access trojans (RATs).

A notable aspect of these attacks is the use of blockchain technology and smart contracts. The malicious payloads are distributed via EtherHiding—a method of embedding code within Ethereum transactions, making detection even more difficult. Since its discovery, the ClickFix malware has been detected on over 6,000 sites globally, according to SiteCheck’s remote website scanner, with the numbers rising as the campaign continues.

Fake WordPress plugins 

“The fake plugins use generic names such as “Advanced User Manager” or “Quick Cache Cleaner”. Their directories contain only 3 small files: 

wp-content/plugins/quick-cache-cleaner/ 

-rw-r--r--  1 [redacted] [redacted] 6148 Sep  2 01:15 .DS_Store 
-rw-r--r--  1 [redacted] [redacted]  829 Sep  2 01:15 index.php 
-rw-r--r--  1 [redacted] [redacted] 2255 Sep  2 01:15 qcc-script.js 
wp-content/plugins/advanced-user-manager/ 

-rw-r--r--  1 [redacted] [redacted] 2255 Sep  3 00:57 aum-script.js 
-rw-r--r--  1 [redacted] [redacted]  833 Sep  3 00:57 index.php 
-rw-r--r--  1 [redacted] [redacted] 6148 Sep  3 00:57 .DS_Store  

Researchers quickly noticed the JavaScript file naming pattern consisting of the first letter of each word in the plugin name, appended with “-script.js”. For example, the “Advanced User Manager” plugin contains the aum-script.js file. 

This naming convention allowed our researchers to detect several malicious plugins, including the Easy Themes Manager, Content Blocker, Custom CSS Injector, etc. In some cases, the malicious JavaScript file is simply named script.js

Plugin name Injected script 
Admin Bar Customizer admin-bar-customizer/abc-script.js 
Advanced User Manager advanced-user-manager/aum-script.js 
Advanced Widget Manage advanced-widget-manage/awm-script.js 
Content Blocker content-blocker/cb-script.js 
Custom CSS Injector custom-css-injector/cci-script.js 
Custom Footer Generator custom-footer-generator/cfg-script.js 
Custom Login Styler custom-login-styler/cls-script.js 
Dynamic Sidebar Manager dynamic-sidebar-manager/dsm-script.js 
Easy Themes Manager easy-themes-manager/script.js 
Form Builder Pro form-builder-pro/fbp-script.js 
Quick Cache Cleaner quick-cache-cleaner/qcc-script.js 
Responsive Menu Builder responsive-menu-builder/rmb-script.js 
SEO Optimizer Pro seo-optimizer-pro/sop-script.js 
Simple Post Enhancer simple-post-enhancer/spe-script.js 
Social Media Integrator social-media-integrator/smi-script.js 

Most of these malicious fake plugins have over five hundred detections on PublicWWW at the time of writing. Based on the analysis done by GoDaddy Security, we estimate over 6,000 unique domains worldwide have been impacted by this recent variant.

Plugin code 

The contents of the fake plugins are pretty simple. You can view the entire PHP code (including comments) on one screen. 

Custom CSS generator plugin code

 
All information in the plugin metadata is fake (the Plugin Name, URL, Description, Version, Author, Author URI, etc) but it looks pretty plausible at first glance. ” GoDaddy.

How ClickFix Works
Threat actors initiate their attacks by infiltrating WordPress sites using stolen credentials. Once inside, they install fake plugins with generic names like “Advanced User Manager” or “Quick Cache Cleaner.” These plugins contain minimal code, designed to avoid detection. The main threat, however, lies within JavaScript files like qcc-script.js and aum-script.js, which are embedded in WordPress pages. These scripts display fake browser update prompts to website visitors, often mimicking legitimate updates for popular browsers like Chrome or Firefox.

The malicious JavaScript code is designed to download malware onto the victim’s device. The code interacts with blockchain smart contracts, using them to fetch the payload. Once executed, the malware can allow attackers to gain control over the infected system, steal sensitive information, or even further propagate the attack to other users.

The Scale of the Attack
By June 2024, over 6,000 websites were confirmed to have been compromised by the latest ClickFix variant, according to GoDaddy’s security reports. These compromised websites span multiple industries and countries, affecting unsuspecting visitors who trust the legitimacy of the sites they visit. The fake plugins have also been identified by public databases like PublicWWW, with over 500 detections per plugin, further highlighting the widespread nature of this threat.

In many cases, attackers were found using auto-generated fake plugins that mimicked legitimate ones, such as “LiteSpeed Cache Classic” or “SEO Booster Pro.” These plugins contained a single index.php file designed to inject the ClickFix JavaScript into web pages. Once the malicious script is in place, the malware can continue its work without drawing attention, making it difficult for website owners to detect and remove the threat.

10 Key Strategies to Prevent ClickFix Attacks
With the ClickFix malware spreading rapidly, it’s crucial for website administrators and cybersecurity professionals to take proactive steps to protect their systems. Here are 10 essential strategies to prevent similar threats in the future:

  1. Enable Multi-Factor Authentication (MFA): Protect your WordPress admin accounts with MFA to prevent unauthorized access, even if credentials are stolen.
  2. Regularly Audit Plugins: Regularly check all installed plugins and remove any that are outdated, unused, or from unverified sources.
  3. Use Security Plugins: Install reputable security plugins that can monitor file integrity and detect malicious code injections in real-time.
  4. Enforce Strong Password Policies: Ensure that all admin accounts use strong, unique passwords and enforce regular password changes.
  5. Limit Login Attempts: Configure WordPress to limit login attempts and block IP addresses after multiple failed attempts, reducing the risk of brute force attacks.
  6. Monitor Website Traffic and Logs: Use tools to monitor web traffic and server logs for unusual activity that could indicate a breach.
  7. Update WordPress and Plugins Regularly: Keep your WordPress installation and plugins updated to the latest versions to protect against known vulnerabilities.
  8. Backup Website Data Frequently: Regular backups will ensure that you can quickly restore your website in the event of a compromise.
  9. Use a Web Application Firewall (WAF): A WAF can help block malicious traffic before it reaches your website, acting as a first line of defense.
  10. Conduct Regular Security Audits: Periodically review your website’s security posture with professional audits to identify and fix any weaknesses.

Conclusion
The ClickFix malware campaign is a prime example of how cybercriminals are evolving their tactics, leveraging sophisticated techniques like blockchain to conceal malicious activity. By using fake browser updates as a social engineering tool, attackers can easily trick users into downloading harmful software. For website administrators, the importance of securing credentials, auditing plugins, and implementing multi-layered defenses cannot be overstated. As the cybersecurity landscape continues to shift, staying vigilant and employing best practices is the key to safeguarding against threats like ClickFix.

Source: GoDaddy

Want to stay on top of cybersecurity news? Follow us on Facebook – X (Twitter) – Instagram – LinkedIn – for the latest threats, insights, and updates!

Ouaissou DEMBELE
Ouaissou DEMBELEhttp://cybercory.com
Ouaissou DEMBELE is an accomplished cybersecurity professional and the Editor-In-Chief of cybercory.com. He has over 10 years of experience in the field, with a particular focus on Ethical Hacking, Data Security & GRC. Currently, Ouaissou serves as the Co-founder & Chief Information Security Officer (CISO) at Saintynet, a leading provider of IT solutions and services. In this role, he is responsible for managing the company's cybersecurity strategy, ensuring compliance with relevant regulations, and identifying and mitigating potential threats, as well as helping the company customers for better & long term cybersecurity strategy. Prior to his work at Saintynet, Ouaissou held various positions in the IT industry, including as a consultant. He has also served as a speaker and trainer at industry conferences and events, sharing his expertise and insights with fellow professionals. Ouaissou holds a number of certifications in cybersecurity, including the Cisco Certified Network Professional - Security (CCNP Security) and the Certified Ethical Hacker (CEH), ITIL. With his wealth of experience and knowledge, Ouaissou is a valuable member of the cybercory team and a trusted advisor to clients seeking to enhance their cybersecurity posture.

Subscribe

- Never miss a story with notifications

- Gain full access to our premium content

- Browse free from up to 5 devices at once

Latest stories

spot_imgspot_imgspot_imgspot_img

LEAVE A REPLY

Please enter your comment!
Please enter your name here