
A new phishing campaign is targeting WooCommerce users with fake security vulnerability alerts, attempting to trick them into installing malicious plugins. The Patchstack team has been monitoring this large-scale operation, noting its similarity to previous phishing attacks.
The emails warn of a nonexistent “Unauthenticated Administrative Access” vulnerability in WooCommerce and urge recipients to download a “security patch” from a phishing site that closely mimics the official WooCommerce marketplace.
The message is professionally crafted and sent from help@security-woocommerce[.]com; its download link points at a spoofed domain such as woocommėrce[.]com. This is an IDN homograph attack: the ASCII “e” of the real name is replaced with “ė” (Latin small letter e with dot above, U+0117), which renders almost identically in a mail client or address bar while resolving to an entirely different registration.

“Once you click on the Download Patch button in the email, you are directed to a fake WooCommerce Marketplace page… Note the ė in this domain.”
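The homograph trick can be caught mechanically before anyone clicks. The following Python is an added example written for this article, not code from Patchstack or WooCommerce: it reduces a domain to an accent-stripped "skeleton", compares that with a protected-domain list, and renders the punycode wire form that the address bar hides. The protected-domain list and the "lookalike" heuristic for ASCII names that merely embed the brand (such as the sender domain above) are assumptions made for the example.

```python
import unicodedata

# Domains we want to protect. Constructed for this example; a real deployment
# would load the organisation's own brand list.
PROTECTED_DOMAINS = {"woocommerce.com", "wordpress.org"}
BRAND_LABELS = {d.split(".")[0] for d in PROTECTED_DOMAINS}  # {"woocommerce", "wordpress"}


def skeleton(domain: str) -> str:
    """Strip diacritics: NFD splits 'ė' (U+0117) into 'e' + U+0307, and the
    combining mark (Unicode category Mn) is then dropped, so
    'woocommėrce' -> 'woocommerce'. This is a simplified stand-in for a full
    Unicode TR39 confusable skeleton (it does not map Cyrillic/Greek look-alikes)."""
    decomposed = unicodedata.normalize("NFD", domain.lower())
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def to_punycode(domain: str) -> str:
    """Wire form of the name; any label with non-ASCII characters becomes an xn-- label."""
    return domain.encode("idna").decode("ascii")


def check_domain(domain: str) -> dict:
    """Classify a domain seen in a link or a sender address.

    legitimate : exact match of a protected domain
    homograph  : differs from a protected domain only by diacritics / combining marks
    lookalike  : ASCII domain that merely embeds a brand label (security-woocommerce.com)
    unrelated  : none of the above
    """
    d = domain.strip().lower().rstrip(".")
    sk = skeleton(d)
    if d in PROTECTED_DOMAINS:
        verdict = "legitimate"
    elif sk in PROTECTED_DOMAINS:
        verdict = "homograph"
    elif any(label in sk for label in BRAND_LABELS):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"domain": d, "skeleton": sk, "punycode": to_punycode(d),
            "ascii": d.isascii(), "verdict": verdict}


if __name__ == "__main__":
    for name in ("woocommerce.com", "woocommėrce.com",
                 "security-woocommerce.com", "woocommerce-services.com"):
        r = check_domain(name)
        print(f"{r['domain']:28} {r['punycode']:32} {r['verdict']}")
```

The punycode column is the useful one for a mail gateway or a link-rewriting proxy: the spoofed name shows up as an `xn--` label even when the browser would have displayed it as Unicode. The NFD-based skeleton only catches diacritic substitutions; a production check should use a proper confusables table so that, for example, a Cyrillic "о" in place of a Latin "o" is caught as well.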
The user is prompted to download a ZIP file named authbypass-update-31297-id.zip, install it like a regular plugin, and activate it. What happens next is alarming:
- A cronjob is silently added to run every minute.
- A new administrator account is created with a random username and password.
- These credentials are exfiltrated via a GET request to woocommerce-services[.]com/wpapi.
- A second GET request fetches an obfuscated payload from attacker-controlled domains such as woocommerce-help[.]com.
- Multiple web shells — including variants like P.A.S.-Fork, p0wny, and WSO — are deployed to the victim site.
- The plugin hides itself and the rogue admin account from the WordPress dashboard.
The web shells installed by the malicious plugin grant attackers full control of the compromised server or web hosting account. This access can be exploited for various malicious purposes, including:
- Injecting advertisements
- Redirecting users to malicious sites
- Launching DDoS attacks
- Stealing billing information
- Blackmail or ransomware attacks
The Patchstack report provides indicators to help identify compromised sites:
- An administrator account with a seemingly random, 8-character username
- A WP-Cron job with an unusual name (e.g., “mergeCreator655”)
- A folder named “authbypass-update” in the wp-content/plugins/ folder
- A folder named “wp-cached-<8 character code>” in the wp-content/uploads folder
- Outgoing requests to specific domains (e.g., woocommerce-services[.]com)
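The indicators above translate directly into checks. The following Python is an added example for this article, not a Patchstack or WordPress tool. It looks for the two folder names under a site root, flags administrator logins that look like random 8-character strings, flags WP-Cron hooks that are absent from a baseline (with the every-minute interval called out above treated as high severity), and matches the IoC domains against egress log lines. The administrator list and cron events are passed in as plain Python data; in practice they would come from `wp user list --role=administrator --field=user_login` and `wp cron event list --format=json` (WP-CLI) or from the wp_users and wp_options tables. The baseline hook set, the sample site tree and the log lines are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Attacker infrastructure named in the Patchstack write-up.
IOC_DOMAINS = {"woocommerce-services.com", "woocommerce-help.com",
               "security-woocommerce.com"}

# WordPress core cron hooks used as a baseline. Constructed for the example;
# extend it with the hooks your own plugins legitimately register.
BASELINE_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_scheduled_auto_draft_delete", "wp_privacy_delete_old_export_files",
    "recovery_mode_clean_expired_keys", "wp_site_health_scheduled_check",
}

RANDOM_LOGIN_RE = re.compile(r"^[a-z0-9]{8}$")            # e.g. "q8z2k4m1"
CACHE_DIR_RE = re.compile(r"^wp-cached-[A-Za-z0-9]{8}$")  # wp-cached-<8 character code>


def scan_filesystem(wp_root: Path) -> list:
    """Look for the plugin folder and the web-shell drop folder."""
    findings = []
    plugin_dir = wp_root / "wp-content" / "plugins" / "authbypass-update"
    if plugin_dir.is_dir():
        findings.append(f"plugin folder present: {plugin_dir.relative_to(wp_root)}")
    uploads = wp_root / "wp-content" / "uploads"
    if uploads.is_dir():
        for entry in sorted(uploads.iterdir()):
            if entry.is_dir() and CACHE_DIR_RE.match(entry.name):
                findings.append(f"web shell folder: {entry.relative_to(wp_root)}")
    return findings


def scan_admins(admin_logins) -> list:
    """8-char lowercase alphanumeric logins are a lead, not proof: confirm by
    creation date and by whether anyone on the team recognises the account."""
    return [f"suspicious admin login: {u}" for u in admin_logins
            if RANDOM_LOGIN_RE.match(u)]


def scan_cron(events) -> list:
    """events: list of {'hook': str, 'interval': seconds or None}.
    Hooks outside the baseline are reported; an every-minute interval is the tell."""
    findings = []
    for ev in events:
        if ev["hook"] in BASELINE_HOOKS:
            continue
        interval = ev.get("interval")
        severity = "HIGH" if interval is not None and interval <= 60 else "review"
        findings.append(f"unknown cron hook ({severity}): {ev['hook']} every {interval}s")
    return findings


def scan_egress(log_lines) -> list:
    """Match IoC domains in outbound HTTP / egress log lines."""
    findings = []
    for line in log_lines:
        for host in sorted(IOC_DOMAINS):
            if host in line:
                findings.append(f"egress to {host}: {line.strip()}")
    return findings


# Constructed egress log lines (not real traffic): the credential exfil,
# the payload fetch, and one benign core update check.
SAMPLE_EGRESS = [
    "2025-01-01T10:15:01Z GET http://woocommerce-services.com/wpapi?u=q8z2k4m1&p=REDACTED",
    "2025-01-01T10:15:02Z GET http://woocommerce-help.com/update.txt",
    "2025-01-01T10:15:03Z GET https://api.wordpress.org/core/version-check/1.7/",
]


def demo() -> list:
    """Run every check against a constructed site tree and sample inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "plugins" / "authbypass-update").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "wp-cached-k3p9qwx2").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "2025").mkdir()   # ordinary upload folder
        findings = scan_filesystem(root)
    findings += scan_admins(["admin", "jane_doe", "q8z2k4m1"])
    findings += scan_cron([{"hook": "wp_version_check", "interval": 43200},
                           {"hook": "mergeCreator655", "interval": 60}])
    findings += scan_egress(SAMPLE_EGRESS)
    return findings


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because the plugin hides itself and the rogue account from the dashboard, run the filesystem and database checks from the shell or WP-CLI rather than trusting the admin UI. A hit on any indicator should be followed by a full review of wp-content for the web shells the report lists, since removing the plugin folder alone leaves them in place.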
Website owners must remain vigilant and avoid falling victim to these phishing scams. Always verify the legitimacy of security alerts, and never manually install a “patch” or plugin unless it was obtained directly from the official WordPress or WooCommerce repositories. Genuine WooCommerce fixes ship through the normal WordPress plugin updater, never as a ZIP file linked from an email.