
The attack leverages a multi-stage infection process, downloading obfuscated payloads from external domains and deploying known web shell tools like P.A.S.-Fork, WSO, and p0wny for persistent access.
A sophisticated phishing campaign is targeting WordPress websites running WooCommerce, deploying malware disguised as a critical security update, cybersecurity firm Patchstack has revealed. The attack uses fake email alerts and cleverly spoofed domains to trick users into installing a malicious plugin that gives hackers full access to the affected sites.
The phishing emails claim that the recipient's WooCommerce installation is vulnerable to a fabricated “Unauthenticated Administrative Access” flaw. Users are directed to download a patch from a website that closely resembles the official WooCommerce domain, but actually employs an IDN homograph — replacing the “e” in “woocommerce” with a special character to evade detection.
The downloaded file (authbypass-update-31297-id.
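The homograph trick described above is easy to check for on the receiving side. The following is an added example (not code from the article or from Patchstack): it takes a hostname as it appears in a link, decodes any punycode (`xn--`) labels back to Unicode, flags labels that mix scripts, and maps common look-alike letters onto their Latin base to see whether the result collides with a known legitimate domain. The confusables table and the sample spoof (a Cyrillic "е", U+0435, in place of the Latin "e") are constructed for illustration; the article does not say which character the real campaign used.

```python
import unicodedata

# Constructed, deliberately small table of common Latin look-alikes (illustrative, not exhaustive).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
    "\u0445": "x",  # Cyrillic ha
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic i
    "\u0458": "j",  # Cyrillic je
    "\u04bb": "h",  # Cyrillic shha
    "\u03b1": "a",  # Greek alpha
    "\u03bf": "o",  # Greek omicron
}

# Domains we expect updates to come from (assumption: extend with your own list).
LEGIT_DOMAINS = {"woocommerce.com", "wordpress.org"}


def to_unicode(hostname):
    """Decode xn-- (punycode) labels to Unicode; pass plain labels through.

    A label that claims to be punycode but does not decode is kept verbatim
    so that a malformed link still gets reported rather than raising."""
    labels = []
    for label in hostname.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def skeleton(text):
    """Reduce a name to its Latin 'skeleton': NFKD, drop combining marks, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def scripts_in(label):
    """Set of script names (LATIN, CYRILLIC, GREEK, ...) used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def assess(hostname, legit=LEGIT_DOMAINS):
    """Return findings for a hostname taken from a link or an e-mail."""
    uni = to_unicode(hostname)
    skel = skeleton(uni)
    return {
        "unicode_form": uni,
        "non_ascii": not uni.isascii(),
        "mixed_script_labels": [lbl for lbl in uni.split(".") if len(scripts_in(lbl)) > 1],
        # Looks like a legitimate domain once confusables are folded, but is not that domain.
        "impersonates": skel if skel in legit and uni != skel else None,
    }


# Constructed sample: Latin 'e' replaced by Cyrillic 'е' (U+0435); not the campaign's real domain.
SPOOFED = "woocomm\u0435rce.com"
# The same name as a browser or mail client would carry it on the wire.
PUNYCODE = SPOOFED.encode("idna").decode("ascii")

if __name__ == "__main__":
    for host in ("woocommerce.com", SPOOFED, PUNYCODE):
        print(host, "->", assess(host))
```

Run it on hostnames pulled from the links in an incoming "security update" mail; anything with `impersonates` set or a non-empty `mixed_script_labels` list deserves a closer look before the link is opened. A production check would use the full Unicode confusables data (for example the `confusable_homoglyphs` package) rather than the short table above.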
Attack mirrors 2023 campaign tactics
Security researcher Chazz Wolcott noted that the campaign closely mirrors a similar incident from December 2023, raising suspicions that the same threat actor may be behind both waves, or that a new group is copying the earlier tactics.
Once the malware is in place, attackers gain remote access to the site, enabling them to inject spam, display malicious ads, redirect visitors to fraudulent websites, or even lock down server resources for ransom. In more severe cases, compromised servers are added to botnets used for distributed denial-of-service (DDoS) attacks.
Admins urged to stay vigilant
Experts advise website administrators to remain cautious, avoid downloading patches from unfamiliar sources, and routinely scan their sites for unauthorized plugins and suspicious admin accounts. All WooCommerce and WordPress installations should be kept up to date, and multi-factor authentication (MFA) should be enabled wherever possible.
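One way to make "routinely scan for unauthorized plugins and suspicious admin accounts" concrete is to keep a baseline and diff against it. The following is an added example, not code from the article or from WordPress/WooCommerce: it reads JSON shaped like the output of WP-CLI's `wp plugin list --format=json` and `wp user list --role=administrator --format=json` (the field names used here are an assumption about that output), and reports plugins outside an approved set, plugins with a pending update, and administrator accounts that are either unknown or were registered after the baseline was taken. All sample data below is constructed.

```python
import json
from datetime import datetime

# Constructed sample, shaped like `wp plugin list --format=json` (assumed field names).
PLUGINS_JSON = """[
  {"name": "woocommerce",        "status": "active",   "update": "none",      "version": "9.0.0"},
  {"name": "akismet",            "status": "inactive", "update": "available", "version": "5.3"},
  {"name": "fake-security-patch","status": "active",   "update": "none",      "version": "1.0"}
]"""

# Constructed sample, shaped like
# `wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered`.
ADMINS_JSON = """[
  {"ID": "1",  "user_login": "owner",      "user_email": "owner@example.com",   "user_registered": "2022-03-01 10:00:00"},
  {"ID": "57", "user_login": "wp_support", "user_email": "support@example.net", "user_registered": "2025-04-22 03:14:09"}
]"""

# Baseline recorded when the site was last known-good (assumption: maintained by the admin).
APPROVED_PLUGINS = {"woocommerce", "akismet"}
KNOWN_ADMINS = {"owner"}
BASELINE_TAKEN = datetime(2025, 4, 1)
WP_DATE = "%Y-%m-%d %H:%M:%S"


def unexpected_plugins(plugins_json, approved=APPROVED_PLUGINS):
    """Plugins installed (active or not) that are not in the approved baseline."""
    return sorted(p["name"] for p in json.loads(plugins_json) if p["name"] not in approved)


def outdated_plugins(plugins_json):
    """Plugins WP-CLI reports an available update for."""
    return sorted(p["name"] for p in json.loads(plugins_json) if p.get("update") == "available")


def suspicious_admins(admins_json, known=KNOWN_ADMINS, baseline=BASELINE_TAKEN):
    """Administrator logins that are unknown, or were registered after the baseline date."""
    flagged = []
    for user in json.loads(admins_json):
        registered = datetime.strptime(user["user_registered"], WP_DATE)
        if user["user_login"] not in known or registered > baseline:
            flagged.append(user["user_login"])
    return sorted(flagged)


def drift_report(plugins_json, admins_json):
    """Combine the three checks into one report; empty lists mean no drift from baseline."""
    return {
        "unexpected_plugins": unexpected_plugins(plugins_json),
        "outdated_plugins": outdated_plugins(plugins_json),
        "suspicious_admins": suspicious_admins(admins_json),
    }


if __name__ == "__main__":
    # In practice, feed in the real WP-CLI output:
    #   wp plugin list --format=json > plugins.json
    #   wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered > admins.json
    print(json.dumps(drift_report(PLUGINS_JSON, ADMINS_JSON), indent=2))
```

The point of the baseline is that a phishing-delivered "patch" has to show up somewhere: as a plugin slug you never approved, or as an administrator you never created. Re-running the report on a schedule and alerting on any non-empty list turns the advice in the paragraph above into a check that fires on its own.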
As phishing threats evolve, the latest campaign is a stark reminder of the importance of verifying sources before applying updates, even those disguised as urgent security fixes.