Hackers Exploit Outdated WordPress and Plugins to Steal Personal Information
Hackers are taking advantage of outdated versions of WordPress and plugins to compromise thousands of websites, with the goal of tricking visitors into downloading and installing malware that can steal passwords and other personal information from both Windows and Mac users.
The hacking campaign is still active, according to Simon Wijckmans, the founder and CEO of web security company c/side, which discovered the attacks. Wijckmans told TechCrunch on Tuesday that the hackers’ goal is to spread malware capable of stealing sensitive data from both Windows and Mac users.
The hackers’ strategy is a “spray and pray” attack: rather than targeting a specific person or group, it aims to infect anyone who visits a compromised website. When a user visits a hacked WordPress site, the page content quickly changes to display a fake Chrome browser update prompt, asking the user to download and install an update before they can view the website.
If the user accepts, the hacked website serves a malicious file masquerading as the update, choosing a Windows or Mac version depending on the visitor’s operating system. The file is designed to steal sensitive data, including usernames, passwords, session cookies, and crypto wallets.
C/side identified over 10,000 websites that appear to have been compromised as part of this hacking campaign. The company detected malicious scripts on several domains by crawling the internet and performing a reverse DNS lookup, a technique to find domains and websites associated with a certain IP address.
TechCrunch was unable to confirm the accuracy of c/side’s figures, but one hacked WordPress website was still displaying the malicious content on Tuesday. The two types of malware being pushed through the compromised websites are Amos (also known as Amos Atomic Stealer), which targets macOS users, and SocGholish, which targets Windows users.
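The lure described above (injected content that pushes a fake Chrome update and an off-site Windows or Mac binary) can be flagged with a simple page-content check. The following is an added illustration, not c/side’s tooling or any code from the campaign; the hostnames and the two HTML samples are constructed for the example and are not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples of what a visitor might receive from a WordPress site
# (hypothetical domains, not indicators from the campaign described above).
CLEAN_PAGE = """<html><head><title>Bakery Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script></head>
<body><h1>Welcome</h1><a href="/about">About us</a></body></html>"""

INJECTED_PAGE = """<html><head><title>Bakery Blog</title>
<script src="https://cdn.example-bad.invalid/loader.js"></script></head>
<body><div id="overlay">Your Chrome browser is out of date.
Please update to view this website.
<a href="https://dl.example-bad.invalid/ChromeUpdate.exe">Update now</a></div>
<h1>Welcome</h1></body></html>"""

# Wording typical of fake browser-update overlays, and file types a
# legitimate site has no reason to push at visitors from a third-party host.
LURE_TEXT = re.compile(r"\b(chrome|browser)\b.*\b(update|out of date)\b", re.I | re.S)
PAYLOAD_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip")

class _Collector(HTMLParser):
    """Collect script sources, link targets and visible text from a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.links, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
    def handle_data(self, data):
        self.text.append(data)

def scan_page(html, site_host):
    """Return findings suggesting a fake-browser-update lure was injected."""
    p = _Collector()
    p.feed(html)
    findings = []
    for src in p.scripts:  # scripts loaded from a host other than the site itself
        host = urlparse(src).netloc
        if host and host != site_host:
            findings.append(f"third-party script: {src}")
    for href in p.links:  # download links for binaries hosted off-site
        u = urlparse(href)
        if u.netloc and u.netloc != site_host and u.path.lower().endswith(PAYLOAD_EXT):
            findings.append(f"off-site binary download: {href}")
    if LURE_TEXT.search(" ".join(p.text)):
        findings.append("fake browser-update wording")
    return findings
```

Site owners can run this over their own rendered pages as a quick sanity check; an empty result is not proof of a clean site, since injected scripts often only alter the page after the browser executes them.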
The Malware Behind the Attack
Amos, also known as Amos Atomic Stealer, is malware designed to infect computers and steal sensitive data, including usernames, passwords, session cookies, crypto wallets, and other digital currency holdings. It was first discovered in May 2023 by cybersecurity firm SentinelOne, which classified it as an infostealer.
Cybersecurity firm Cyble reported that hackers were selling access to the Amos malware on Telegram. Patrick Wardle, a macOS security expert and co-founder of Apple-focused cybersecurity startup DoubleYou, told TechCrunch that Amos is “definitively the most prolific stealer on macOS” and was created with the malware-as-a-service business model.
Wardle noted that for the malicious file to be installed on macOS, the user still has to run it manually and bypass Apple’s built-in protections. This highlights the importance of keeping software up to date and installing only trusted apps on personal devices.
Password-stealing malware and the theft of credentials have been blamed for some of the biggest hacks and data breaches in history. In 2024, hackers mass-raided the accounts of corporate giants who hosted their sensitive data with cloud computing giant Snowflake by using passwords stolen from the computers of employees of Snowflake’s customers.
The attack serves as a reminder to update software and apps regularly and to be cautious when downloading and installing new content. By taking these precautions, individuals can reduce their risk of falling victim to this type of hacking campaign.