Summary: A phishing campaign targeting WooCommerce users has emerged, in which fraudulent emails prompt recipients to download a malicious “security patch” that installs a backdoor on their WordPress site. Users who install it inadvertently create hidden admin accounts and give the attackers persistent access to their websites. This operation is a continuation of previous similar attacks and employs advanced deception techniques to lure users into compromising their security.
Affected: WooCommerce users and WordPress websites
Key points:
- Phishing emails impersonate WooCommerce, requesting users to download a fake security patch.
- The malicious payload creates hidden admin accounts and installs PHP-based web shells to control compromised sites.
- Indicators of compromise include unusual cron jobs and random admin account names; users are advised to take precautionary measures.
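
One way to check a site for the two indicators named above, as an added example that is not part of the original report: compare the administrator accounts and scheduled cron hooks against a known-good baseline. The JSON shapes follow WP-CLI's `wp user list` and `wp cron event list` output; the sample data, the baseline sets and the `looks_random` heuristic are assumptions made up for illustration, not indicators from this campaign.

```python
import json

# Constructed sample data, shaped like the JSON produced by:
#   wp user list --role=administrator --fields=user_login,user_registered --format=json
#   wp cron event list --fields=hook,recurrence --format=json
ADMINS_JSON = """[
  {"user_login": "shopowner", "user_registered": "2021-03-02 10:15:00"},
  {"user_login": "q7xk2mzp", "user_registered": "2025-04-20 02:11:43"}
]"""
CRON_JSON = """[
  {"hook": "wp_version_check", "recurrence": "12 hours"},
  {"hook": "woocommerce_cleanup_sessions", "recurrence": "12 hours"},
  {"hook": "xkq_sync_task", "recurrence": "1 minute"}
]"""

# Assumed baseline: accounts and hooks the site owner knows to be legitimate.
KNOWN_ADMINS = {"shopowner"}
KNOWN_HOOKS = {"wp_version_check", "woocommerce_cleanup_sessions"}


def looks_random(login):
    """Rough hint only (an assumption): 8+ characters with almost no vowels."""
    letters = [c for c in login.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return len(login) >= 8 and vowels < 0.2 * max(len(letters), 1)


def audit(admins_json, cron_json, known_admins, known_hooks):
    """Return (kind, name, note) for every admin or cron hook not in the baseline."""
    findings = []
    for user in json.loads(admins_json):
        login = user["user_login"]
        if login not in known_admins:
            note = "random-looking name" if looks_random(login) else "not in baseline"
            findings.append(("admin", login, note))
    for event in json.loads(cron_json):
        if event["hook"] not in known_hooks:
            findings.append(("cron", event["hook"], "recurrence: " + event["recurrence"]))
    return findings


if __name__ == "__main__":
    for kind, name, note in audit(ADMINS_JSON, CRON_JSON, KNOWN_ADMINS, KNOWN_HOOKS):
        print(f"[{kind}] {name}: {note}")
```

The baseline comparison is what produces a finding; the name heuristic only annotates it, so an unexpected admin with an ordinary-looking name is still reported.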