Hackers Are Using a Fake WooCommerce Patch to Break Into Websites

A new phishing campaign is targeting WooCommerce users, tricking them into installing a fake security patch that plants backdoors on their websites. According to a recent report by Patchstack, owners of several WooCommerce sites have received this fake security patch via email. Here is a closer look at how the scam works:

The attack begins with an email warning the recipient about a fake vulnerability called “Unauthenticated Administrative Access” that supposedly affects their WooCommerce installation. The email, sent from help@security-woocommerce[.]com, urges users to download a patch from a phishing site designed to look like the official WooCommerce Marketplace. The attackers use a homograph attack here, swapping a regular letter in the domain name for a lookalike special character (woocommėrce[.]com) to fool victims.
Unfortunately, if a user falls for this trick and installs the offered zip file (authbypass-update-31297-id.zip), their website is quietly infected. Once activated, the malicious plugin creates a secret administrator account, sends the site’s details to an attacker-controlled server, and downloads additional hidden web shells. Together, these give the attackers full control of the infected website.
Patchstack’s analysis shows that after infection, attackers can inject ads, redirect visitors, steal billing information, or even launch ransomware attacks by taking control of the website’s database. The attackers also hide their tracks by masking the malicious plugin and the new admin account from the site’s dashboard.
The warning signs of an infected website include:
- A new admin user with a random 8-character name
- Strange cronjobs created in the site’s WP Cron
- A suspicious folder named authbypass-update in the plugins directory
- Outgoing traffic to suspicious domains like woocommerce-services[.]com or woocommerce-api[.]com
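The warning signs above can be turned into a quick triage check. The following Python script is an added example, not code from Patchstack or from this article; it assumes the rogue admin's random 8-character login is lowercase alphanumeric and that woocommerce.com is the only genuine domain, and it takes admin logins, plugin directory names and outbound hostnames (as you might pull from `wp user list`, the plugins folder and firewall logs) as constructed sample input.

```python
import re
import unicodedata

# Indicators named in the Patchstack report summarised above.
MALICIOUS_PLUGIN_DIR = "authbypass-update"
MALICIOUS_DOMAINS = {"woocommerce-services.com", "woocommerce-api.com",
                     "security-woocommerce.com"}
# Assumption: the only genuine update source is the real WooCommerce domain.
LEGIT_DOMAINS = {"woocommerce.com"}
# Assumption: the rogue admin's random 8-character login is lowercase alphanumeric.
RANDOM_LOGIN = re.compile(r"^[a-z0-9]{8}$")


def fold(host: str) -> str:
    """Strip diacritics so a lookalike such as 'woocommėrce' folds to 'woocommerce'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def classify_domain(host: str) -> str:
    host = host.rstrip(".").lower()
    shown = host
    if "xn--" in host:  # logs record punycode; decode it to what the victim saw
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if host in MALICIOUS_DOMAINS:
        return "known-malicious"
    if shown in LEGIT_DOMAINS:
        return "legitimate"
    if fold(shown) in LEGIT_DOMAINS:
        return "homograph"          # visually identical to the real brand domain
    if "woocommerce" in fold(shown):
        return "brand-lookalike"    # another woocommerce-*.com the report did not list
    return "unknown"


def triage(admin_logins, plugin_dirs, outbound_hosts):
    """Return (indicator, value, verdict) tuples for every warning sign found."""
    findings = [("admin", u, "random-8-char") for u in admin_logins if RANDOM_LOGIN.match(u)]
    findings += [("plugin", d, "backdoor-dir") for d in plugin_dirs if d == MALICIOUS_PLUGIN_DIR]
    for h in outbound_hosts:
        verdict = classify_domain(h)
        if verdict not in ("legitimate", "unknown"):
            findings.append(("egress", h, verdict))
    return findings


if __name__ == "__main__":  # constructed sample data, not taken from a real site
    print(triage(["shopowner", "k3x9q2mz"], ["woocommerce", "authbypass-update"],
                 ["woocommerce.com", "woocommerce-api.com", "woocommėrce.com"]))
```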
The good news is that this scam cannot harm a site unless its owner manually downloads and installs the malicious plugin. Keep in mind that platforms like WordPress and WooCommerce never ask users to apply patches manually via email. Usually, all updates are delivered through the official update channels in the platform’s dashboard.
Impersonation is not a new trick; attackers have relied on it for a long time. That is why you should always be careful when clicking links: check the domain name, font, theme, and other small details closely. Attackers often miss little things that real companies get right. For example, a recent piece of malware posed as a file converter but actually tricked users into installing a dangerous information-stealing tool called ArechClient2.