More than 6,000 WordPress websites have been hacked to install malicious plugins that push information-stealing malware, according to a new report by GoDaddy and security researcher Denis Sinegubko. The campaign, known as ClearFake and ClickFix, displays fake software updates and error messages to trick users into installing malware.
ClearFake, active since 2023, initially used fake browser update banners to distribute infostealers. In 2024, a new variant called ClickFix emerged, masquerading as software error messages. These messages claim to offer fixes, which are actually PowerShell scripts that download malware onto victims’ devices. The campaign has become more common this year, with threat actors targeting Google Chrome, Facebook, Google Meet, and even captcha pages.
The threat actors behind ClickFix have breached WordPress sites by installing seemingly legitimate plugins with names resembling popular plugins, such as Wordfence Security Classic and LiteSpeed Cache. Once installed, these malicious plugins inject JavaScript into the websites. The compromised pages then load further malicious scripts from Binance Smart Chain (BSC) smart contracts, and those scripts display the fake alerts.
The GoDaddy Security team notes that attackers likely gained access using stolen WordPress admin credentials obtained via brute-force attacks, phishing, or previous malware. Once inside, the attackers uploaded and installed the malicious plugins in an automated manner. The malware campaign remains ongoing, with WordPress administrators urged to check installed plugins and change passwords immediately if unknown plugins are found.
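One way to run the plugin check urged above, as an added example that is not part of the GoDaddy report: it reads the JSON that `wp plugin list --format=json --fields=name,title,status` produces and flags any plugin whose display title matches or closely resembles a known plugin while its slug is not the official one. The sample input, its two non-official slugs, and the 0.8 similarity threshold are constructed assumptions.

```python
import json
from difflib import SequenceMatcher

# Official WordPress.org slug -> display title for the two plugins the article
# names as being imitated. Extend with the plugins you actually run.
KNOWN_PLUGINS = {
    "wordfence": "Wordfence Security",
    "litespeed-cache": "LiteSpeed Cache",
}

# Constructed sample of `wp plugin list --format=json` output. The two
# non-official slugs are made-up placeholders, not indicators from the report.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "wordfence", "title": "Wordfence Security", "status": "active"},
    {"name": "example-wf-classic", "title": "Wordfence Security Classic", "status": "active"},
    {"name": "litespeed-cache", "title": "LiteSpeed Cache", "status": "active"},
    {"name": "example-ls-cache", "title": "LiteSpeed  Cache", "status": "active"},
    {"name": "akismet", "title": "Akismet Anti-spam: Spam Protection", "status": "inactive"},
])


def _norm(text):
    """Lower-case and collapse whitespace so cosmetic differences do not hide a match."""
    return " ".join(text.lower().split())


def find_lookalike_plugins(wp_cli_json, known=KNOWN_PLUGINS, threshold=0.8):
    """Return (slug, title, imitated_slug) for plugins that borrow a known name."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        slug, title = plugin["name"], plugin.get("title", "")
        if slug in known:
            continue  # official slug; its files need a separate integrity check
        for real_slug, real_title in known.items():
            wanted, seen = _norm(real_title), _norm(title)
            similar = SequenceMatcher(None, seen, wanted).ratio() >= threshold
            if wanted in seen or similar:
                findings.append((slug, title, real_slug))
                break
    return findings


if __name__ == "__main__":
    for slug, title, real_slug in find_lookalike_plugins(SAMPLE_WP_CLI_JSON):
        print(f"REVIEW {slug!r}: title {title!r} resembles {real_slug!r}")
```

A plugin that reuses the official slug passes this name check, so pair it with `wp plugin verify-checksums --all` to compare installed files against WordPress.org.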