Skip to main content

Hackers Hit WooCommerce Users with Fake Security Updates

A widespread phishing campaign has been targeting WooCommerce administrators globally since April 2025. The operation deceives site owners into installing fraudulent security patches that give attackers full control over their WordPress sites.

Researchers at Patchstack uncovered this operation, which mimics the widely used WooCommerce plugin through emails sent from help@security-woocommerce[.]com. The phishing emails alert recipients to a fictitious vulnerability related to unauthenticated administrative access and pressure them to install a "critical patch" by clicking an embedded button. Victims are then redirected to a counterfeit domain, woocommėrce[.]com, which uses a subtle character swap to appear authentic.

Once the user downloads the file — authbypass-update-31297-id.zip — it installs a malicious plugin that creates a hidden administrator account and connects the compromised site to a remote command server. A cronjob runs every minute to maintain access and download additional payloads, including popular PHP-based web shells like P.A.S.-Form, p0wny, and WSO. These tools enable attackers to inject ads, steal payment data, redirect visitors, launch DDoS attacks, or even deploy ransomware.

To avoid detection, the plugin removes itself from the visible plugin list and conceals the unauthorized admin account it created. It also installs backdoors in the wp-content/uploads/ directory of the infected site, providing attackers with ongoing access even after attempts to clean or restore the system.

According to Patchstack, this campaign bears striking similarities to an earlier operation from late 2023 that also used fake security notifications to compromise WordPress sites. Both campaigns relied on identical types of web shells, techniques for hiding malicious code, and nearly indistinguishable phishing language — suggesting the involvement of either the same threat actor or closely affiliated groups.

The report also urges WooCommerce site owners to examine all administrator accounts for unusual 8-character names, audit scheduled tasks like cronjobs for unfamiliar entries, and monitor outgoing traffic to suspicious domains, including woocommerce-services[.]com and woocommerce-help[.]com. Infected systems may also contain folders named authbypass-update, which should be thoroughly investigated and removed.

Another similar attack occurred just a few months earlier, in July 2023, when WordPress sites — particularly those using WooCommerce — were targeted through a critical vulnerability in the WooCommerce Payments plugin. That campaign also relied on phishing tactics to compromise administrative access, reinforcing the pattern of attackers refining and reusing successful social engineering strategies over time.

Researchers warn that once threat actors are exposed, they tend to adjust their methods to avoid detection. As a result, relying solely on previously known indicators may no longer be sufficient. A comprehensive manual audit of WordPress installations, combined with timely patching using verified updates from official sources, remains essential to securing vulnerable sites.



See TessMore Internet Business Must-Reads
Labels:

Comments

Post a Comment

Popular posts from this blog

Only 1 in 10 NFT Owners Have Never Experienced a Scam

A new survey from PrivacyHQ reveals 90% or nine out of 10 respondents experienced an NFT scam. This level of uncertainty is cause for concern for a relatively new marketplace that is generating billions of dollars. Only 1 in 10 NFT Owners Have Never Experienced a Scam The PrivacyHQ survey spoke to 1,008 people in the U.S. who are actively investing in and own NFTs. And according to the report, there are some horror stories and great lessons to be learned. The key takeaways from the survey are: Less than half of NFT owners feel their NFTs are secure Two out of 3 respondents said they had panic-sold NFTs in the past Nine out of 10 respondents had experienced an NFT scam Half of the respondents had lost access to their NFTs at some point When it comes to NFT scams there were multiple ways in which buyers were scammed. Topping the list of the most common scams experienced by these respondents starts out with the NFT provider shutting down or changing their URL at 44.8%. Next is...
Post a Comment
Read more

8 Business Credit Cards Without Personal Guarantee Required

You can get a credit card for your business that doesn’t require a personal guarantee. You’ll need to provide your personal credit score as part of the business credit card application. Credit card issuers for the no personal guarantee requirement type of card can only go after your business if you default. As a small business owner, you won’t be on the hook to pay your business debt with your personal assets. What are business credit cards , and who needs these cards? you might also be asking yourself why should I get a business credit card . If your business has an owner or partner who needs to minimize personal liability, these cards afford financial protection. What are Business Credit Cards With No Personal Guarantees? These types of cards are often called a Corporate Credit Card. That’s because the card is used to pay for expenses of the business, and the business assets (revenue, assets) pay for the credit card debt. A corporate card will have no annual fee. It’s not easy ...
Post a Comment
Read more

openSNP Shutters Over Privacy and Authoritarianism Concerns

OpenSNP, a long-running open-source genetic data platform, is shutting down after citing growing concerns over data privacy, the misuse of genetic information by law enforcement, and the rise of authoritarian governments. The decision comes as 23andMe, a major source of user-submitted genetic data for openSNP, faces bankruptcy and a potential selloff of user data . Founded in 2011, openSNP allowed users to upload genetic data from services like 23andMe to make it freely available for scientific research. Co-founder Bastian Greshake Tzovaras said the closure was triggered in part by the collapse of 23andMe and the broader political climate. Speaking to TechCrunch, he stated : “The risk/benefit calculus of providing free and open access to individual genetic data in 2025 is very different compared to 14 years ago.” The database has collected roughly 7,500 genomes and supported academic work across biomedical research, information security, and more. But its founder now questions the ...
Post a Comment
Read more