ClickFix fake browser updates are being distributed by bogus WordPress plugins. Learn about the common indicators of compromise.

GoDaddy's resource offers insights, tutorials, and resources for website owners, entrepreneurs, and small businesses. Readers can learn about website building, online marketing, and e-commerce strategies. With articles, guides, and business tools, GoDaddy helps individuals and businesses establish and grow their online presence.

GoDaddy Engineering

GoDaddy Security Researchers have identified a surge in malware distribution through fake WordPress plugins. These plugins appear legitimate but inject JavaScript for fake browser update prompts, leveraging social engineering to compromise users. Threat actors use stolen admin credentials to install these plugins on websites, rather than exploiting WordPress vulnerabilities. The malware employs blockchain technology and smart contracts to deliver payloads. Over 25,000 sites have been detected with this variant since August 2023, with over 6,000 affected since June 2024. The threat continues to evolve, using multiple vectors and automated processes to evade detection.

Threat Actors Push ClickFix Fake Browser Updates Using Stolen Credentials

Previous iteration of fake ClickFix plugins - June 2024

Stolen credentials distribute fake browser updates