Beware WooCommerce Users: Sophisticated Fake Patch Phishing Campaign Spreads Site Backdoors

WooCommerce, the widely-used ecommerce plugin for WordPress, is again at the center of a sophisticated phishing campaign targeting its users. Cybersecurity researchers recently uncovered a large-scale attack where fraudulent “critical patch” notifications lure site owners into downloading malicious updates that secretly deploy backdoors on their websites.

Phishing Campaign Overview

Security firm Patchstack identified this campaign as a variant of a similar phishing attack observed last December 2023. The attackers have refined their social engineering tactics, enticing WooCommerce users by falsely claiming their sites suffer from a high-severity vulnerability dubbed “Unauthenticated Administrative Access”—a flaw that does not actually exist.

These deceptive emails urge recipients to visit a phishing website mimicking the official WooCommerce site. The site employs an IDN homograph attack, substituting characters like “e” with “ė” in the domain name (e.g., woocommėrce[.]com), to spoof legitimacy and trick users into downloading fake patches.

How the Attack Works

Victims clicking the “Download Patch” link are redirected to the fake WooCommerce Marketplace page hosting a ZIP archive named authbypass-update-31297-id.zip. When installed like a regular WordPress plugin, this fake patch executes a series of malicious activities:

Creates a new administrator user with an obfuscated name and a randomized password, and schedules a hidden cron job to run every minute.
Sends an HTTP GET request to an external command-and-control server (woocommerce-services[.]com/wpapi), leaking the new admin’s credentials and the site URL.
Retrieves a secondary obfuscated payload from servers such as woocommerce-help[.]com/activate or woocommerce-api[.]com/activate.
Decodes the payload to install multiple web shells including P.A.S.-Fork, p0wny, and WSO, granting attackers persistent remote access.
Conceals itself by hiding the malicious plugin and the unauthorized admin account from the site’s management interfaces.

Potential Consequences of Infection

Once compromised, attackers gain full administrative control over the affected WooCommerce websites. They can leverage this access to:

Inject spam and suspicious advertisements.
Redirect visitors to fraudulent or malicious sites.
Enlist the compromised servers into botnets for launching Distributed Denial of Service (DDoS) attacks.
Encrypt server data to execute ransomware-style extortion.

Protecting Your WooCommerce Site

Small business owners and bloggers, who rely heavily on their WooCommerce-powered sites, should take proactive steps to defend against this threat and other evolving attacks:

Ignore unsolicited patch alerts: Never download or install patches from unexpected emails. Always verify patches via official WooCommerce or WordPress sources.
Check domain authenticity: Be cautious of subtle domain spelling tricks used in phishing.
Scan for malicious plugins and users: Regularly audit plugin directories, especially mu-plugins, and WordPress admin user lists for unfamiliar entries.
Keep your software updated: Regularly update WooCommerce, WordPress core, plugins, and themes to benefit from security patches.
Use security tools: Deploy reputable website security solutions that monitor for malware, unauthorized changes, and suspicious outbound connections.
Enforce strong access controls: Implement strong passwords and multi-factor authentication (MFA) for administrative accounts.
Backup often: Maintain frequent backups and have a clear recovery plan in case of compromise.

To ensure your WooCommerce store remains free of hidden threats, consider engaging with professional cybersecurity services that specialize in WordPress and ecommerce security. Our comprehensive solutions help safeguard your business against phishing, malware, and other cyberattacks. Learn more about our security services here.

Conclusion

This fake patch phishing campaign targeting WooCommerce users underscores the ingenious methods cybercriminals use to compromise websites. Staying vigilant against social engineering and maintaining rigorous security hygiene are crucial for protecting your business online.

Stay informed, protect your WooCommerce site, and don’t fall victim to deceptive fake patches.