Fake CVE Phishing Scam Tricks: A New Threat to WordPress Websites

Reliqus Marketing

09 January 2024

Wordpress Websites
By Ankit Bhatia
Founder & CEO

It’s an unsettling scenario for WordPress administrators. A new phishing campaign has been discovered that specifically targets WordPress websites. The phishing email is craftily designed to appear as if it’s from the WordPress team, warning users of a “Remote Code Execution [RCE]” vulnerability identified as CVE-2024-46188 or CVE-2023-45124

The aim? To trick users into infecting their sites with a malicious plugin. This deceptive strategy was uncovered and reported by security experts at Reliqus Consulting.

If you have also received such an email and think your website has been compromised, contact us now for a complete security audit and malware removal.

REQUEST WORDPRESS WEBSITE MALWARE REMOVAL NOW

CVE-2024-46188 phising wordpress scam

CVE-2023-45124 phising wordpress scam

The email urges users to download a supposedly official plugin to fix the CVE vulnerability. However, do not download or install this plugin! 

This plugin is infected with malware, and if installed, will infect your website with a backdoor and create a malicious administrator account. 

As long as you do not download and install the malicious plugin, this campaign won’t affect your site. Remember, WordPress never asks you to install a patch to address a vulnerability. Instead, they would release a new version of WordPress core as a security update.

WordPress also advises:

Alert-WordPress-Security-Team-Impersonation-Scams

Overview of the Phishing Page

Once the victims clicks the “download plugin” button from the phishing email, they are led to a site that is a near-perfect clone of the authentic WordPress.org site. These fraudulent sites, masked under domain names like wordpress[.]secureplatform[.]org and en-gb-wordpress[.]org, are alarmingly realistic. 

Overview of the WordPress Phishing Page

The scammers have gone to great lengths to make the phishing page appear legitimate. They have posted fake reviews on the page, singing praises of the fraudulent plugin. 

 

fake reviews on phising page

But, the deceit doesn’t end there. The fraudsters have targeted prominent figures from the WordPress ecosystem, listing them as authors of the malicious plugin.

This list includes well-known core contributors, Automattic employees, and individuals from leading WordPress agencies like 10up and MindSize. The attackers’ intent is clear: to give their scam an air of legitimacy and trick unsuspecting WordPress administrators. 

fake phising page scam

Technical Breakdown of the CVE Phishing Campaign Malware

Upon receiving the phishing email, users are prompted to download a plugin with a filename such as CVE-2024-46188.zip or CVE-2023-45124.zip. This filename varies based on the domain used for the fake CVE phishing campaign, and multiple file names may exist. 

Once the plugin is installed and activated, a message displays stating, “CVE-2023-45124 has been patched successfully”. The hackers encourage sharing the fraudulent patch, aiming to infect as many WordPress websites as possible. 

CVE phishing campaign malware

What actually happens is the following:

  1. Upon installing the fraudulent plugin, the phishing campaign malware initiates its attack by generating a random password for a new username, ‘wpsecuritypatch’, with administrator privileges.
  2. A HTTP GET request is sent to their server, specifically targeting wpgate[.]zip/wpapi. This request includes a ‘siteurl’ query parameter loaded with base64 encoded data, representing the URL of the victimized WordPress site and the new administrator account’s password.
  3. Next, a HTTP GET request is sent to wpgate[.]zip/runscan. This returns additional base64 encoded data, which is then decoded and stored in a wp-autoload.php file in the WordPress site’s root folder. 
  4. Astoundingly, the malicious plugin cleverly hides itself from the plugin list, along with the rogue admin account. 

Take a peek at the screenshot below to see a fragment of the malicious plugin’s code. “Ironically, the comments written by the malicious user directly tell you what the malicious code under it is doing” – source unknown. This is just a glimpse of the intricacy of the WordPress phishing scam operation.

screenshot code of this malicious plugin

The presence of the wp-autoload.php is a potent backdoor, capable of injecting advertisements, redirecting users, launching DDoS attacks, swiping billing information, and even blackmail. 

User Experiences and Threat Messages

In our investigation, we came across several instances where WordPress users received threatening messages attempting to lure them into the phishing scam. 

Below are some screenshots and excerpts:

User Experiences and Threat Messages 1User Experiences and Threat Messages 2User Experiences and Threat Messages 3

Notably, these phishing emails weren’t limited to a handful of users. Quite alarmingly, a large number of WordPress users reported receiving such emails.

Indicators of Compromise [IOCs]:

If your WordPress site has fallen prey to this CVE phishing scam, there are a few clear signs to look out for. 

  • A hidden user with the username wpsecuritypatch may have been created. 
  • You might find a suspicious file called wp-autoload.php in your WordPress root folder with a SHA-256 hash of ffd5b0344123a984d27c4aa624215fa6452c3849522803b2bc3a6ee0bcb23809.
  • A new folder, either named wpress-security-wordpress, CVE-2024-46188 or cve-2023-45124 exists in your /wp-content/plugins/ folder. 
  • Additionally, check for outgoing requests to wpgate[.]zip
  • Watch out for malicious domains like en-gb-wordpress[.]org or -defcve[.]com, or emails from no-reply[@]mailing-wordpress.com
  • Be cautious of URLs like: 

– https: //us.en-wordpress[.]org/plugins/cve-2024-46188/

– https: //defcve[.]com/runsccan

– https: //defcve[.]com/wpapi?siteurl=

Please note that these variables might change in the future as attackers adapt their tactics.

Protecting Yourself and Your WordPress Site from the Scam

Safeguarding your WordPress site from this scam involves vigilance and proactive measures.

  • Always verify the authenticity of such emails; remember that WordPress usually communicates through your site’s dashboard, not via email.  

If you ever encounter suspicious activity, knowing how to handle it is essential. Check out our guide on How To Remove Malware From Your WordPress Site? for step-by-step instructions on dealing with potential security threats.

  • Avoid clicking on unknown links or installing unexpected software. Remember, haste makes waste. A cybersecurity threat may prompt you to act quickly, but it’s more important to act wisely. 
  • Moreover, regular updates to your WordPress site and plugins are crucial. Always ensure you’re downloading updates from official sources. Consider using security plugins for an added layer of protection. 

Adopting these measures will protect your site against the fake CVE phishing scam and a whole host of threats targeting WordPress websites. 

What to do if your WordPress Website has been Infected with Malware?

If you fear your WordPress site has fallen victim to the CVE phishing scam, act swiftly! Start by changing all passwords and reviewing user roles, specifically any suspicious ones like wpsecuritypatch

Next, conduct a thorough scan for unauthorized plugins or users. Your site’s safety is paramount, so don’t hesitate to reach out to the expert WordPress security team at Reliqus Consulting for help. We specialize in WordPress malware removal services and can swiftly address your website’s security concerns.

Whether you’re dealing with the aftermath of this scam or have general security concerns, our team is equipped to handle it all. With our extensive experience in addressing complex cybersecurity challenges, you’re in safe hands.

Remember, it’s crucial to remain vigilant. We’re just a call away if you have questions or need assistance battling the CVE phishing campaign. For those who have already fallen for the scam, don’t despair. We’re here to help you navigate this issue and restore your website’s security. 

Let’s tackle these cybersecurity challenges together and continue making the web safer.

REQUEST WORDPRESS WEBSITE MALWARE REMOVAL NOW

Ankit Bhatia

Founder & CEO at Reliqus

With 12+ years of experience building a web presence for 300+ businesses, Ankit understands how businesses can use technology to increase revenue.

Latest from the blog

What is HTTP 428 Status Code (Precondition Required)?

For many website owners and developers, the HTTP 428 Status Code can be a source of frustration. Its implications are often misunderstood, leadin...

What is HTTP 426 Status Code (Upgrade Required)?

Have you ever encountered an HTTP 426 Status Code while browsing the web and wondered what it means? Don’t worry, you’re not alone. T...

What is HTTP 425 Status Code (Too Early)?

Are you familiar with the various HTTP status codes that pop up on your screen while browsing the web? You’ve likely encountered common one...

What is HTTP 424 Status Code (Failed Dependency)?

If you have ever encountered an HTTP 424 Status Code Error while browsing the web, you may have been left scratching your head and wondering what...