WooCommerce users are under attack from a new phishing campaign that tricks them into downloading a fake “critical patch,” only to secretly install a dangerous backdoor on their websites.
Cybersecurity experts at Patchstack recently raised the alarm about this sophisticated scheme, which closely mirrors a similar phishing operation spotted in December 2023. Both attacks use identical tactics—from phishing emails to spoofed websites—to lure victims, suggesting the same hackers are behind both, or at least someone copying their playbook.
The scam starts with an alarming email. It warns users about a fake “Unauthenticated Administrative Access” vulnerability in WooCommerce, urging them to visit what looks like an official WooCommerce page. But the trick lies in the tiny details: the phishing site uses an IDN homograph attack, replacing a regular “e” in “woocommerce” with a special character “ė” to fool even careful readers.
Once users click the “Download Patch” button, they’re sent to the fake domain “woocommėrce[.]com,” where a ZIP file named “authbypass-update-31297-id.zip” awaits. Thinking they’re protecting their site, victims install it just like a normal WordPress plugin—unknowingly setting off a chain of serious security breaches.
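The homograph trick above is easy to miss by eye but easy to check mechanically. The following Python script is an added example (not code from the article or from Patchstack): it takes a defanged or live hostname, shows its punycode form as a browser or resolver would see it, lists any non-ASCII characters with their code points, and compares a diacritic-stripped "skeleton" of the name against a small allow-list of legitimate hostnames. The allow-list `KNOWN_BRANDS` is an assumption for the example; the lookalike name is the one reported in the article.

```python
import unicodedata

# Assumed allow-list of legitimate hostnames, written in their ASCII form.
KNOWN_BRANDS = {"woocommerce.com"}


def refang(indicator):
    """Turn a defanged indicator such as 'woocommėrce[.]com' back into a hostname."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".")


def to_unicode(hostname):
    """Decode punycode labels (xn--...) to Unicode; plain labels pass through unchanged."""
    labels = []
    for label in hostname.split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(hostname):
    """Strip diacritics: NFKD-decompose, then drop combining marks, so 'ė' collapses to 'e'."""
    decomposed = unicodedata.normalize("NFKD", hostname)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def analyze(indicator):
    """Describe a hostname the way a defender would want to see it in a report."""
    host = to_unicode(refang(indicator)).lower()
    # The IDNA codec applies nameprep and emits punycode for any non-ASCII label.
    ascii_form = host.encode("idna").decode("ascii")
    non_ascii = sorted({c for c in host if ord(c) > 127})
    skel = skeleton(host)
    return {
        "unicode_form": host,
        "ascii_form": ascii_form,
        "non_ascii_chars": [f"{c} (U+{ord(c):04X})" for c in non_ascii],
        "skeleton": skel,
        # A name whose skeleton matches a known brand but whose real spelling differs
        # is exactly the homograph pattern described in the article.
        "lookalike_of": skel if (skel in KNOWN_BRANDS and skel != host) else None,
    }


if __name__ == "__main__":
    for indicator in ("woocommerce.com", "woocommėrce[.]com"):
        report = analyze(indicator)
        print(f"{indicator}: ascii={report['ascii_form']} "
              f"non_ascii={report['non_ascii_chars']} lookalike_of={report['lookalike_of']}")
```

The skeleton comparison only catches diacritic-based substitutions such as the one in this campaign; confusables drawn from other scripts (a Cyrillic "о" in place of a Latin "o", for instance) survive NFKD and need a confusables table, so treat any `non_ascii_chars` entry on a supposedly ASCII brand as a signal in its own right.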
The malicious plugin first creates a hidden administrator account with a scrambled username and password. It also sets up a cron job to run every minute, quietly sending data back to a command server hosted on “woocommerce-services[.]com/wpapi.” Next, it pulls down an additional payload from servers like “woocommerce-help[.]com/activate” or “woocommerce-api[.]com/activate.”
Hidden within this second payload are powerful web shells such as P.A.S.-Fork, p0wny, and WSO, giving attackers full remote control over the compromised website. Even worse, the malware hides itself by concealing the rogue plugin and the fake admin account from WordPress dashboards, making detection harder.
With control of the site, attackers can inject spammy ads, reroute visitors to scam pages, conscript servers into botnets for massive DDoS attacks, or even lock down site data and demand a ransom.
Security researchers urge WooCommerce users to take immediate action. It’s critical to scan your WordPress sites for any suspicious plugins or unknown admin accounts, remove anything suspicious, and update all software and plugins to the latest versions to stay protected.
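The three indicators the article describes (an unexpected administrator, a plugin the dashboard no longer shows, and a cron job firing every minute) can be checked in one pass. The Python audit below is an added example, not a tool from Patchstack or the WordPress project. It runs over constructed sample data whose shape approximates the JSON output of `wp user list`, `wp plugin list` and `wp cron event list`; the `interval` field is a constructed seconds value rather than wp-cli's human-readable recurrence string, the hook name `wpapi_sync` and the usernames are invented, and the allow-lists `EXPECTED_ADMINS` and `APPROVED_PLUGINS` are assumptions you would replace with your own site's inventory. The plugin directory name is the ZIP name reported in the article.

```python
import json

# --- Constructed sample data (invented for this example, not captured from a real site). ---
USERS_JSON = """[
 {"ID": 1,  "user_login": "siteowner",   "user_registered": "2021-03-02 10:15:00", "roles": "administrator"},
 {"ID": 2,  "user_login": "editor_jane", "user_registered": "2022-07-19 08:00:00", "roles": "editor"},
 {"ID": 57, "user_login": "x9q2kd7v",    "user_registered": "2025-04-28 03:11:42", "roles": "administrator"}
]"""
PLUGINS_JSON = """[
 {"name": "woocommerce", "status": "active",   "version": "9.0.0"},
 {"name": "akismet",     "status": "inactive", "version": "5.3"}
]"""
# Directory names actually present under wp-content/plugins (constructed listing).
ON_DISK_PLUGIN_DIRS = ["woocommerce", "akismet", "authbypass-update-31297-id"]
CRON_JSON = """[
 {"hook": "woocommerce_cleanup_sessions", "interval": 86400},
 {"hook": "wp_version_check",             "interval": 43200},
 {"hook": "wpapi_sync",                   "interval": 60}
]"""

# Assumed site inventory; replace with the accounts and plugins you actually expect.
EXPECTED_ADMINS = {"siteowner"}
APPROVED_PLUGINS = {"woocommerce", "akismet"}


def unexpected_admins(users, expected=EXPECTED_ADMINS):
    """Administrator accounts that are not on the expected list."""
    return [u["user_login"] for u in users
            if "administrator" in u["roles"].split(",") and u["user_login"] not in expected]


def hidden_plugins(reported, on_disk):
    """Plugin directories present on disk that WordPress does not report (a hidden plugin)."""
    reported_names = {p["name"] for p in reported}
    return sorted(d for d in on_disk if d not in reported_names)


def unapproved_plugins(reported, approved=APPROVED_PLUGINS):
    """Reported plugins that nobody on the team installed."""
    return sorted(p["name"] for p in reported if p["name"] not in approved)


def high_frequency_cron(events, max_interval=60):
    """Scheduled hooks firing at least once a minute, the beacon cadence described above."""
    return sorted(e["hook"] for e in events if e["interval"] <= max_interval)


def audit(users_json=USERS_JSON, plugins_json=PLUGINS_JSON,
          on_disk=ON_DISK_PLUGIN_DIRS, cron_json=CRON_JSON):
    """Run every check and return the findings keyed by check name."""
    users, plugins, cron = json.loads(users_json), json.loads(plugins_json), json.loads(cron_json)
    return {
        "unexpected_admins": unexpected_admins(users),
        "hidden_plugins": hidden_plugins(plugins, on_disk),
        "unapproved_plugins": unapproved_plugins(plugins),
        "minutely_cron": high_frequency_cron(cron),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits if hits else 'none'}")
```

Because the malware filters the plugin and the rogue account out of what WordPress displays, the on-disk directory listing is the trustworthy side of the `hidden_plugins` comparison; for the same reason, when in doubt, pull the user list straight from the `wp_users` and `wp_usermeta` tables rather than through any code path the plugin can hook.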