Fake Security Vulnerability Alerts Target WooCommerce Users

The Patchstack security team has identified a large-scale, sophisticated phishing campaign targeting WooCommerce users with fake security alerts.

Designed to closely mimic official WooCommerce communication, this campaign employs deceptive email and phishing techniques, urging recipients to install a fraudulent security “patch” for a fictitious vulnerability.

This marks a shift in tactics from previously reported attacks targeting WordPress users more broadly, now focusing specifically on operators of WooCommerce-powered online stores.

IDN Homograph Domains and Advanced Web Shell Payloads

The phishing emails, crafted to appear as official WooCommerce notifications, claim that the targeted sites are exposed to a critical “Unauthenticated Administrative Access” vulnerability.

Recipients are prompted to act quickly by visiting a malicious website camouflaged to look like the authentic WooCommerce domain via an IDN homograph attack.

The fraudulent domain, “woocommėrce[.]com”, is nearly indistinguishable from the real address due to the use of a lookalike Unicode character, a technique increasingly used to deceive even vigilant users.

Upon visiting this fake site, users encounter a near-perfect replica of the legitimate WooCommerce Marketplace, where they are prompted to download a zip file labeled as a security update.

[Image: fake WooCommerce Marketplace page]

According to the Patchstack report, this downloadable file, when installed as a WordPress plugin, deploys a range of malicious activities while silently integrating itself into the compromised site.

Notably, the plugin leverages genuine WordPress hooks to mask its presence, echoing techniques seen in the earlier “Fake CVE” phishing campaign.

Malware Installation and Server Compromise

Once activated, the malicious plugin creates a hidden administrator account with randomized credentials and establishes a cron job for persistence.

It communicates with attacker-controlled domains such as “woocommerce-services[.]com” to transmit site details and receives further payload instructions.

On further interaction, the plugin fetches and installs a suite of obfuscated web shells, including P.A.S.-Fork, p0wny, and WSO, into covert directories within the site’s upload folder.

This level of compromise grants attackers wide-ranging capabilities, from injecting unwanted ads and redirecting site visitors to malicious destinations, to exploiting server resources for distributed denial-of-service (DDoS) attacks, or even stealing billing data.

More severe outcomes could involve ransomware attacks, either through data encryption or exfiltration followed by extortion.

Distinctive indicators of compromise include the presence of an unfamiliar administrator account, an unusually named cron job, and the appearance of suspicious new folders in the plugins and uploads directories of the WordPress installation.

Outbound connections to the aforementioned attacker domains are another clear warning sign.
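The lookalike domain described above folds back to the real brand once its non-ASCII character is stripped, and the C2 domain named earlier reuses the brand name on a domain the brand does not own. The following Python script is an added example (not Patchstack's or Cyber Press's code) that classifies hostnames seen in email links or outbound-connection logs along those two lines; the LEGIT_DOMAINS and BRANDS sets are assumptions to be tailored to your own environment.

```python
import unicodedata

# Assumption: the domains the organisation actually trusts, and the brand
# strings whose appearance on any other domain deserves a second look.
LEGIT_DOMAINS = {"woocommerce.com", "wordpress.org"}
BRANDS = ("woocommerce", "wordpress")


def to_unicode(hostname: str) -> str:
    """If the hostname is in punycode (xn--...), decode it to its display form."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already Unicode, or not decodable as IDNA


def to_punycode(hostname: str) -> str:
    """The ASCII form a resolver actually sees; non-ASCII labels become xn--...."""
    return hostname.encode("idna").decode("ascii")


def skeleton(hostname: str) -> str:
    """Fold a hostname for comparison: lowercase, NFKD-decompose, and drop
    combining marks, so 'woocommėrce.com' collapses to 'woocommerce.com'."""
    decomposed = unicodedata.normalize("NFKD", hostname.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify(hostname: str) -> str:
    """Return 'trusted', 'homograph', 'brand-lookalike' or 'unknown'."""
    host = to_unicode(hostname.strip().lower().rstrip("."))
    if host in LEGIT_DOMAINS:
        return "trusted"
    folded = skeleton(host)
    if folded != host and folded in LEGIT_DOMAINS:
        # Only lookalike characters separate it from a trusted domain.
        return "homograph"
    if any(brand in folded for brand in BRANDS):
        # Uses the brand name on a domain the brand does not own.
        return "brand-lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the two domains named in the report plus two controls.
    for name in ("woocommerce.com", "woocommėrce.com",
                 "woocommerce-services.com", "example.com"):
        print(f"{name:28} {to_punycode(name):36} {classify(name)}")
```

Feeding the script the hostnames extracted from inbound email links or from the site's outbound HTTP logs turns the report's two indicators into a repeatable check rather than a visual inspection.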

Crucially, the campaign’s success hinges on victims downloading and installing the malicious plugin.

Both WordPress and WooCommerce maintain that they do not distribute security patches through email attachments or manual plugin installations, instead relying on direct updates through the official platform interface.

As security researchers continue to track and publicize this campaign, it is anticipated that the attackers will rotate domains and modify their methods in response to community countermeasures.

WooCommerce administrators are advised to remain vigilant for unsolicited security alerts and to verify any update instructions via official channels to avoid falling victim to similar schemes.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
