WooCommerce Phishing Attack: What You Need to Know
Cybercriminals are once again setting their sights on small businesses — this time targeting WooCommerce users with a dangerous new phishing campaign.
Patchstack researchers recently uncovered a large-scale operation where WordPress site admins received fake security alerts, urging them to download a “critical patch” for their WooCommerce platform. But instead of protecting their site, users who downloaded the patch unknowingly installed a backdoor that gave attackers full control.
Here’s a closer look at what’s happening — and what you need to watch out for.
How the Attack Works
The phishing emails appear to come from WooCommerce support (specifically help@security-woocommerce[.]com) and warn that hackers are actively trying to exploit a vulnerability called “unauthenticated administrative access.”
[Image omitted. Source: Patchstack]
To “protect” their websites, users are directed to download a patch via an embedded button. The emails use urgent language, stating things like:
“We strongly advise you to take urgent measures to secure your store and protect your data.”
Clicking the button leads victims to a convincing fake website using a subtle homograph attack — woocommėrce[.]com (notice the special character “ė” instead of a normal “e”).
When users install the provided file (authbypass-update-31297-id.zip), the real damage begins.
[Image omitted. Source: Patchstack]
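The two lures described above (a sender domain that merely contains the brand name, and a link domain that is a homograph of it) can both be caught mechanically before anyone clicks. The following Python script is an added example written for this article; it is not code from Patchstack, WooCommerce or GeorgiaMSP. It assumes woocommerce.com is the brand domain being imitated and treats the last two labels of a hostname as the registrable domain, which is a simplification that ignores multi-part public suffixes such as co.uk. It strips combining marks to expose "woocommėrce" as "woocommerce", converts the domain to its Punycode form (the spelling resolvers and blocklists actually see), and flags any domain that contains the brand name without being the brand domain.

```python
import re
import unicodedata

# Assumption: woocommerce.com is the brand domain the phishing lure imitates.
BRAND_DOMAIN = "woocommerce.com"
BRAND = BRAND_DOMAIN.split(".")[0]

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def refang(text):
    """Turn a defanged indicator such as example[.]com back into a usable domain."""
    return text.replace("[.]", ".").strip().lower()


def skeleton(domain):
    """Strip combining marks so 'woocommėrce' collapses to plain 'woocommerce'."""
    decomposed = unicodedata.normalize("NFD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def to_punycode(domain):
    """ASCII (IDNA) form of the domain: what DNS, proxies and blocklists see."""
    return refang(domain).encode("idna").decode("ascii")


def classify_domain(domain):
    """Classify a domain relative to the brand it may be imitating.

    'legitimate'      the brand domain or a subdomain of it
    'homograph'       looks like the brand domain once accents are stripped
    'brand-lookalike' a different registrable domain that contains the brand name
    'unrelated'       anything else
    """
    domain = refang(domain)
    base = skeleton(domain)
    registrable = ".".join(base.split(".")[-2:])  # simplification: last two labels
    if registrable == BRAND_DOMAIN:
        return "legitimate" if domain.isascii() else "homograph"
    if BRAND in registrable:
        return "brand-lookalike"
    return "unrelated"


def sender_domain(address):
    """Domain part of an e-mail address, or None if the address is malformed."""
    m = EMAIL_RE.match(address.strip())
    return refang(m.group(1)) if m else None


def triage_email(sender, link_domains):
    """Verdict for the sender domain and every domain the message's buttons link to."""
    findings = []
    for label, dom in [("sender", sender_domain(sender))] + [("link", d) for d in link_domains]:
        if dom is None:
            findings.append((label, None, "malformed"))
            continue
        verdict = classify_domain(dom)
        if verdict == "unrelated" and not refang(dom).isascii():
            verdict = "unrelated-idn"  # non-ASCII but not an obvious brand imitation; still review
        findings.append((label, to_punycode(dom), verdict))
    return findings


def is_suspicious(findings):
    """True when any part of the message needs a human look before anyone clicks."""
    return any(verdict not in ("legitimate", "unrelated") for _, _, verdict in findings)


if __name__ == "__main__":
    # Constructed input mirroring the campaign described in the article.
    phish = triage_email("help@security-woocommerce[.]com", ["woocommėrce[.]com"])
    for label, punycode, verdict in phish:
        print(f"{label:6} {punycode:40} {verdict}")
    print("suspicious:", is_suspicious(phish))
```

The Punycode column is the useful output for a mail gateway or proxy rule: a reader cannot tell "woocommėrce.com" from the real domain by eye, but the "xn--" form is unambiguous and can be blocklisted or alerted on directly.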
What the Malicious Plugin Does
Once installed, the fake plugin:
Creates a hidden admin-level user.
Installs a randomly named cronjob that runs every minute.
Registers the infected site to a malicious command-and-control server.
Fetches a second-stage payload that installs multiple web shells (P.A.S.-Form, p0wny, WSO).
These web shells give attackers full remote control over the compromised website, allowing them to:
Steal payment card data.
Inject ads or malicious redirects.
Enlist your server in DDoS attacks.
Lock down your site with ransomware for extortion.
To make detection harder, the plugin:
Hides itself from the WordPress plugin list.
Conceals the malicious admin account it created.
What to Look For
Patchstack advises website owners to check for signs of infection, including:
Admin accounts with random 8-character names.
Strange or unfamiliar cronjobs.
A folder named authbypass-update in your website files.
Outbound traffic to domains like:
woocommerce-services[.]com
woocommerce-api[.]com
woocommerce-help[.]com
⚡ Keep in mind: Once exposed, attackers usually change their tactics. Don’t rely solely on narrow scans — stay vigilant!
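The four indicators above can be checked in one pass if you export the raw data first. The following Python script is an added example written for this article, not code from Patchstack or GeorgiaMSP, and it runs entirely on constructed sample data embedded below. It assumes you have pulled user rows straight from the wp_users and wp_usermeta tables (the plugin hides its account from the dashboard, so the Users screen cannot be trusted), flattened the WP-Cron option into hook/interval pairs, listed the site's file paths, and collected outbound proxy or DNS log lines in a simple "timestamp source host bytes" format that is assumed here. The core cron hook allowlist is a short starting point that you would extend with your own plugins' hooks; as the article warns, the domain and folder names are a snapshot of this campaign and not a substitute for broader monitoring.

```python
import re

# Indicators named in the article's summary of the Patchstack findings (defanged there).
IOC_DOMAINS = {
    "woocommerce-services.com",
    "woocommerce-api.com",
    "woocommerce-help.com",
}
IOC_DIRNAME = "authbypass-update"

# The hidden admin account is described as having a random 8-character name.
RANDOM_LOGIN = re.compile(r"^[a-z0-9]{8}$")

# Assumption: a minimal allowlist of WordPress core cron hooks; add your plugins' hooks.
KNOWN_CRON_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
}

# Assumed log format: "<timestamp> <source-ip> <destination-host> <bytes>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def suspicious_admins(users):
    """users: rows joined from wp_users/wp_usermeta as {'login', 'role'} dicts."""
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator" and RANDOM_LOGIN.match(u["login"]))


def suspicious_cron_hooks(cron_events, known=KNOWN_CRON_HOOKS):
    """cron_events: flattened WP-Cron entries as {'hook', 'interval'} dicts.

    Flags hooks outside the allowlist and anything recurring at one-minute granularity.
    """
    hits = []
    for ev in cron_events:
        reasons = []
        if ev["hook"] not in known:
            reasons.append("unknown hook")
        if ev.get("interval") is not None and ev["interval"] <= 60:
            reasons.append("runs every minute")
        if reasons:
            hits.append((ev["hook"], ", ".join(reasons)))
    return hits


def dropped_plugin_dirs(paths):
    """paths: file paths from a listing of the site root; match the directory name exactly."""
    return sorted({p for p in paths if IOC_DIRNAME in p.split("/")})


def outbound_ioc_hits(log_lines):
    """Outbound connections to the listed C2 domains or any of their subdomains."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = m.group("host").replace("[.]", ".").lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((m.group("ts"), host))
    return hits


# Constructed sample data; none of it comes from a real site.
SAMPLE_USERS = [
    {"login": "shopowner", "role": "administrator"},
    {"login": "k3j9x2qa", "role": "administrator"},   # random 8-char admin
    {"login": "editor01", "role": "editor"},           # 8 chars but not an admin
]
SAMPLE_CRON = [
    {"hook": "wp_version_check", "interval": 43200},
    {"hook": "my_shop_sync", "interval": 3600},        # legitimate plugin hook, not allowlisted
    {"hook": "qz81mtvk", "interval": 60},              # random name, every minute
]
SAMPLE_PATHS = [
    "wp-content/plugins/woocommerce/woocommerce.php",
    "wp-content/plugins/authbypass-update/authbypass-update.php",
    "wp-content/uploads/2025/04/product.jpg",
]
SAMPLE_LOG = [
    "2025-04-28T10:00:01Z 10.0.0.5 api.wordpress.org 812",
    "2025-04-28T10:01:02Z 10.0.0.5 woocommerce-api.com 1440",
    "2025-04-28T10:02:03Z 10.0.0.5 cdn.woocommerce-help.com 2210",
]


def triage(users=SAMPLE_USERS, cron=SAMPLE_CRON, paths=SAMPLE_PATHS, log=SAMPLE_LOG):
    """Run every indicator check and return the findings in one dict."""
    return {
        "random_admins": suspicious_admins(users),
        "cron": suspicious_cron_hooks(cron),
        "dropped_dirs": dropped_plugin_dirs(paths),
        "outbound": outbound_ioc_hits(log),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name}: {findings or 'none'}")
```

The allowlist deliberately produces a "false positive" on my_shop_sync in the sample: an unknown hook is a prompt to look it up, not proof of compromise, whereas a random eight-character hook on a 60-second interval matches the behaviour described above closely enough to investigate immediately.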
How to Stay Safe
Always verify update requests by visiting the official website directly — never click embedded links in emails.
Use strong security plugins that monitor for unauthorized admin account creation.
Maintain regular backups of your site and test restoration processes.
Educate your team about phishing red flags.
Partner with cybersecurity experts (like GeorgiaMSP!) for regular security audits.
🔔 Stay One Step Ahead
Want more updates on threats like this — plus tips on how to spot and stop malicious actors before they do damage?
👉 Follow GeorgiaMSP for more cybersecurity news and small business tech tips.