Beware of WordPress malware: Unintentional installation via fake captcha

Fake captcha wants to steal admin rights

This article is only intended as a brief warning with instructions for a solution, as today I once again found a new type of malware on a customer's domain. The customer wanted to take care of WordPress, plugin and theme updates himself, and for that reason I did not have the website under constant surveillance. Today his webmaster called me to say that he was having problems with the WordPress site, and that I would see what was going on when I went to the page.

No sooner said than done. In the first few seconds after the call everything looked OK, but shortly afterwards a redirect fired and I landed on a new domain that presented me with this picture:

With this screen, the malware wants to induce the user to give it admin rights on the Windows PC.

I visited the site with the Mac and there was no dialog asking me to agree to anything, but I am firmly convinced that on Windows machines a popup appears asking the user for admin rights. Of course, not to confirm that the user is not a robot, as the fake captcha pretends, but to install malicious software on the PC.

But this didn't work for me on the Mac. Another good reason to use a Mac. Most malware is still being developed for Windows computers. ;-)

Malware infection detected, but what should I do?

Now I've seen that the site is infected with something, but how do you go about fixing it? My recommendation at this point is the plugin "Anti-Malware Security and Brute Force Firewall" by Eli Scheetz. I made a donation there and since then I've been using the plugin whenever something "strange" turns up on a WordPress installation.

The plugin scans the entire WordPress installation, including the WordPress core, themes and plugins as well as other directories, and reports in real time on detected malware and potential problems. A button can then be used to move the "infected" files directly into quarantine or to try to repair them.

The anti-malware plug-in combs the entire WordPress folder including all subfolders and shows which malware has been found and which files look potentially suspicious.

I usually make short work of it: I throw all WordPress core files in the trash and also delete infected plugins. Then I install everything fresh and run the scanner again.

It is important that you update everything, because outdated versions of plugins or themes are usually the entry point for attackers. WordPress core itself is usually quite resistant to attacks without plugins, as the developers secure it very well and quickly provide security updates.
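A minimal offline version of the kind of scan described above, added here as an example (it is not the Anti-Malware plugin's code): it walks a WordPress directory and flags PHP, JS and HTML files containing patterns typical of injected loaders or redirects. The indicator patterns, the constructed sample files and the placeholder domain are assumptions made for the demo.

```python
import os
import re
import tempfile

# Indicator patterns are assumptions for this demo, not the plugin's rules:
# obfuscated PHP loaders and client-side redirects are rarely legitimate in
# theme or plugin files, so a match means "inspect this file by hand".
INDICATORS = {
    "obfuscated_php_eval": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "js_redirect": re.compile(r"(window|document)\.location(\.href)?\s*=", re.I),
    "remote_script_tag": re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I),
}
SCAN_EXT = {".php", ".js", ".html"}

def scan_file(path):
    """Return the indicator names matching the file, or [] if it is unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root):
    """Walk a WordPress tree; map relative path -> indicators for every hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, fn)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits

def demo():
    """Constructed sample tree: one clean theme file and two injected ones."""
    root = tempfile.mkdtemp()
    samples = {
        "wp-content/themes/demo/functions.php": "<?php add_action('wp_head', 'demo_meta'); ?>",
        "wp-content/plugins/chat/widget.php": "<?php eval(base64_decode('aGVsbG8=')); ?>",
        "wp-content/themes/demo/header.php": "<script>window.location.href='https://placeholder.invalid/';</script>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root)
```

Point `scan_tree()` at a real installation's root to get a list of files worth opening; a hit is a lead for manual review, not proof of infection.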

Don't worry, the plugin also speaks German and English; it only showed French for my customer because he chose that as the language in WordPress.

WordPress update service and backups as "insurance" (advertising!)

A friend of mine offers a WordPress update service that I also use for all of my customers. He takes care of updates for WordPress, themes and plugins on a weekly basis, and he makes daily backups in the cloud. To do this, he installs the security plugin SecuPress, which detects and prevents common attack attempts. The license for this plugin alone costs 5 euros a month and is included in his service.

If you have a WordPress blog that should not be affected by failures (for example because you earn money with it), you should perhaps book such a service. My friend bills around 20 to 25 euros per month for this, which is very cheap in relation to the working hours that he puts into it. I know that there are also services that offer this for 5 euros a month, but that only applies to WordPress updates that can be carried out automatically at the push of a button. These providers usually do not take care of updates of premium themes and premium plugins. And they usually don't even look at the website to see if the update has broken anything.

Unfortunately I cannot give you a website of my friend because he does not offer the service publicly. If you are interested, please write me an email with the domain that is to be looked after and I will then forward it.

I hope you will forgive me for the ad, but I use the service of my friend for Sir Apfelot and my customers and I am thrilled with it.

/ End of advertising! ;-)

If you yourself have problems with a hacked WordPress or infected files, please let me know. I am happy to help with comments and, in individual cases, with active support via FTP. My wealth of experience with hacked and broken WordPress sites has become quite extensive in recent years and of course I am happy to share it with you.

Fake virus scanner tries to install malware on my Mac.

Update 23.05.2019: Adapted malware screen to macOS

It's almost as if the hackers are reading along. When I looked at the malware URL this morning, a website appeared that is modeled on the Apple Store and points to infections in my macOS that I should fix. Funnily enough, the scan supposedly found one Trojan. Exactly what would probably get installed if I clicked OK often enough and entered my admin password. I didn't do it once...

The trigger was the wp-live-chat-support plugin

I have now cleaned up the customer domain and also identified the trigger for the malicious redirect. It is a chat plugin called "wp-live-chat-support". It seems to bring the malware with it "by default", because it has been blocked for new installations on the official WordPress plugin page:

The WordPress plugin wp-live-chat-support was either taken over or shipped by the developers themselves with redirects to various websites. You should definitely deactivate it and delete it from the server.

-

Did you like the article and did the instructions on the blog help you? Then I would be happy if you would support the blog via a Steady membership or on Patreon.
