SecurityWeek reports that nearly 25,000 WordPress websites installed more than 47,000 malicious plugins between July 2012 and July 2020, and that over 94% of those plugins are still in use.
Malicious plugin installations increased steadily over the eight-year study period and peaked in March 2020, according to a study by Georgia Institute of Technology researchers. More than 3,600 of the malicious plugins came from CodeCanyon, ThemeForest, Easy Digital Downloads, and other legitimate marketplaces, and most of them made no attempt to obfuscate their malicious behavior.
Threat actors are also purchasing the codebases of widely used free plugins, adding malicious code, and waiting for automatic updates to push it to existing installations. According to the study, threat actors have additionally been spoofing plugin authors to distribute malware-laden plugins.
"While the website owners trusted the plugin ecosystem and spent a total of $7.3M on only the plugins in our dataset, we found that this trust is often broken for the attackers' monetary gains," said the researchers.
Threat actors have been spreading the information-stealing malware-as-a-service Erbium as phony video game cracks and cheats in an effort to facilitate credential and cryptocurrency wallet theft, according to BleepingComputer.