CyberCX has warned Australian users about a phishing campaign targeting WordPress websites through fake CAPTCHA prompts. Known as DarkEngine, this campaign involves cybercriminals embedding fraudulent CAPTCHA challenges into legitimate WordPress sites, exposing visitors to malware such as information stealers and remote access tools.
The cybersecurity firm reported that at least 2,353 websites worldwide have been potentially targeted, including 82 organizations in Australia and New Zealand. In Australia, the affected sites mainly consist of small and medium businesses across various industries, ranging from strip clubs to children’s education platforms.
DarkEngine employs a layered approach, starting with the creation of convincing replicas of WP Engine, a widely used WordPress site management tool. Using a technique called SEO poisoning, attackers position fake WP Engine links above authentic ones in Google search results, enabling them to steal real WP Engine login credentials from site administrators. Once compromised, these sites are injected with fake CAPTCHA prompts to deceive users.
The campaign’s goal is to expose visitors to social engineering tactics that trick them into running malicious commands, increasing their risk of malware infection.
Katherine Mansted, Executive Director of CyberCX Intelligence, described the threat actors as “highly skilled, well-resourced, and financially motivated criminals” conducting large-scale operations by infecting thousands of legitimate websites.
Fake CAPTCHA prompts closely resemble legitimate tests designed to differentiate humans from bots but instead trick users into executing harmful commands that could give attackers remote access to their devices.
Users are advised not to copy and paste commands from CAPTCHA prompts and to be alert to unexpected downloads after completing CAPTCHA tests. Suspicious URLs, pop-ups, and poorly designed CAPTCHA forms are indicators of fake challenges.
The fraudulent CAPTCHA prompts linked to DarkEngine are variants of “ClickFix,” a social engineering tactic that manipulates users into running malicious instructions. These methods are linked to known financially motivated cybercrime groups.
CyberCX has reached out to affected organizations as part of its efforts to improve digital security.
The firm recommends that WP Engine administrators monitor account activity for unauthorized logins, especially from unfamiliar proxies or VPNs. WordPress site managers should inspect for unusual plugins, injected content in theme files, and suspicious requests containing keywords like “emergency_login,” “check_plugin,” and “urlchange.”
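The last recommendation above is a straightforward log-hunting task, so here is an added example of how a site operator might run it (this is not CyberCX's or WP Engine's code; the three keywords come from the article, everything else is an assumption). It parses Apache/Nginx combined-format access-log lines, URL-decodes the request path so that percent-encoded variants of the keywords are not missed, and reports which source addresses issued matching requests. The log lines at the bottom are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicator keywords named in the CyberCX guidance quoted above.
DARKENGINE_KEYWORDS = ("emergency_login", "check_plugin", "urlchange")

# Apache/Nginx "combined" log format (assumed layout; adjust if your server logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_keywords(path):
    """Keywords present in the decoded, lower-cased request path and query string.

    Decoding first catches attackers who percent-encode the underscore or letters.
    Note that only the URL is checked: POST bodies are not written to access logs.
    """
    decoded = unquote(path).lower()
    return [k for k in DARKENGINE_KEYWORDS if k in decoded]


def scan_log(lines):
    """Return one hit record per request whose URL contains an indicator keyword."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:          # skip malformed or truncated lines rather than crash
            continue
        kws = matched_keywords(rec["path"])
        if kws:
            hits.append({"line": n, "ip": rec["ip"], "path": rec["path"], "keywords": kws})
    return hits


def hits_by_ip(hits):
    """Count matching requests per source address to spot the most active client."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:08:01:12 +1000] "GET /wp-admin/admin-ajax.php?action=emergency_login&u=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2025:08:01:15 +1000] "POST /wp-content/plugins/x/index.php?check_plugin=1 HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2025:08:02:00 +1000] "GET /?p=12 HTTP/1.1" 200 9123 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2025:08:03:41 +1000] "GET /?urlchange=https%3A%2F%2Fexample.invalid HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Jun/2025:08:05:02 +1000] "GET /wp-login.php?action=emergency%5Flogin HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
    'this line is not a valid access-log record',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['ip']} requested {h['path']} (keywords: {', '.join(h['keywords'])})")
    print("requests per source:", dict(hits_by_ip(found)))
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log"))`; a single source address producing several hits in a short window is the pattern worth escalating, and the same source should then be checked against WP Engine account activity for the unfamiliar-proxy logins the guidance mentions.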
Additionally, CyberCX urges organizations to train employees about ClickFix scams, fake CAPTCHA dangers, and SEO poisoning risks that may lead to malicious sites. The use of reputable password managers that can warn users about illegitimate websites is also encouraged.