WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites

May 28, 2024 | Newsroom | Information Safety / Skimming

Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code into victim sites that is capable of harvesting credit card data.

The campaign, observed by Sucuri on May 11, 2024, involves the abuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code. It has over 200 active installations.

Such attacks are known to leverage known flaws in WordPress plugins or easily guessable credentials to gain administrator access and install other plugins (legitimate or otherwise) for post-exploitation.

Sucuri said the Dessky Snippets plugin is used to insert server-side PHP credit card skimming malware on compromised sites and steal financial data.

“This malicious code was saved in the dnsp_settings option in the WordPress wp_options table and was designed to modify the checkout process in WooCommerce by manipulating the billing form and injecting its own code,” security researcher Ben Martin said.

Specifically, it's designed to add several new fields to the billing form that request credit card details, including names, addresses, credit card numbers, expiry dates, and Card Verification Value (CVV) numbers, which are then exfiltrated to the URL “hxxps://2of[.]cc/wp-content/.”

A noteworthy aspect of the campaign is that the billing form associated with the bogus overlay has its autocomplete attribute disabled (i.e., autocomplete="off").

“By manually disabling this feature on the fake checkout form it reduces the likelihood that the browser will warn the user that sensitive information is being entered, and ensures that the fields stay blank until manually filled out by the user, reducing suspicion and making the fields appear as regular, necessary inputs for the transaction,” Martin said.

This is not the first time threat actors have resorted to using legitimate code snippet plugins for malicious purposes. Last month, the company revealed the abuse of the WPCode code snippet plugin to inject malicious JavaScript code into WordPress sites in order to redirect site visitors to VexTrio domains.

Another malware campaign dubbed Sign1 has been found to have infected over 39,000 WordPress sites in the last six months by using malicious JavaScript injections via the Simple Custom CSS and JS plugin to redirect users to scam sites.

WordPress site owners, particularly those offering e-commerce functions, are recommended to keep their sites and plugins up-to-date, use strong passwords to prevent brute-force attacks, and regularly audit the sites for signs of malware or any unauthorized changes.
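
As an added example (not code from Sucuri or the original article), the audit recommended above can start with the one place this campaign hid its code: the following Python sketch checks exported wp_options rows and flags a dnsp_settings value that shows the traits described in the report. The heuristics, function names, and sample rows are constructed assumptions for illustration.

```python
import re

# Option holding Dessky Snippets code, per the Sucuri quote in the article.
SNIPPET_OPTIONS = {"dnsp_settings"}
# Exfiltration host as reported (kept defanged; refanged only for matching).
REPORTED_HOSTS = ["2of[.]cc"]

# Heuristics are assumptions of this example, not Sucuri's signatures.
CHECKS = {
    "touches_woocommerce_billing": re.compile(
        r"woocommerce.{0,200}billing|billing.{0,200}woocommerce", re.I | re.S),
    "autocomplete_off": re.compile(r"""autocomplete\s*=\s*\\?["']?off""", re.I),
    "card_field": re.compile(r"card[\s_-]*num|cvv|cvc|expir", re.I),
}

def refang(host):
    return host.replace("[.]", ".")

def audit_options(rows):
    """rows: (option_name, option_value) pairs exported from wp_options.
    Returns {option_name: sorted findings} for snippet options that match."""
    report = {}
    for name, value in rows:
        if name not in SNIPPET_OPTIONS:
            continue  # only audit options that store executable snippets
        findings = [label for label, rx in CHECKS.items() if rx.search(value)]
        findings += [f"reported_host:{h}" for h in REPORTED_HOSTS
                     if refang(h) in value.lower()]
        if findings:
            report[name] = sorted(findings)
    return report

# Constructed, inert sample rows (not the real malware).
CLEAN_ROWS = [
    ("blogname", "Example Shop"),
    ("widget_search", '<input type="search" autocomplete="off">'),
    ("dnsp_settings", 'add_action("wp_footer", "print_banner");'),
]
SUSPICIOUS_ROWS = [
    ("blogname", "Example Shop"),
    ("dnsp_settings", 'add_filter("woocommerce_billing_fields", "f"); '
     '/* <input name="card_number" autocomplete="off"> */ // '
     + refang(REPORTED_HOSTS[0])),
]

if __name__ == "__main__":
    for label, rows in (("clean", CLEAN_ROWS), ("suspicious", SUSPICIOUS_ROWS)):
        print(label, audit_options(rows))
```

A hit is a prompt for manual review of the snippet, since a legitimate customization can also touch the billing form.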
