Sucuri researchers have issued an alert about threat actors injecting credit card skimmers into random plugins on e-commerce WordPress sites. During the holiday season, online scammers and threat actors ramp up their operations.
Sucuri researchers have discovered a concerning trend: threat actors are injecting e-skimmers into WordPress plugin files rather than the more closely monitored 'wp-admin' and 'wp-includes' core directories.
The researchers noticed changes to plugin and theme files while analyzing the logs of a compromised e-store.
Sucuri's analysis reads as follows: "Attackers are aware that most WordPress security plugins include a mechanism for monitoring the file integrity of core files (that is, the files in wp-admin and wp-includes directories). Because of this, any malware injected into these files is very easy to detect, even by inexperienced website administrators. The following logical step would be for them to target plugin and theme files."
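The gap described in that quote is a baseline that covers only wp-admin and wp-includes. As an added illustration (this is not code from the Sucuri report or from this article), the following Python script builds a SHA-256 manifest that also covers wp-content/plugins and wp-content/themes and reports files that were added, removed or modified since the baseline. The directory list, file names and the tampering scenario in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed watch list: the two core directories most integrity checks already
# cover, plus the plugin and theme directories the report says are left unwatched.
WATCHED_DIRS = ("wp-admin", "wp-includes", "wp-content/plugins", "wp-content/themes")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads or bundled assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under the watched directories to its SHA-256, keyed by relative path."""
    root_path = Path(root)
    manifest = {}
    for sub in WATCHED_DIRS:
        base = root_path / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                manifest[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests and return added, removed and modified paths (sorted)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a clean install, then an edit and a new file inside a plugin only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x';\n")
        plugin = root / "wp-content" / "plugins" / "example-404-plugin"  # constructed name
        plugin.mkdir(parents=True)
        (plugin / "example.php").write_text("<?php // plugin code\n")
        baseline = build_manifest(tmp)

        # Simulated tampering: content appended to an existing plugin file and a new
        # file dropped beside it. Core files are untouched, so a core-only check
        # would report nothing.
        with (plugin / "example.php").open("a") as f:
            f.write("// appended content (constructed placeholder, not real malware)\n")
        (plugin / "helper.php").write_text("<?php // new file\n")
        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is written right after a clean install or a verified update and stored off the web server, and the comparison is run on a schedule; any hit under wp-content/plugins or wp-content/themes that does not coincide with an update you performed is worth a manual review.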
According to the researchers, the attackers also injected a backdoor into the site files to maintain persistence: even if the administrator installs the latest security updates for WordPress and its plugins, the attacker retains access to the e-store.
The backdoor obtains a list of administrator accounts and abuses their authorization cookie and current user login to regain access to the site.
The attackers then inject their malicious code into random plugins. Sucuri researchers noted that many of the injected scripts did not use the usual encoding or obfuscation techniques to evade detection.
The code analysis revealed the presence of references to WooCommerce as well as numerous undefined variables. The researchers discovered that one of these undefined variables refers to a domain hosted on an Alibaba server in Germany, which is odd given that the infected e-store was operated by a North American company.
A second injection was found in the site's 404-page plugin. It contained the actual credit card skimmer and used the same approach of hidden variables in unobfuscated code. Applying the same method as for the previous file, the researchers determined that the skimming was carried out through two variables, '$thelist' and '$message'.
"If you run an eCommerce website, be especially cautious during the holiday season. This is when we see the most attacks and compromises on eCommerce websites, as attackers are looking to profit handsomely from stolen credit card information," the report concludes. "Use the best security practices, harden your administrator dashboard, and ideally place your website behind a firewall service!"
The experienced Cyber Security Consulting team at Airzero Sec has years of experience working on projects for some of the world's most prestigious companies. Draw on that knowledge whenever you need it, whether you need help arriving at a decision or carrying out technical controls. If you have any queries about the topic, please do not hesitate to contact us at the given email address.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/