Credit Card Swipers Injected into WordPress Plugins
The New Trend Could Allow Hackers to Access the Websites.
As the holiday season approaches, more and more people rush to finish their Christmas shopping, unaware that cybercriminals don’t take time off for the holidays.
What Is Happening?
Credit card skimmers are being inserted into random plugins on e-commerce WordPress sites, allowing the skimmers to remain undetected while collecting client payment information.
Injecting card skimmers into WordPress plugin files is the newest trend; it avoids the heavily watched ‘wp-admin’ and ‘wp-includes’ core folders, where most injections are short-lived.
The attackers know that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files. This is not the first time we have seen this, but what was quite fascinating about this particular infection was the way that the code was written to appear entirely benign. It wasn’t until we broke apart the code using some more advanced methods that the payload was uncovered.
According to a new Sucuri investigation, credit card thieves first get into WordPress sites and insert a backdoor into the website for persistence.
These backdoors allow hackers to access the site even if the administrator installs the latest WordPress security updates and plugins.
As reported by BleepingComputer, the threat actors then inject their malicious code into random plugins, and many of the scripts are not even disguised, according to Sucuri.
However, when the researchers examined the code, they discovered that an image optimization plugin had references to WooCommerce as well as undefined variables.
How to Stay Safe?
Access to the wp-admin area should be restricted to specific IP addresses, and active server-side scanners should be used to check file integrity on the website, ensuring that no code modifications go undiscovered for long.
IT admins should also regularly examine the logs and delve into specifics such as file modifications, themes, and plugin upgrades.
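The file-integrity check recommended above, applied to the plugin and theme directories rather than only the core folders, as an added example (not code from Sucuri or from the original article). The script name `fim.py`, the JSON baseline format and the function names are assumptions made for this example.

```python
import hashlib
import json
import os
import sys

# Directories the article says attackers now target, relative to the WordPress root.
WATCHED_DIRS = ("wp-content/plugins", "wp-content/themes")

def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(wp_root, watched=WATCHED_DIRS):
    """Map every file under the watched directories to its SHA-256 digest."""
    result = {}
    for rel_dir in watched:
        for dirpath, _dirs, files in os.walk(os.path.join(wp_root, rel_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full):
                    continue  # skip symlinks; only regular files are hashed
                rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
                result[rel] = hash_file(full)
    return result

def compare(baseline, current):
    """Return the files added, modified and removed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }

if __name__ == "__main__":
    # Usage (hypothetical script name): fim.py baseline|check <wordpress_root> <baseline.json>
    mode, wp_root, baseline_path = sys.argv[1:4]
    if mode == "baseline":
        with open(baseline_path, "w") as fh:
            json.dump(snapshot(wp_root), fh, indent=1)
    else:
        with open(baseline_path) as fh:
            report = compare(json.load(fh), snapshot(wp_root))
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

Store the baseline somewhere the web server user cannot write, and regenerate it only after a plugin or theme upgrade you have verified.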