As the holiday shopping season approaches, threat actors are intensifying their efforts to infect website owners, thereby administrators should remain vigilant, Sucuri researchers warned. The attackers are now injecting credit card swipers into random plugins of e-commerce WordPress sites to steal customer payment details.
The researchers identified a new technique where threat actors are injecting card skimmers into WordPress plugin files as it avoids the heavily guarded ‘wp-admin’ and ‘wp-includes’ core directories, where most injections are short-lived.
“The attackers know that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files.” reads the analysis published by Sucuri.
According to a new Sucuri investigation, threat actors first get into WordPress sites and inject a backdoor into the website for persistence. This means that the attacker can retain access to the site, even if the administrator installs the latest security updates for WordPress and installed plugins.
The backdoor grabs a list of administrators and exploits their authorization cookie and current user login to access the website. Then the attackers add their malicious code to random plugins, Sucuri researchers pointed out that many of the scripts did not contain any typical encoding or obfuscation techniques to avoid detection.
The examination of the code disclosed the presence of references to WooCommerce and multiple unknown variables. The researchers discovered that one of these undefined variables references a domain (array-slice[.]page) hosted on an Alibaba server in Germany, which is strange considering that the infected e-store was operated by a business in North America.
“If you operate an eCommerce website, be sure to be extra cautious during the holiday season. This is when we see attacks and compromises on e-commerce websites at their highest volume as attackers are poised to make handsome profits from stolen credit card details. Make sure to follow best security practices, harden your administrator dashboard and ideally place your website behind a firewall service,” the researchers concluded.
