WordPress Plugin

Security researchers have discovered a malicious WordPress plugin that creates fake administrator accounts and injects malicious JavaScript code to steal credit card information. According tocyber securityThe company, Sucuri, said the skimming was part of the Magecart attack that targeted e-commerce sites.

"Like many other malicious or fake WordPress plugins, it includes some deceptive information at the top of the file to make it look legitimate," said security researcher Ben Martin. "In this case, the annotation claims the code is 'WordPress Cache Addons'."

Malicious plugins usually enter WordPress sites in two ways:

Utilizing an attacked administrator account
Exploit security holes in other plugins already installed on the site
After installation, the plugin copies itself to the mu-plugins (must-use plugins) directory in order to automatically enable and hide its presence in the admin panel.

"Since the only way to remove mu-plugins is to manually delete the files, the malware will find ways to prevent this operation," Martin explains. "The malware accomplishes this by commenting out the callback functions of the hooks (hooks) typically used by such plugins."

The fraudulent plugin also creates and hides an administrator user account to avoid attracting the attention of the site administrator and continues to access the target site for an extended period of time.

The attacker's ultimate goal is to inject malware that steals credit card information into the checkout page and steal the information to a domain under the attacker's control.

Disclosure of events

The disclosure comes just weeks after the WordPress security community warned users about a phishing campaign. The phishing campaign alerts users about an unrelated security vulnerability in the WordPress content management system and tricks them into installing a plugin that creates an administrator user and deploys a web shell for persistent remote access.

Sucuri said the attackers behind the campaign are exploiting the "RESERVED" status of the CVE identifier, which appears when the identifier is used by a CVE numbering authority (CNA) or security researcher, but the details have not yet been filled in.

Other Magecart attacks

The incident also occurred as the web security firm discovered another Magecart attack campaign. The campaign used the WebSocket communication protocol to insert skimmer code into an online store. The malware was triggered when a fake "Complete Order" button was clicked above a legitimate checkout button.

A thematic report on cyber fraud released this week by Europol describes digital skimming as a persistent threat that leads to the theft, resale and misuse of credit card data. According to the report, "A major evolution in digital skimming has been the shift from the use of front-end malware to the use of back-end malware, making it more difficult to detect."

EU law enforcement agencies also notified 443 online merchants that their customers' credit or payment card data had been compromised by the skimming attack.

Group-IB has also partnered with Europol on a cross-border cybercrime initiative called Operation Digital Scalp. The company said it detected and identified 23 JS-sniffer families, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter and R3nin, which were used to target companies in 17 different countries in Europe and the Americas.

The company added: "As of the end of 2023, 132 JS-sniffer families are known to be used globally to attack websites."

Other security risks

Additionally, fake ads targeting cryptocurrency platforms found in Google searches and on Twitter were found to be promoting a cryptocurrency stealer called MS Drainer. The stealer is estimated to have stolen $58.98 million from 63,210 victims since March 2023 through 10,072 phishing sites.

"By using Google search terms and the following X's search base, they can select specific targets and launch ongoing phishing campaigns at a very low cost," ScamSniffer said.

Some suggestions

To protect your WordPress site from malicious plugins, you can take the following steps:

Download plugins only from trusted sources.
Regularly update WordPress and all plugins.
Use security plug-ins to detect and block malware.
Backup your site for recovery in the event of an attack.
If you suspect that your WordPress site has been infected with a malicious plugin, you can check it with the following tools:

Sucuri SiteCheck
Wordfence Scanner
Invicti Security Scanner
These tools can help you detect and remove malicious plugins.