- Sucuri discovers malicious code embedded in WordPress sites
- Code harvests and exfiltrates payment information from e-commerce sites
- Researchers warn WordPress site admins to inspect all custom code
Cybercriminals are once again targeting WordPress websites with credit card skimmers, stealing victims’ sensitive payment information.
This time, the company sounding the alarm is Sucuri, whose researcher Puja Srivastava recently published a new analysis of the attack, noting that criminals are targeting WordPress e-commerce sites and maliciously inserting JavaScript code into a database table associated with the content management system (CMS).
This script causes the credit card skimmer to appear just as the victim is about to enter payment information.
“The malware activates specifically on payment pages, either by hijacking existing payment fields or by injecting a fake credit card form,” the researcher explained.
The unnamed skimmer was designed to steal all payment information needed for online transactions: credit card numbers, expiration dates, CVV numbers, and billing information.
Cybercriminals typically use stolen credit card information to fund malicious advertising campaigns on social media platforms, purchase malware or malware as a service (MaaS), or purchase gift cards, because these are difficult to trace.
Sucuri added that the skimmer can also retrieve data entered on legitimate checkout screens in real time, maximizing compatibility.
All acquired information is Base64 encoded and combined with AES-CBC encryption, to blend in with regular traffic. After that, it is exfiltrated to a server under the control of the attacker (i.e. “valhafather[.]xyz” or “fqbe23[.]xyz”).
To remove the malware, Sucuri suggests inspecting all custom HTML widgets. This can be done by logging into the WordPress admin panel, navigating to wp-admin > Appearance > Widgets and checking all custom HTML block widgets for suspicious or unknown tags. The researchers also suggested mitigation measures, including regular updates, managing administrator accounts, monitoring file integrity, and running a web application firewall.
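As an added example (not code from Sucuri's write-up or from WordPress itself), a small Python triage script that applies the same check to exported Custom HTML widget bodies: it flags inline scripts, inline event-handler attributes, Base64 blobs or atob() decoding, and references to the two exfiltration hosts named above. The widget ids and bodies are constructed sample data, not content from a real infection.

```python
import re
from typing import Dict, List

# Exfiltration hosts named in the Sucuri write-up, kept defanged as published.
KNOWN_EXFIL_HOSTS = ["valhafather[.]xyz", "fqbe23[.]xyz"]

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)
# A long run of Base64 alphabet characters usually means an encoded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
ATOB_CALL = re.compile(r"\batob\s*\(", re.I)

def scan_widget_html(html: str) -> List[str]:
    """Return the reasons a Custom HTML widget body looks suspicious (empty if clean)."""
    findings = []
    if SCRIPT_TAG.search(html):
        findings.append("inline <script> tag")
    if EVENT_HANDLER.search(html):
        findings.append("inline event handler attribute")
    if ATOB_CALL.search(html) or BASE64_BLOB.search(html):
        findings.append("Base64 payload or atob() decoding")
    lowered = html.lower()
    for host in KNOWN_EXFIL_HOSTS:
        # Match both the defanged form and the plain dotted hostname.
        if host in lowered or host.replace("[.]", ".") in lowered:
            findings.append(f"reference to known exfiltration host {host}")
    return findings

def flag_widgets(widgets: Dict[str, str]) -> Dict[str, List[str]]:
    """Map widget id -> findings for every widget that has at least one finding."""
    return {wid: f for wid, html in widgets.items() if (f := scan_widget_html(html))}

# Constructed sample widget bodies (hypothetical, not from the real infection).
SAMPLE_WIDGETS = {
    "custom_html-2": "<p>Free shipping on orders over $50!</p>",
    "custom_html-5": "<script>var c=atob('Y29uc3RydWN0ZWQgc2FtcGxl');</script>",
    "custom_html-7": "<img src='/banner.png' onerror=\"fetch('https://fqbe23.xyz/')\">",
}

if __name__ == "__main__":
    for wid, reasons in flag_widgets(SAMPLE_WIDGETS).items():
        print(wid, "->", ", ".join(reasons))
```

In practice the widget bodies would come from the `widget_block` / `widget_custom_html` options in the WordPress database rather than the inline sample dictionary.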
Skimmers seem to be gaining popularity again. Less than three weeks ago, the European Space Agency was discovered hosting this type of malicious code, which was stealing payment data, including sensitive credit card information, from countless victims.
Via Hacker news