Hackers Exploit Obscure WordPress Plugin to Steal Payment Data

by ·

According to a report by Sucuri, unknown hackers are exploiting obscure WordPress plugins to inject malicious PHP code into victim sites and steal payment data. On May 11, Sucuri specialists discovered a campaign in which the attackers used the Dessky Snippets plugin. This plugin, which allows users to add custom PHP code, has over 200 active installations.

Credit Card Skimmer

In such attacks, hackers exploit vulnerabilities in WordPress plugins or use easily guessable credentials to gain administrative access. They then install additional plugins for further exploitation. The Dessky Snippets plugin is used to inject server-side malware in PHP, which skims credit card information from compromised sites and steals financial data.

The malicious code is stored in the dnsp_settings parameter of the wp_options table and alters the checkout process in WooCommerce. The code manipulates the billing form, adding fields for payment card information—name, address, card number, expiration date, and CVV number. The collected data is then sent to the URL “hxxps://2of[.]cc/wp-content/”.

Characteristics of the Malicious Campaign

A distinctive feature of this campaign is the disabling of the autocomplete attribute (autocomplete=”off”) in the billing form. This reduces the likelihood of the browser warning the user about entering sensitive information. Additionally, the form fields remain empty until the user fills them in manually, reducing suspicion.

Recommendations for WordPress Site Owners

WordPress site owners, particularly those offering e-commerce functionality, are advised to keep their sites and plugins up to date. Use strong passwords to prevent brute-force attacks and regularly check sites for signs of malware or unauthorized changes.

It was previously reported that cybercriminals began exploiting a critical vulnerability in the WP Automatic plugin for WordPress, which allows the creation of accounts with administrative privileges and the installation of backdoors for long-term access.

Tags: