WordPress users lose money: Little-known plugins as a new weapon for hackers

Tomcat

Attackers have come up with a way to steal confidential data unnoticed.

According to the Sucuri report, unknown hackers use little-known WordPress plugins to inject malicious PHP code on victims' websites and steal payment data. On May 11, Sucuri specialists discovered a campaign in which attackers used the Dessky Snippets plugin. The plugin, which allows users to add their own PHP code, has more than 200 active installations.

In such attacks, hackers use vulnerabilities in WordPress plugins or easily guessed credentials to gain administrator access. After that, they install additional plugins for further operation. The Dessky Snippets plugin is used to inject server-side malware in PHP that skims bank cards on compromised sites and steals financial data.

The malicious code is stored in the dnsp_settings option of the wp_options table and alters the WooCommerce checkout process. It manipulates the billing form by adding fields for payment card data – name, address, card number, expiration date, and CVV number. The collected data is then transmitted to the URL "hxxps://2of[.]cc/wp-content/".

Characteristics of a malicious campaign

A distinctive feature of the campaign is that the autocomplete attribute is disabled (autocomplete="off") in the billing form. This reduces the chance that the browser will warn the user about entering sensitive information. Also, the form fields remain empty until the user fills them in manually, which reduces suspicion.

Recommendations for WordPress site owners

WordPress site owners, especially those who offer ecommerce features, are encouraged to keep their sites and plugins up to date. Use strong passwords to prevent brute-force attacks and regularly check your sites for signs of malware or any unauthorized changes.

Earlier it became known that cybercriminals had begun exploiting a critical vulnerability in the WP Automatic plugin for WordPress, which allows attackers to create accounts with administrative privileges and install backdoors for long-term access.
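For site owners who want to check for the behaviour described above, here is an added example (not part of the original post and not Sucuri's tooling) that triages rows exported from wp_options and flags a dnsp_settings value that combines several skimmer traits. The indicator patterns, the two-hit threshold and the sample rows are assumptions of this example; the option name and the defanged URL come from the article.

```python
import re

# Heuristic indicators: assumptions of this example, derived from the behaviour
# the article describes. They are not Sucuri's signatures.
INDICATORS = {
    "checkout_hook": re.compile(r"woocommerce_(checkout|billing)", re.I),
    "card_field": re.compile(r"card[_\s-]?(number|num)|cvv|cvc|expir", re.I),
    "autocomplete_off": re.compile(r"autocomplete\s*=\s*\\?[\"']off", re.I),
    "outbound_request": re.compile(r"wp_remote_(post|get)|curl_exec|fsockopen", re.I),
    "obfuscation": re.compile(r"base64_decode|gzinflate|str_rot13|eval\s*\(", re.I),
}
EXFIL_URL_DEFANGED = "hxxps://2of[.]cc/wp-content/"  # from the article


def refang(value):
    """Turn a defanged indicator back into the form it has in stored code."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def scan_value(value):
    """Return the sorted names of all indicators present in one option value."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(value)}
    if refang(EXFIL_URL_DEFANGED).split("/")[2] in value.lower():
        hits.add("known_exfil_host")
    return sorted(hits)


def triage(rows, option_names=("dnsp_settings",), min_hits=2):
    """Flag watched wp_options rows with several indicators or the known host."""
    findings = []
    for name, value in rows:
        hits = scan_value(value) if name in option_names else []
        if len(hits) >= min_hits or "known_exfil_host" in hits:
            findings.append((name, hits))
    return findings


# Constructed sample rows (option_name, option_value); not taken from a real site.
BENIGN = 'add_filter("woocommerce_checkout_fields", "rename_phone_label");'
SUSPICIOUS = ('add_filter("woocommerce_billing_fields", "x"); /* ... */ '
              '<input name="billing_card_number" autocomplete="off"> /* ... */ '
              'wp_remote_post($endpoint, $args);')
SAMPLE_ROWS = [("siteurl", "https://shop.example"), ("dnsp_settings", SUSPICIOUS)]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_ROWS):
        print(f"review {name}: {', '.join(hits)}")
```

A single hit, such as a legitimate snippet that only renames a checkout field, stays below the threshold; any flagged row still needs manual review of the stored PHP.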