Crooks injects e-skimmers in random WordPress plugins of e-stores

Threat actors are injecting credit card swipers into random plugins of e-commerce WordPress sites, Sucuri researchers warn.

Sucuri researchers are warning of threat actors injecting credit card swipers into random plugins of e-commerce WordPress sites. The holidays season is the period when online scammers and threat actors intensify their operations.

Sucuri researchers have spotted a dangerous trend, threat actors are injecting the e-skimmers into WordPress plugin files, instead of ‘wp-admin’ and ‘wp-includes’ core directories which are more monitored.

While analyzing the logs of a compromised e-store, researchers notices some changes to plugin and theme files.

“The attackers know that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files.” reads the analysis published by Sucuri.

Sucuri researchers discovered that attackers were able to inject a backdoor into the site files to gain persistence. This means that the attacker can retain access to the e-store, even if the administrator installs the latest security updates for WordPress and installed plugins.

The backdoor grabs a list of administrators and abuses their authorization cookie and current user login to access the website.

Then the attackers add their malicious code to random plugins, Sucuri researchers pointed out that many of the scripts did not contain any typical encoding or obfuscation techniques to avoid detection.

The analysis of the code revealed the presence of references to WooCommerce and multiple undefined variables. The researchers discovered that one of these undefined variables references a domain (array-slice[.]page) hosted on an Alibaba server in Germany, which is strange considering that the infected e-store was operated by a business in North America.

Another file on the same site revealed the presence of a second injection on the 404-page plugin (./wp-content/plugins/404page/inc/class-404page.php), which held the actual credit card skimmer using the same approach of hidden variables in unobfuscated code.

Using the same approach of the previous file, experts discovered that two variables, ‘$thelist’ and ‘$message’ were used to implement the e-skimming activity.

“If you operate an eCommerce website, be sure to be extra cautious during the holiday season. This is when we see attacks and compromises on ecommerce websites at their highest volume as attackers are poised to make handsome profits from stolen credit card details.” concludes the report. “Make sure to follow best security practices, harden your administrator dashboard and ideally place your website behind a firewall service!”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, e-skimmer)

[adrotate banner=”5″]

[adrotate banner=”13″]