Hackers Infiltrate Random WordPress Plugins to Steal Credit Card Information

Hackers Infiltrate Random WordPress Plugins to Steal Credit Card Information

Credit card swipers are being introduced into e-commerce WordPress plugins at random, allowing them to remain undetected while collecting client payment information. Card-stealing threat actors are ramping up their attempts to infect online retailers with covert skimmers as the holiday shopping season approaches, so administrators should be watchful. Injecting card skimmers into WordPress plugin files is the newest trend, as it avoids the heavily watched ‘wp-admin’ and ‘wp-includes’ core folders, where most injections are short-lived.

According to recent research from Sucuri, credit card fraud is carried out by first getting into WordPress sites and introducing a backdoor for persistence. Even if the administrator installs the newest security updates for WordPress and installed plugins, the hackers can still access the site using these backdoors. When the backdoor is used in the future, the attackers will look for a list of administrator users and access the site using their permission cookie and current user login.

The threat actors then inject their malicious code into random plugins, and many of the scripts aren’t even obfuscated, according to Sucuri. When the analysts examined the code, they discovered references to WooCommerce and undefined parameters in an image optimization plugin. This plugin is free of vulnerabilities and is thought to have been chosen at random by threat actors.

Sucuri determined that one of these undefined variables refers to a domain located on an Alibaba server in Germany using PHP’ get_defined_vars()’. This domain had no connection to the hacked website they were investigating, which was based in North America. The 404-page plugin on the same site featured a second injection, which contained the actual credit card skimmer employing the same method of hidden variables in unobfuscated code.

The credit card skimmer malware was supported by the variables’ $thelist’ and ‘$message,’ with the former referring to the receiving URL and the latter leveraging ‘file get contents()’ to take the payment data.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: