Credit card swipers are being injected into random plugins of e-commerce WordPress sites, hiding from detection while stealing customer payment details.
With the Christmas shopping season in full swing, card-stealing threat actors are stepping up their efforts to infect online shops with stealthy skimmers, so administrators ought to remain vigilant.
The latest trend is injecting card skimmers into WordPress plugin files, avoiding the closely-monitored ‘wp-admin’ and ‘wp-includes’ core directories where most injections are short-lived.
According to a new report by Sucuri, hackers performing credit card theft are first hacking into WordPress sites and injecting a backdoor into the website for persistence.
These backdoors allow the hackers to retain access to the site, even if the administrator installs the latest security updates for WordPress and installed plugins.
When the attackers later use the backdoor, it scans for a list of administrator users and uses their authorization cookie and current user login to access the site.
The threat actors then add their malicious code to random plugins, and according to Sucuri, many of the scripts are not even obfuscated.
However, when examining the code, the analysts noticed that an image optimization plugin contained references to WooCommerce and included undefined variables. This plugin has no vulnerabilities and is believed to have been selected by the threat actors at random.
By using PHP ‘get_defined_vars()’, Sucuri was able to find out that one of these undefined variables references a domain hosted on an Alibaba server in Germany.
This domain had no link to the compromised website they were looking into, which is conducting business in North America.
The same site had a second injection on the 404-page plugin, which held the actual credit card skimmer using the same approach of hidden variables in unobfuscated code.
In this case, the ‘$thelist’ and ‘$message’ variables were used to support the credit card skimming malware, with the former referencing the receiving URL and the latter using ‘file_get_contents()’ to grab the payment details.
Administrators can follow several protective measures to keep their sites skimmer-free or minimize the infection times as much as possible.
First, the wp-admin area should be restricted to specific IP addresses only. Then, even if a backdoor is injected and the actors steal administrator cookies, they still could not reach the admin area from their own hosts.
Secondly, file integrity monitoring through active server-side scanners should be implemented on the website, ensuring that no code changes will go unnoticed for long.
Finally, make a habit of reading logs and looking deeply into the details. For example, file changes, themes, or plugin updates are always reflected in logs.