Credit card swipers are being injected into random plugins of e-commerce WordPress sites, hiding from detection while stealing customer payment details.
With the Christmas shopping season in full swing, card-stealing threat actors are stepping up their efforts to infect online shops with stealthy skimmers, so administrators ought to remain vigilant.
The latest trend is injecting card skimmers into WordPress plugin files, avoiding the closely-monitored ‘wp-admin’ and ‘wp-includes’ core directories where most injections are short-lived.
According to a new report by Sucuri, hackers performing credit card theft first break into the WordPress site and inject a backdoor into it for persistence.
These backdoors allow the hackers to retain access to the site, even if the administrator installs the latest security updates for WordPress and installed plugins.
When the attackers later use the backdoor, it scans for a list of administrator users and uses their authorization cookie and current user login to access the site.
The threat actors then add their malicious code to random plugins, and according to Sucuri, many of the scripts are not even obfuscated.
However, when examining the code, the analysts noticed that an image optimization plugin contained references to WooCommerce and included undefined variables. This plugin has no vulnerabilities and is believed to have been selected by the threat actors at random.
By using PHP’s ‘get_defined_vars()’, Sucuri was able to find out that one of these undefined variables references a domain hosted on an Alibaba server in Germany.
This domain had no link to the compromised website they were looking into, which does business in North America.
The same site had a second injection on the 404-page plugin, which held the actual credit card skimmer using the same approach of hidden variables in unobfuscated code.
In this case, the ‘$thelist’ and ‘$message’ variables were used to support the credit card skimming malware, with the former referencing the receiving URL and the latter using ‘file_get_contents()’ to grab the payment details.
Administrators can follow several protective measures to keep their sites skimmer-free or minimize the infection times as much as possible.
First, the wp-admin area should be restricted to specific IP addresses only. That way, even if a backdoor is injected, the actors cannot access the site even with stolen administrator cookies.
Secondly, file integrity monitoring through active server-side scanners should be implemented on the website, ensuring that no code changes will go unnoticed for long.
Finally, make a habit of reading logs and looking closely at the details. For example, file changes and theme or plugin updates are always reflected in logs.
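The second measure above, server-side file integrity monitoring, is simple enough to sketch in a few dozen lines. The script below is an added example and is not code from Sucuri or BleepingComputer: it hashes every file under a plugin directory into a baseline manifest, compares a later snapshot against it to report added, removed and modified files, and additionally flags changed PHP files that contain calls such as ‘file_get_contents()’ (the one the skimmer used) or other functions that often show up in injected code. The plugin names, file contents, the collection URL and the list of flagged function names are all constructed for the demonstration and are assumptions, not indicators from the report.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Triage heuristic, not proof of compromise: file_get_contents() is the call the
# article's skimmer used; the others are common in injected PHP. Assumed list.
SUSPICIOUS_CALLS = re.compile(
    r"\b(file_get_contents|get_defined_vars|eval|base64_decode|curl_exec)\s*\("
)


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def flag_suspicious(root: Path, rel_paths: list[str]) -> dict[str, list[str]]:
    """For changed PHP files, list which of the suspicious calls they contain."""
    flags: dict[str, list[str]] = {}
    for rel in rel_paths:
        path = root / rel
        if path.suffix != ".php":
            continue
        found = sorted(set(SUSPICIOUS_CALLS.findall(path.read_text(errors="replace"))))
        if found:
            flags[rel] = found
    return flags


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: baseline a clean plugin tree, then simulate the kind
    of tampering the report describes and see what the monitor reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "plugins"
        (root / "image-optimizer").mkdir(parents=True)
        (root / "custom-404").mkdir(parents=True)
        # Hypothetical plugins with constructed, benign contents.
        (root / "image-optimizer" / "optimizer.php").write_text(
            "<?php\nfunction io_optimize($img) { return $img; }\n"
        )
        (root / "custom-404" / "404.php").write_text(
            "<?php\nfunction c404_render() { echo 'Not found'; }\n"
        )
        baseline = build_manifest(root)

        # Simulated tampering: an existing plugin file gains a hidden variable and a
        # file_get_contents() call, and a new file appears inside another plugin.
        with (root / "custom-404" / "404.php").open("a") as fh:
            fh.write("$message = file_get_contents($thelist);\n")
        (root / "image-optimizer" / "wp-cache.php").write_text(
            "<?php\n$thelist = 'https://example.invalid/collect';\n"  # placeholder URL
        )

        current = build_manifest(root)
        changes = diff_manifest(baseline, current)
        flags = flag_suspicious(root, changes["added"] + changes["modified"])
        return changes, flags


if __name__ == "__main__":
    changes, flags = demo()
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    for rel, calls in flags.items():
        print(f"SUSPICIOUS {rel}: {', '.join(calls)}")
```

In the constructed run the new ‘wp-cache.php’ contains nothing the call heuristic recognises, yet the manifest diff still reports it: that is the point of baselining hashes rather than relying on signatures alone. In practice the baseline manifest should be stored off the web server (or at least outside the web root), and the comparison run on a schedule with its output going to the same logs the article recommends reading.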
Copyright © 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved