    Rogue WordPress plug-in puts e-commerce sites at risk of credit card theft

    By techempire

    Report | December 22, 2023 | Editorial Department | Skimming/Internet Safety

    Threat trackers have discovered a rogue WordPress plugin that creates fake administrator users and injects malicious JavaScript code to steal credit card information.

    Sucuri said the theft was part of a Magecart campaign targeting e-commerce sites.

    “Like many other malicious or fake WordPress plugins, it includes some deceptive information at the top of the file to give it legitimacy,” said security researcher Ben Martin. “In this case, the review claims the code is ‘WordPress Cache Addons’.”

    Malicious plug-ins typically gain entry into WordPress sites through a compromised admin user account or by exploiting a security vulnerability in another plug-in that is already installed on the site.

    Once installed, the plugin copies itself to the mu-plugins (or must-use plugins) directory so that it is automatically enabled and hides its presence in the admin panel.

    “Since the only way to remove any mu-plugin is to manually delete the file, the malware goes to great lengths to prevent this from happening,” Martin explained. “The malware accomplishes this by unregistering callback functions for hooks commonly used by such plugins.”

    The rogue plugin can also create an administrator user account and hide it from legitimate website administrators, which avoids raising red flags and keeps access to the target for an extended period of time.
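
    A defender-side audit of the persistence described above, as an added example that is not code from the original article or from Sucuri: it lists every PHP file under wp-content/mu-plugins that is not on an approved SHA-256 list and notes which of a few WordPress API names it contains. The heuristic patterns, the function names and the sample files are assumptions constructed for this illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics are assumptions for this example: real WordPress API names that fit
# the behaviour described above, not signatures taken from the actual malware.
SUSPICIOUS = {
    "unregisters hook callbacks": re.compile(r"\bremove_(?:all_)?(?:action|filter)s?\s*\("),
    "creates a user account": re.compile(r"\bwp_(?:insert|create)_user\s*\("),
    "filters the user list query": re.compile(r"\bpre_user_query\b"),
}

def audit_mu_plugins(wp_root, approved_sha256):
    """Report every PHP file under wp-content/mu-plugins that is not approved."""
    root = Path(wp_root)
    mu_dir = root / "wp-content" / "mu-plugins"
    findings = []
    if not mu_dir.is_dir():
        return findings
    for path in sorted(mu_dir.rglob("*.php")):  # includes files in subdirectories
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if digest in approved_sha256:
            continue  # a must-use plugin the site owner deployed
        text = data.decode("utf-8", errors="replace")
        header = re.search(r"Plugin Name:\s*(.+)", text)
        findings.append({
            "file": path.relative_to(root).as_posix(),
            "sha256": digest,
            "claimed_name": header.group(1).strip() if header else None,
            "reasons": [why for why, rx in SUSPICIOUS.items() if rx.search(text)],
        })
    return findings

def demo():
    """Run the audit over a constructed site tree (all file contents are made up)."""
    known = b"<?php\n/*\nPlugin Name: Site Tweaks\n*/\nadd_filter('xmlrpc_enabled', '__return_false');\n"
    unknown = (b"<?php\n/*\nPlugin Name: Constructed Cache Helper\n*/\n"
               b"remove_action('admin_notices', 'constructed_cb');\nwp_insert_user($constructed_userdata);\n")
    with tempfile.TemporaryDirectory() as tmp:
        mu_dir = Path(tmp) / "wp-content" / "mu-plugins"
        mu_dir.mkdir(parents=True)
        (mu_dir / "site-tweaks.php").write_bytes(known)
        (mu_dir / "cache-helper.php").write_bytes(unknown)
        return audit_mu_plugins(tmp, {hashlib.sha256(known).hexdigest()})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

    An unapproved file is reported even when no pattern matches, because the plugin header is attacker-controlled text and the approved-hash list is the only trustworthy signal here.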

    The ultimate goal of this campaign is to inject credit card-stealing malware into the checkout page and exfiltrate the information to an attacker-controlled domain.

    “Since many WordPress infections are caused by infected wp-admin admin users, they need to work within the constraints of their access level, and installing plugins is undoubtedly one of the key capabilities a WordPress admin has,” Martin explained.

    A few weeks ago, the WordPress security community warned about a phishing campaign that alerted users to unrelated security vulnerabilities in the web content management system and tricked them into installing a plug-in presented as a patch. The plug-in itself creates an admin user and deploys a web shell for persistent remote access.

    Sucuri said the threat actors behind the campaign are taking advantage of the “reserved” status associated with a CVE identifier, which occurs when it is reserved for use by a CVE Numbering Authority (CNA) or security researchers, but details have yet to be filled in.

    At the same time, the website security company also discovered another Magecart campaign that used the WebSocket protocol to insert skimmer code in online stores. The malware is then triggered when the fake “Complete Order” button overlaid on the legitimate checkout button is clicked.

    Europol’s key report on online fraud, released this week, describes digital theft as an ongoing threat, leading to the theft, resale and misuse of credit card data. “A major evolution in digital theft is the shift from the use of front-end malware to the use of back-end malware, which makes detection more difficult,” the report said.

    The EU law enforcement agency said it had also notified 443 online merchants that their customers’ credit or payment card details had been compromised as a result of the skimming attack.

    Group-IB also cooperated with Europol in a transnational operation against cybercrime codenamed Digital Skimming Action. The organization stated that it discovered and identified 23 JS sniffer families, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter and R3nin, which were used to target companies in 17 different countries in Europe and America.

    The Singapore-based company added: “As of the end of 2023, a total of 132 JS sniffer families were known to have compromised websites globally.”

    That’s not all. Fake ads for cryptocurrency platforms on Google searches and Twitter were found to be advertising a cryptocurrency drain tool called MS Drainer, which is estimated to have looted $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing sites.

    “By targeting a specific audience using Google search terms and the following
