- Sucuri finds malicious code being embedded in WordPress sites
- The code harvests and exfiltrates payment information from ecommerce websites
- The researchers are warning WordPress site admins to inspect all custom code
Cybercriminals are once again targeting WordPress websites with credit card skimmers, stealing victim’s sensitive payment information in the process.
This time around, the company sounding the alarm is Sucuri, whose researcher Puja Srivastava recently published a new analysis into the attack, noting criminals are targeting WordPress ecommerce websites, inserting malicious JavaScript code into a database table associated with the content management system (CMS).
This script brings up the credit card skimmer just as the victim is about to enter the payment information.
“The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form,” the researcher said.
The unnamed skimmer was built to steal all of the payment information necessary for internet transactions: credit card numbers, expiration dates, CVV numbers, and billing information.
Cybercriminals usually use stolen credit card information to fund malicious ad campaigns on social media platforms, purchase malware or malware-as-a-service (MaaS), or buy gift cards since these are difficult to trace.
Sucuri added the skimmer can also grab data entered on legitimate payment screens in real-time, thus maximizing compatibility.
All of the acquired information is encoded in Base64 and combined with AES-CBC encryption, to blend in with the regular traffic. After that, it is exfiltrated to a server under the attacker’s control (either “valhafather[.]xyz” or “fqbe23[.]xyz”).
To remove the malware, Sucuri suggests inspecting all custom HTML widgets. That can be done by logging into the WordPress admin panel, navigating to wp-admin > Appearance > Widgets, and checking all Custom HTML block widgets for suspicious or unfamiliar tags. The researchers also suggested mitigation steps, which include regular updates, admin account management, file integrity monitoring, and running a web application firewall.
Skimmers seem to be rising in popularity again. Less than three weeks ago, the European Space Agency was found hosting this type of malicious code, which was stealing payment data, including sensitive credit card information, from countless victims.
Via The Hacker News
