
Severity
High
Analysis Summary
Security experts have discovered a rogue WordPress plugin that can inject malicious JavaScript code and create fake administrator users to steal credit card information. This activity is part of a Magecart campaign that targets e-commerce websites.
Like most malicious WordPress plugins, it carries deceptive information in the file to appear legitimate, such as comments claiming that it contains the code of “WordPress Cache Addons”. Fake plugins of this kind end up on legitimate WordPress sites either through a compromised admin user account or by exploiting a vulnerability in another plugin that is already installed on the website.
After the bogus plugin has been installed, it copies itself into the mu-plugins (must-use plugins) directory so that it is enabled automatically, and it hides its presence from the admin panel. The only way to remove a mu-plugin is to delete the file manually, so the malware tries to prevent this by unregistering callback functions for hooks that plugins normally use.
Researchers said that the malicious plugin is also capable of creating an administrator user account and hiding it from the real website admin so that it does not raise suspicion and the attackers retain persistent access to the target for a long period. The final goal of the campaign is to inject credit-card-stealing malware into the checkout pages of e-commerce websites and send the stolen information to an actor-controlled domain. Since most WordPress infections stem from compromised wp-admin administrator accounts, the attackers work within the constraints of that access level, and installing plugins is one of the main capabilities a WordPress admin has.
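Because the plugin hides itself from the admin panel and hides the account it creates, a defender should check the filesystem and the database directly rather than trusting the WordPress UI. The following script is an added example, not code from the advisory or from any WordPress project: it inventories wp-content/mu-plugins against a baseline of approved file hashes, flags files that detach other plugins' hook callbacks (the real WordPress functions remove_action, remove_filter, remove_all_actions, remove_all_filters, used here only as a heuristic, since legitimate plugins also call them) or that reference the fbplx.com indicator, and compares administrator-role logins against an approved list. The sample plugin files, the user records, and the baseline are constructed for the demonstration.

```python
"""Baseline check for WordPress must-use plugins and administrator accounts.

Added example, not the advisory's own code. Assumes a baseline (approved
mu-plugin file hashes and approved administrator logins) recorded when the
site was known to be clean. Sample files and user records are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Real WordPress API calls that detach callbacks from hooks; heuristic only,
# because legitimate plugins use them too.
HOOK_REMOVAL = re.compile(
    r"\b(remove_action|remove_filter|remove_all_actions|remove_all_filters)\s*\("
)
# Domain listed in the advisory's indicators of compromise.
IOC_DOMAINS = ("fbplx.com",)


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_mu_plugins(mu_dir, baseline_hashes):
    """Return (relative_path, reason) findings for PHP files under mu-plugins.

    A file is flagged when its hash is not in the baseline (unknown code that
    auto-loads), when it detaches hook callbacks, or when it references an IoC.
    """
    mu_dir = Path(mu_dir)
    findings = []
    for path in sorted(mu_dir.rglob("*.php")):
        rel = path.relative_to(mu_dir).as_posix()
        text = path.read_text(errors="replace")
        if sha256_file(path) not in baseline_hashes:
            findings.append((rel, "not in baseline"))
        if HOOK_REMOVAL.search(text):
            findings.append((rel, "removes hook callbacks"))
        for domain in IOC_DOMAINS:
            if domain in text:
                findings.append((rel, f"references IoC domain {domain}"))
    return findings


def unexpected_admins(users, baseline_admins):
    """users: iterable of (user_login, capabilities dict as stored in wp_usermeta).

    Returns logins holding the administrator role that are not approved.
    """
    return sorted(
        login for login, caps in users
        if caps.get("administrator") and login not in baseline_admins
    )


def demo():
    """Run both checks against constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp)
        # Constructed benign plugin that is part of the approved baseline.
        (mu / "site-helper.php").write_text(
            "<?php\n/* Plugin Name: Site Helper */\n"
            "add_action('init', 'site_helper_init');\n"
        )
        # Constructed file imitating the rogue plugin's header and behaviour.
        (mu / "wp-cache-addons.php").write_text(
            "<?php\n/* Plugin Name: WordPress Cache Addons */\n"
            "remove_action('admin_init', 'example_callback');\n"
            "$c = 'https://fbplx.com/';  // constructed sample reference\n"
        )
        baseline = {sha256_file(mu / "site-helper.php")}
        file_findings = scan_mu_plugins(mu, baseline)
    # Constructed user records; 'wp_support' is the unapproved extra admin.
    users = [
        ("owner", {"administrator": True}),
        ("editor1", {"editor": True}),
        ("wp_support", {"administrator": True}),
    ]
    admin_findings = unexpected_admins(users, {"owner"})
    return file_findings, admin_findings


if __name__ == "__main__":
    files, admins = demo()
    for rel, why in files:
        print(f"mu-plugins/{rel}: {why}")
    for login in admins:
        print(f"unexpected administrator account: {login}")
```

In a real deployment, feed scan_mu_plugins the live wp-content/mu-plugins path and unexpected_admins the rows from wp_users joined with the wp_capabilities entry in wp_usermeta, and keep the baseline outside the web root so a compromised admin account cannot edit it. Treat every finding as a lead to review by hand: the hash check catches any unexpected file, while the hook-removal match is only a hint that needs a look at the code.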
The disclosure comes after the WordPress security community issued a warning about a phishing campaign that alerts users to an unrelated vulnerability in the web content management system and tricks them into installing a plugin disguised as a patch. This malicious plugin creates an admin user and executes a web shell to maintain continuous remote access. Researchers noted that the threat actors are leveraging the “RESERVED” status of a CVE identifier, which applies when the identifier has been reserved by a CVE Numbering Authority (CNA) but its details have not yet been published.
Another Magecart campaign was discovered that uses the WebSocket communications protocol to add the skimmer code to online store websites. The malware is triggered when a fake “Complete Order” button, overlaid on the legitimate checkout button, is clicked.
Digital skimming has become a persistent threat that results in the theft, resale, and misuse of stolen credit card data. One of the major evolutions seen recently is the shift from front-end malware to back-end malware, which is harder to detect. The E.U. law enforcement agency stated that 443 online merchants were notified that their customers’ credit card information had been stolen through skimming attacks.
Impact
- Sensitive Information Theft
- Financial Loss
Indicators of Compromise
Domain Name
- fbplx.com
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Always verify the legitimacy of emails, especially those claiming to be from WordPress or any security authority. Check the sender’s email address and avoid unexpected or unsolicited communications.
- Verify the domain of any URLs provided in the email.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Implement advanced email filtering solutions that detect and block phishing emails before they reach users’ inboxes.
- Enhance the security of your WordPress site by implementing two-factor authentication.
- Keep your WordPress core and all installed plugins up to date.
- Conduct regular security audits of your WordPress site.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications updated with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Review and secure website code to prevent open redirect vulnerabilities.
- Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.