- Sucuri finds malicious code embedded in WordPress websites
- The code harvests and exfiltrates payment information from e-commerce sites
- The researchers warn WordPress site administrators to inspect all custom code
Cybercriminals are once again targeting WordPress sites with credit card skimmers, stealing the victim’s sensitive payment information in the process.
This time, the company sounding the alarm is Sucuri, whose researcher Puja Srivastava recently published a new analysis of the attack, noting that criminals are targeting WordPress e-commerce sites and inserting malicious JavaScript code into a database table connected to the content management system (CMS).
This script brings up the credit card skimmer just as the victim is about to enter the payment details.
“The malware specifically activates on payment sites, either by hijacking existing payment fields or by injecting a fake credit card form,” the researcher said.
The unnamed skimmer was built to steal all the payment information necessary for internet transactions: credit card numbers, expiration dates, CVV numbers and billing information.
Cybercriminals usually use stolen credit card information to fund malicious ad campaigns on social media platforms, purchase malware or malware-as-a-service (MaaS), or purchase gift cards, as these are difficult to trace.
Sucuri added that the skimmer can also capture data entered on legitimate payment screens in real time, maximizing compatibility.
All the information obtained is encoded in Base64 and combined with AES-CBC encryption to blend with the regular traffic. It is then exfiltrated to a server under the attacker’s control (either “valhafather[.]xyz” or “fqbe23[.]xyz”).
To remove the malware, Sucuri suggests inspecting all custom HTML widgets. This can be done by logging into the WordPress admin panel, navigating to wp-admin > Appearance > Widgets and checking all Custom HTML block widgets for suspicious or unknown tags. The researchers also suggested mitigation steps, which include regular updates, managing administrator accounts, monitoring file integrity, and running a web application firewall.
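A defender-side version of the widget check Sucuri recommends, added here as an example that is not from the article or from Sucuri: it takes the JSON that `wp option get widget_custom_html --format=json` prints (the option WordPress stores classic Custom HTML widgets in; block-based widget areas use `widget_block`, which it can also be pointed at) and flags widgets carrying script tags, base64 helpers, or either exfiltration domain named above, including when a domain is hidden inside a base64 literal. The sample widget content is constructed and inert.

```python
import base64
import json
import re

# Constructed sample of what `wp option get widget_custom_html --format=json`
# returns: widget instance id -> {"title": ..., "content": ...}. Widget "3" is
# an inert stand-in for an injected loader; the literal decodes to a URL only.
SAMPLE_WIDGETS_JSON = json.dumps({
    "2": {"title": "Footer note", "content": "<p>Thanks for shopping with us.</p>"},
    "3": {"title": "", "content": "<script>var u=atob('aHR0cHM6Ly92YWxoYWZhdGhlci54eXo=');</script>"},
    "_multiwidget": 1,
})

# Indicators taken from the article: script tags in a widget, base64 helpers,
# and the two exfiltration domains Sucuri named.
KNOWN_EXFIL_DOMAIN = re.compile(r"valhafather\.xyz|fqbe23\.xyz", re.I)
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "base64_helper": re.compile(r"\b(?:atob|btoa)\s*\(", re.I),
    "known_exfil_domain": KNOWN_EXFIL_DOMAIN,
}
BASE64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def scan_custom_html_widgets(widgets_json: str) -> dict:
    """Return {widget_id: [indicator names]} for every widget that trips an indicator."""
    findings = {}
    for widget_id, instance in json.loads(widgets_json).items():
        if not isinstance(instance, dict):
            continue  # skips the "_multiwidget" bookkeeping entry
        content = instance.get("content", "")
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
        # The skimmer hides strings in base64, so decode literals and re-check them.
        for literal in BASE64_LITERAL.findall(content):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("utf-8", "ignore")
            except ValueError:
                continue
            if KNOWN_EXFIL_DOMAIN.search(decoded) and "known_exfil_domain_b64" not in hits:
                hits.append("known_exfil_domain_b64")
        if hits:
            findings[widget_id] = hits
    return findings


if __name__ == "__main__":
    for wid, hits in scan_custom_html_widgets(SAMPLE_WIDGETS_JSON).items():
        print(f"widget {wid}: {', '.join(hits)}")
```

A clean site produces no output; any hit should be compared against the widget's known legitimate content before removal, since some themes legitimately place script tags in widgets.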
Skimmers seem to be increasing in popularity again. Less than three weeks ago, the European Space Agency was found to host this type of malicious code, which stole payment data, including sensitive credit card information, from countless victims.
Via Hacker News