Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Cybercriminals are once again targeting WordPress websites with credit card skimmers, stealing victims' sensitive payment information in the process.
This time, the company sounding the alarm is Sucuri, whose researcher Puja Srivastava recently published a new analysis of the attack, noting that the criminals are targeting WordPress ecommerce websites and inserting malicious JavaScript code into a database table associated with the content management system (CMS).
This script loads the credit card skimmer as the victim is about to enter their payment information.
“The malware specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form,” the researcher said.
The nameless skimmer was built to steal all the payment information needed for internet transactions: credit card numbers, expiration dates, CVV numbers and billing information.
Cybercriminals usually use stolen credit card information to finance malicious advertising campaigns on social media platforms, purchase malware or malware-as-a-service (MaaS), or purchase gift cards, as these are difficult to trace.
Sucuri added that the skimmer can also capture data entered into legitimate payment screens in real time, thus maximizing compatibility.
All acquired information is Base64-encoded and combined with AES-CBC encryption so that it blends in with regular traffic. It is then exfiltrated to a server under the attacker's control (either “valhafather[.]xyz” or “fqbe23[.]xyz”).
To remove the malware, Sucuri suggests inspecting all custom HTML widgets. This can be done by logging into the WordPress admin panel, navigating to wp-admin > Appearance > Widgets, and checking all custom HTML block widgets for suspicious or unfamiliar tags. The researchers also suggested mitigation steps, which include regular updates, managing the administrator account, monitoring file integrity, and running a web application firewall.
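The widget review described above can be scripted when a site has many widgets. The following is an added example, not code from Sucuri or the original article: it assumes the widget HTML has already been exported into a mapping of widget id to markup, and the allowlist hosts and sample widgets are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Exfiltration domains named in the article, re-fanged for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("valhafather[.]xyz", "fqbe23[.]xyz")}
# Hypothetical allowlist: hosts this shop intentionally loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}

class ScriptFinder(HTMLParser):
    """Records external script hosts and counts inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # hostname is None for relative (same-site) URLs
            self.external.append(urlparse(src).hostname or "")
        else:
            self.inline += 1

def audit_widgets(widgets):
    """Return {widget_id: [reasons]} for widgets that need manual review."""
    findings = {}
    for wid, html in widgets.items():
        finder = ScriptFinder()
        finder.feed(html)
        finder.close()
        reasons = [f"external script from unlisted host {h}"
                   for h in finder.external if h and h not in ALLOWED_SCRIPT_HOSTS]
        if finder.inline:
            reasons.append("inline <script> in widget")
        reasons += [f"references known skimmer domain {d}"
                    for d in sorted(IOC_DOMAINS) if d in html.lower()]
        if reasons:
            findings[wid] = reasons
    return findings

# Constructed sample widgets (not taken from a real site or from the report).
SAMPLE_WIDGETS = {
    "block-2": "<p>Free shipping on orders over $50</p>",
    "block-3": '<script src="https://js.payments.example/v3.js"></script>',
    "block-7": '<script>/* constructed stand-in */ var c = "https://fqbe23.xyz/x";</script>',
    "block-9": '<script src="//cdn.unknown.example/a.js"></script>',
}

if __name__ == "__main__":
    for wid, reasons in audit_widgets(SAMPLE_WIDGETS).items():
        print(wid, "->", "; ".join(reasons))
```

A flagged widget is a prompt for manual inspection rather than proof of compromise, since some sites place inline scripts in widgets deliberately.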
Skimmers seem to be back in popularity. Less than three weeks ago, the European Space Agency was found to host this type of malicious code, which was stealing payment data, including sensitive credit card information, from countless victims.
Via The Hacker News