Unknown threat actors are exploiting lesser-known WordPress code snippet plugins to insert malicious PHP code on victim sites, harvesting credit card data. Sucuri observed this campaign on May 11, 2024, involving the abuse of a plugin called Dessky Snippets, which allows users to add custom PHP code. This plugin has over 200 active installations.
These attacks typically leverage previously disclosed flaws in WordPress plugins or easily guessable credentials to gain administrator access and install other plugins, either legitimate or malicious, for post-exploitation purposes.
Sucuri reported that the Dessky Snippets plugin is used to insert server-side PHP credit card skimming malware on compromised sites, stealing financial data. Security researcher Ben Martin explained that the malicious code is stored in the `dnsp_settings` option in the WordPress `wp_options` table. It modifies the WooCommerce checkout process by manipulating the billing form and injecting its own code.
Specifically, this malicious code adds several new fields to the billing form, requesting credit card details, including names, addresses, credit card numbers, expiry dates, and CVV numbers. This information is then exfiltrated to the URL “hxxps://2of[.]cc/wp-content/.”
A notable aspect of this campaign is the billing form’s autocomplete attribute being disabled (i.e., `autocomplete=”off”`). Martin noted that disabling this feature on the fake checkout form reduces the likelihood that the browser will warn the user about entering sensitive information, ensuring that the fields remain blank until manually filled out by the user, thus reducing suspicion and making the fields appear as regular, necessary inputs for the transaction.
This isn’t the first time threat actors have used legitimate code snippet plugins for malicious purposes. Last month, Sucuri revealed the abuse of the WPCode code snippet plugin to inject malicious JavaScript code into WordPress sites, redirecting site visitors to VexTrio domains.
Another malware campaign, dubbed Sign1, has infected over 39,000 WordPress sites in the last six months by using malicious JavaScript injections via the Simple Custom CSS and JS plugin to redirect users to scam sites.
WordPress site owners, particularly those offering e-commerce functions, are advised to keep their sites and plugins up-to-date, use strong passwords to prevent brute-force attacks, and regularly audit their sites for signs of malware or unauthorized changes.
This vulnerability poses significant risks to businesses using WordPress for their websites, especially those involved in e-commerce. The immediate impact is the potential loss of sensitive customer data, including credit card information, which can lead to severe financial losses and legal repercussions. When customers’ financial information is stolen, businesses may face chargebacks, increased transaction fees, and penalties from credit card companies, which can severely strain their financial resources.
Beyond the direct financial impact, businesses may suffer considerable damage to their reputation. Customers entrust businesses with their personal and financial information, and a breach can shatter this trust. News of such a vulnerability and subsequent data breach can spread quickly, leading to a loss of current customers and deterring potential new customers. Rebuilding a tarnished reputation requires substantial effort and resources, often involving extensive public relations campaigns and enhanced security measures to reassure customers of the website’s safety.
Operational disruptions are another significant consequence. Identifying, mitigating, and recovering from a malware attack can require shutting down the website temporarily, leading to loss of sales and productivity. During this period, businesses might have to invest in cybersecurity experts to cleanse their systems and ensure no residual threats remain, further escalating costs. Additionally, businesses might need to implement more stringent security measures, such as multi-factor authentication and regular security audits, to prevent future attacks, which can be resource-intensive.
Legal implications are also a concern. Depending on the jurisdiction and the nature of the data breach, businesses may be required to notify affected customers and regulatory bodies, potentially leading to fines and sanctions. For example, under the General Data Protection Regulation (GDPR) in the European Union, companies can face hefty fines for failing to protect customer data adequately. In the United States, various state laws impose similar requirements, and non-compliance can result in substantial penalties.
Moreover, this vulnerability underscores the necessity for businesses to stay vigilant about cybersecurity. Many small to medium-sized enterprises (SMEs) might not have dedicated IT security teams, making them more vulnerable to such attacks. Investing in cybersecurity training for employees, implementing robust security protocols, and conducting regular security assessments become imperative. Businesses should also consider cyber insurance to mitigate potential financial losses from such incidents.
In summary, the exploitation of WordPress vulnerabilities to insert malicious PHP code can have devastating effects on businesses, such as a Marietta medical malpractice lawyer, affecting their financial stability, reputation, operations, and legal standing. It highlights the critical importance of maintaining robust cybersecurity practices and staying informed about potential threats to protect both the business and its customers.