Recent cybersecurity investigations have revealed threat actors using swap files on compromised websites to keep a persistent credit card skimmer running, one designed to capture sensitive payment information.
Security firm Sucuri identified this method on the checkout page of a Magento e-commerce site, where the malware demonstrated resilience against multiple remediation efforts. This tactic allows the skimmer to remain undetected, even as site administrators attempt to remove it.
The skimmer is engineered to collect data input in the website’s credit card form and transmit that information to an attacker-controlled domain identified as “amazon-analytic[.]com,” which was registered in February 2024. According to security researcher Matt Morrow, this strategy of co-opting established brand names in domain registration is a common evasion tactic used by malicious actors.
The use of a swap file, specifically one named “bootstrap.php-swapme,” enables the malware to load while the original file, “bootstrap.php,” stays free of infection. Morrow elaborates that when files are edited directly through SSH, servers generate temporary swap files to protect against data loss if the editing session fails. This gives attackers a way to keep their malware on the server while sidestepping standard detection methods, which typically inspect the application's real source files rather than editor leftovers beside them.
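The practical defensive check here is to audit a web root for editor swap or backup files that sit beside real source files, and for PHP files that include something that is not a `.php` source. The following script is an added example written for this article; it is not Sucuri's tooling and it does not reproduce the skimmer. The “-swapme” suffix comes from the case above; the vim and emacs patterns, the directory layout and all file contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Name patterns for editor swap/backup files that should not exist in a
# deployed web root. "*.php-swapme" is the suffix from the Sucuri case;
# the others are common vim (.name.swp) and emacs (name~, #name#) leftovers.
# Assumption: these are the patterns worth auditing; extend as needed.
SWAP_PATTERNS = [
    re.compile(r".*\.php-swapme$"),
    re.compile(r"^\..*\.sw[a-p]$"),
    re.compile(r".*~$"),
    re.compile(r"^#.*#$"),
]

# include/require of a quoted path; group 3 is the path.
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I
)


def is_swap_name(name):
    """True if the bare file name looks like an editor swap/backup file."""
    return any(p.match(name) for p in SWAP_PATTERNS)


def find_swap_files(root):
    """Return web-root-relative paths of every swap-like file under root."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and is_swap_name(p.name)
    )


def find_suspicious_includes(root):
    """Return (file, target) pairs where a .php file includes a non-.php path.

    A clean bootstrap.php next to a loaded bootstrap.php-swapme means some
    other file pulls the swap file in; this finds that loader.
    """
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*.php")):
        text = p.read_text(errors="ignore")
        for m in INCLUDE_RE.finditer(text):
            target = m.group(3)
            if not target.lower().endswith(".php") or "-swapme" in target:
                hits.append((p.relative_to(root).as_posix(), target))
    return hits


def audit(root):
    """Run both checks and return a small report dictionary."""
    return {
        "swap_files": find_swap_files(root),
        "suspicious_includes": find_suspicious_includes(root),
    }


def build_sample_tree():
    """Create a constructed mini web root that mimics the described layout.

    The '-swapme' file holds a harmless placeholder, not skimmer code.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "app").mkdir()
    (root / "pub").mkdir()
    (root / "app" / "autoload.php").write_text("<?php\n")
    (root / "app" / "bootstrap.php").write_text(
        "<?php\n// legitimate bootstrap (constructed)\nrequire 'autoload.php';\n"
    )
    # Stale vim swap file left by an interrupted edit over SSH.
    (root / "app" / ".bootstrap.php.swp").write_bytes(b"b0VIM 9.0\x00")
    # The swap-named file that is actually loaded by the site.
    (root / "app" / "bootstrap.php-swapme").write_text(
        "<?php\n// constructed placeholder standing in for the loaded payload\n"
    )
    (root / "pub" / "index.php").write_text(
        "<?php\nrequire '../app/bootstrap.php-swapme';\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, rows in audit(sample).items():
        print(key)
        for row in rows:
            print("  ", row)
```

Run it against a real document root instead of the constructed tree by calling `audit("/var/www/html")`; anything it lists is either an editor leftover to delete or, if a loader references it, the place to start an incident review. It deliberately reports on names and include targets only, so it works on a live site without executing any PHP.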
While the specifics of the initial compromise remain unclear, it is suspected that unauthorized access may have occurred through SSH or other terminal interfaces. This incident is part of a broader trend where compromised administrative user accounts on WordPress sites are exploited to deploy malicious plugins masquerading as legitimate software, such as the Wordfence security plugin.
As outlined by security researcher Ben Martin, the infiltrating plugin not only impersonates a trusted tool but also creates rogue admin accounts and disables real security measures like Wordfence, creating the illusion that the site is secure while it remains vulnerable. The plugin's origin indicates that the website was already compromised when the malicious software was introduced, reinforcing the malware’s capacity to serve as a vector for reinfection.
The malicious code specifically targets WordPress admin pages that include the term ‘Wordfence’ in their URLs, suggesting an advanced level of specificity in its design that aims to evade detection by focusing on high-value targets.
To mitigate the risks associated with these types of attacks, cybersecurity experts recommend that site owners restrict access to common protocols such as FTP, SFTP, and SSH to trusted IPs only. Keeping content management systems and plugins updated is crucial, alongside enabling two-factor authentication (2FA) and implementing firewall measures to help block potential bot traffic. Furthermore, site owners should consider applying additional hardening settings in their wp-config.php file, such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, to strengthen their defenses against unauthorized changes.