Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft

December 22, 2023 at 12:42PM

A rogue WordPress plugin discovered by threat hunters poses a Magecart campaign threat, creating bogus admin users and injecting malicious code to steal credit card data. The plugin hides in the mu-plugins directory and enables sustained access to the target. This revelation comes amid growing concerns about digital skimming and phishing campaigns.

The key takeaways are:
– A rogue WordPress plugin capable of creating bogus administrator users and injecting malicious JavaScript code has been discovered, posing a significant threat to e-commerce websites.
– The malicious plugin replicates itself to the mu-plugins directory, concealing its presence and preventing manual removal by unregistering callback functions for hooks.
– The ultimate objective of the campaign is to inject credit card stealing malware into checkout pages and exfiltrate the information to an actor-controlled domain.
– The campaign is leveraging the “RESERVED” status associated with a Common Vulnerabilities and Exposures (CVE) identifier and using the WebSocket communications protocol to insert skimmer code on online storefronts.
– Digital skimming presents a persistent threat, leading to the theft, resale, and misuse of credit card data, with increasingly sophisticated methods making detection more challenging.
– Europol’s spotlight report on online fraud highlighted the detection and identification of 23 families of JS-sniffers, including specific ones targeting companies in 17 different countries across Europe and the Americas.
– Bogus ads on Google Search and Twitter for cryptocurrency platforms are promoting a cryptocurrency drainer called MS Drainer, which has allegedly plundered a significant amount from a large number of victims since March 2023.

These takeaways highlight the pervasive nature of cyber threats targeting e-commerce and online platforms and the need for heightened vigilance and security measures.
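As an added defender-side illustration (not code from the article or from any of the vendors it cites), the triage script below audits a WordPress mu-plugins directory for the behaviours described above: hook suppression via remove_action/remove_filter, administrator account creation, script injection on checkout pages, WebSocket use, and obfuscation. The directory layout and the two sample files it writes are constructed for the demo; the suspicious sample contains only non-functional fragments.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators mapped to the behaviours the article describes.
# String matching is triage, not a verdict: review any flagged file by hand.
INDICATORS = {
    "hook_suppression": re.compile(r"\bremove_(action|filter)\s*\("),
    "admin_user_creation": re.compile(r"\bwp_(insert|create)_user\s*\("),
    "administrator_role": re.compile(r"['\"]administrator['\"]"),
    "checkout_script_injection": re.compile(r"is_checkout\s*\(.*<script", re.I | re.S),
    "websocket_use": re.compile(r"wss?://|\bWebSocket\b", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
}

def scan_file(path):
    """Return the sorted list of indicator names found in one PHP file."""
    text = Path(path).read_text(errors="replace")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def audit_mu_plugins(mu_dir, min_hits=2):
    """Map each must-use plugin file to its indicators once it reaches min_hits.
    mu-plugins load automatically and cannot be deactivated from the admin UI,
    so any file here that nobody on the team recognises deserves a look anyway."""
    findings = {}
    for php in sorted(Path(mu_dir).glob("*.php")):
        hits = scan_file(php)
        if len(hits) >= min_hits:
            findings[php.name] = hits
    return findings

def make_demo_dir():
    """Create a constructed mu-plugins directory: one benign site tweak and one
    file holding non-functional fragments of the behaviour described above."""
    d = Path(tempfile.mkdtemp(prefix="mu-plugins-"))
    (d / "site-tweak.php").write_text(
        "<?php\n// constructed sample: harmless site tweak\n"
        "add_filter('the_content', 'site_append_notice');\n"
        "function site_append_notice($c) { return $c; }\n"
    )
    (d / "wp-cache-helper.php").write_text(
        "<?php\n// constructed sample: fragments only, not runnable\n"
        "remove_action('admin_init', 'plugin_callback');\n"
        "wp_insert_user($args); /* role 'administrator' */\n"
        "if (is_checkout()) { echo '<script src=\"wss://PLACEHOLDER/s.js\"></script>'; }\n"
        "eval(base64_decode($blob));\n"
    )
    return d

if __name__ == "__main__":
    for name, hits in audit_mu_plugins(make_demo_dir()).items():
        print(f"{name}: {', '.join(hits)}")
```

Point `audit_mu_plugins` at a real site's `wp-content/mu-plugins` to run it in practice; a single hit is usually a legitimate tweak, while a file that trips several categories at once matches the pattern reported here.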