July 23, 2024 at 06:28AM
Threat actors are using stealthy techniques such as editor swap files to conceal credit card skimmer malware on compromised websites. The skimmer captures payment information at checkout and exfiltrates it to an attacker-controlled domain. The same actors rely on defense evasion methods such as a malicious plugin that impersonates a legitimate security plugin, and on compromised administrator accounts to deploy it. Site owners are advised on security measures to prevent such attacks.
The primary takeaways from the report are as follows:
– A new evasion technique has been observed, involving the use of swap files on compromised websites to conceal a persistent credit card skimmer and harvest payment information. This technique has been seen on a Magento e-commerce site’s checkout page and is designed to capture credit card details and exfiltrate them to an attacker-controlled domain named “amazon-analytic[.]com.”
– Security researcher Matt Morrow highlighted the tactic of leveraging popular brand names in domain names as a common strategy used by threat actors to evade detection.
– The threat actor has also employed other defense evasion methods, including keeping the malicious code in a swap file that the application still loads, while the original file remains intact and free of malware, so routine malware scans and file-integrity checks of the original file show nothing.
– Compromised administrator user accounts on WordPress sites are being used to install a malicious plugin that masquerades as the legitimate Wordfence plugin. This malicious plugin can create rogue admin users and disable Wordfence while maintaining the appearance of normal operations.
– Recommendations for site owners include restricting the use of common remote-access and file-transfer protocols to trusted IP addresses, keeping content management systems and plugins up to date, enabling two-factor authentication, using a firewall to block bots, and adding hardening settings to wp-config.php.
These takeaways summarise the threats described in the report and the recommended countermeasures.
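As an added example (not code from the report or from the researchers cited above), the following Python triage script turns three of the takeaways into checks a site owner can run against a webroot: it lists editor swap and backup artifacts of the kind used to hide the skimmer, it reads wp-config.php and reports which hardening constants are actually set, and it flags plugin directories whose header claims to be Wordfence but whose directory name is not the official `wordfence` slug. The file-name patterns, the choice of hardening constants (DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS, FORCE_SSL_ADMIN) and the look-alike heuristic are this example's assumptions; the report does not name the exact swap file or plugin slug involved.

```python
"""Triage checks for a WordPress/Magento webroot (added example, not the report's code)."""
import os
import re
import sys
from pathlib import Path

# Assumed name patterns for editor swap/backup artifacts that should not exist in a
# deployed webroot: vim swap files, emacs/sed-style backups, and any name carrying
# "swap". Expect some false positives (e.g. legitimate "swapper.js"); treat hits as
# leads to inspect, not verdicts.
SWAP_ARTIFACT_RE = re.compile(r"(\.sw[po]$|~$|\.bak$|\.orig$|swap)", re.IGNORECASE)

# wp-config.php constants chosen for this example: disable the in-dashboard file
# editor, block plugin/theme installs and updates from the dashboard, force TLS on admin.
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS", "FORCE_SSL_ADMIN")
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE)


def find_swap_artifacts(root):
    """Return webroot-relative paths whose file names look like swap/backup files."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if SWAP_ARTIFACT_RE.search(name):
                hits.append(str((Path(dirpath) / name).relative_to(root)))
    return sorted(hits)


def check_wp_config_hardening(wp_config_path):
    """Map each hardening constant to True only if wp-config.php define()s it as true."""
    text = Path(wp_config_path).read_text(errors="replace")
    defined = {m.group(1).upper(): m.group(2).lower() == "true"
               for m in DEFINE_RE.finditer(text)}
    return {const: defined.get(const, False) for const in HARDENING_CONSTANTS}


def find_lookalike_plugins(plugins_dir, brand="wordfence"):
    """Flag plugin directories whose 'Plugin Name:' header mentions the brand but whose
    directory slug is not the official one (assumption: official slug == brand)."""
    flagged = []
    for plugin in sorted(Path(plugins_dir).iterdir()):
        if not plugin.is_dir() or plugin.name == brand:
            continue
        for php in plugin.glob("*.php"):
            header = php.read_text(errors="replace")[:4096]
            match = re.search(r"Plugin Name:\s*(.+)", header)
            if match and brand in match.group(1).lower():
                flagged.append(plugin.name)
                break
    return flagged


def triage(webroot):
    """Run all three checks; missing wp-config.php or plugins dir yields empty results."""
    webroot = Path(webroot)
    wp_config = webroot / "wp-config.php"
    plugins = webroot / "wp-content" / "plugins"
    return {
        "swap_artifacts": find_swap_artifacts(webroot),
        "wp_config_hardening": check_wp_config_hardening(wp_config) if wp_config.is_file() else {},
        "lookalike_plugins": find_lookalike_plugins(plugins) if plugins.is_dir() else [],
    }


if __name__ == "__main__":
    for key, value in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{key}: {value}")
```

Run it as `python triage.py /var/www/html`. A swap artifact beside a PHP file that is itself clean is exactly the pattern the report describes, so any hit next to checkout or bootstrap code deserves a diff against a known-good copy of the application rather than a scan of the original file alone.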