
Unknown threat actors are abusing lesser-known WordPress code snippet plugins to install malicious PHP code on victim websites. This code can harvest credit card information from customers.

The campaign, discovered by Sucuri on May 11, 2024, involves the misuse of a WordPress plugin called Dessky Snippets, which allows users to upload their own customized PHP code. It currently has over 200 installations.

This type of attack typically exploits known vulnerabilities in WordPress plugins or uses easily guessable credentials to gain administrator access. Attackers can then install additional plugins—legitimate or otherwise—for post-exploitation purposes.


Sucuri reported that the Dessky Snippets plugin is used to introduce server-side PHP credit card skimmer malware onto compromised websites to steal users’ financial information.

“This malicious code was saved in the ‘dnsp_settings’ option in the WordPress ‘wp_options’ table and was designed to modify the WooCommerce checkout process by manipulating the billing form and injecting its own code,” said Ben Martin, an independent security researcher.

Specifically, it adds several new fields to the billing form to collect information about credit cards, including names, addresses, card numbers, expiration dates, and Card Verification Value (CVV) numbers. This data is then exfiltrated to the URL “hxxps://2of[.]cc/wp-content/.”

An important aspect of the campaign is that the autocomplete attribute is disabled on the billing form used in the deceptive overlay (i.e., autocomplete="off").

“By manually disabling this feature on the fake checkout form, we reduce the likelihood that the browser will warn users about entering sensitive information. This ensures that the fields remain blank until manually filled out by the user, reducing suspicion and making the fields appear as regular, necessary inputs for the transaction,” Martin explained in an interview.

Threat actors have repeatedly exploited legitimate code snippet plugins for malicious purposes. For instance, one month ago, it was disclosed that the WPCode code snippet plugin had been used to insert malicious JavaScript code into WordPress websites, redirecting site visitors to VexTrio domains.

Another malware campaign known as Sign1 was discovered to have infected more than 39,000 WordPress websites over the past six months. This was achieved by using harmful JavaScript injections through the Simple Custom CSS and JS plugin, forcing visitors to fraudulent websites.

To safeguard against these threats, it is recommended that owners of WordPress websites, especially those with e-commerce capabilities, keep their websites and plugins updated, use strong passwords to fend off brute-force attacks, and regularly audit their sites for signs of malware or other unauthorized changes.
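As an added example (not code from Sucuri or from the plugin), the audit step can be partly automated by scanning exported rows of the wp_options table for the traits described above: checkout hooks, card fields, autocomplete="off" and outbound calls inside an option that stores PHP. The function name, the indicator list and the assumption that rows arrive as plain (option_name, option_value) text are hypothetical; the sample rows are constructed.

```python
import re

# Heuristics based on the behaviour described in the article. Hook and function
# names are real WooCommerce/PHP identifiers; the selection is an assumption.
INDICATORS = {
    "checkout_hook": re.compile(r"woocommerce_\w*(checkout|billing)\w*", re.I),
    "autocomplete_off": re.compile(r"autocomplete\s*=\s*\\?[\"']off", re.I),
    "card_field": re.compile(r"card[_-]?(number|num|cvv|cvc|exp)|\bcvv\b", re.I),
    "outbound_call": re.compile(
        r"\b(curl_exec|wp_remote_post|file_get_contents|fsockopen)\s*\(", re.I),
    "obfuscation": re.compile(
        r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

# Options known to hold user-supplied PHP; 'dnsp_settings' is named in the article.
SNIPPET_OPTIONS = {"dnsp_settings"}


def audit_options(rows, threshold=2):
    """Return [(option_name, [indicator, ...])] for rows that look suspicious.

    rows: iterable of (option_name, option_value) exported from wp_options.
    A snippet-store option is reported on any single hit; other options need
    `threshold` distinct indicators, which keeps noise from ordinary settings low.
    """
    findings = []
    for name, value in rows:
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(value or ""))
        needed = 1 if name in SNIPPET_OPTIONS else threshold
        if len(hits) >= needed:
            findings.append((name, hits))
    return findings


# Constructed sample rows (not real malware, not taken from the report).
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    ("woocommerce_checkout_page_id", "7"),
    ("theme_mods_demo", 'a:1:{s:4:"logo";s:8:"card.png";}'),
    ("dnsp_settings",
     'add_filter("woocommerce_checkout_fields", "f"); '
     'echo \'<input name="card_number" autocomplete="off">\'; '
     'wp_remote_post($endpoint, $fields);'),
]

if __name__ == "__main__":
    for option, hits in audit_options(SAMPLE_ROWS):
        print(f"{option}: {', '.join(hits)}")
```

A hit is a prompt for manual review of the stored snippet, not proof of compromise; legitimate snippets can also touch checkout hooks.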
