Last month, a security analyst at Sucuri discovered a “rogue WordPress plugin” that enables cyber criminals to access payment data from e-commerce websites undetected.

About the plugin

According to The Hacker News, the plugin was created by affiliates of MageCart, a cyber attack campaign executed by a variety of cybercrime groups that “employ online skimming techniques to steal personal data from websites.” Attackers added the malicious plugin to different WordPress websites using compromised administrative credentials and other “security flaws.” Once the plugin was running, the attackers could create new administrator accounts and hide them from legitimate administrators, enabling them to “avoid raising red flags and have sustained access to the target for extended periods of time.” After gaining administrative access to a site, the attackers would then “inject credit card stealing malware in the checkout pages and exfiltrate the information” to their own databases.

How it works – and how to prevent it

Ben Martin, the analyst who first discovered the plugin, recently explained exactly how the malware works:

“The malware presents several conditions upon whether or not it will exfiltrate card details, two of which are the presence of ‘checkout’ in the URL and also whether or not the WordPress administrator bar is present (in which case it will hide itself)…

One of the more interesting features that [the malware] has is that it uses the actual image files for the credit card logos (Visa, Mastercard, etc.) from the infected website itself when it overlays the fake checkout page on top of the legitimate one… This allows it to integrate into the infected checkout page pretty much seamlessly so that there are no visual cues to the website owner that things might be ‘off’ somehow.”

And the worst part? The plugin is capable of adding itself to the directory of must-use plugins, “so that it’s automatically enabled and [then] conceals its presence from the admin panel,” making it extremely difficult to uncover and remove.
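Because must-use plugins load automatically and never show up in the normal plugin list, the practical defence is an inventory: keep a manifest of the files that are supposed to be in the mu-plugins directory and diff the directory against it on a schedule. The script below is an added example, not Sucuri's code or anything from the reported malware; the directory layout, the manifest format, the file names and the "checkout plus admin bar" content heuristic (drawn from the two conditions Martin describes above) are all assumptions, and the sample files it creates are constructed and inert.

```python
"""Audit a WordPress mu-plugins directory for unexpected or altered files.

Added example (not Sucuri's code). Must-use plugins are enabled without any
admin action, so a defender snapshots the known-good directory and reports
anything that was added, changed or removed since the snapshot.
"""
import hashlib
import os
import re
import tempfile

# Strings the article says the skimmer keys on: a 'checkout' URL check and a
# test for the WordPress admin bar. Both occur in benign code as well, so a
# hit is a "look closer" signal, not proof of compromise. (Assumed heuristic.)
SUSPICIOUS_PAIR = (
    re.compile(r"checkout", re.IGNORECASE),
    re.compile(r"admin[-_ ]?bar", re.IGNORECASE),
)


def sha256_of(path):
    """Hash a file in chunks so large plugin bundles do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(mu_dir):
    """Snapshot a known-good mu-plugins tree as {relative path: sha256}."""
    manifest = {}
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, mu_dir)] = sha256_of(full)
    return manifest


def audit_mu_plugins(mu_dir, manifest):
    """Compare the live directory with the manifest.

    Returns (unknown, modified, missing, flagged): files not in the manifest,
    files whose hash changed, files that disappeared, and the subset of new or
    changed files whose contents match both heuristic patterns.
    """
    current = build_manifest(mu_dir)
    unknown = sorted(set(current) - set(manifest))
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])

    flagged = []
    for rel in unknown + modified:
        with open(os.path.join(mu_dir, rel), "rb") as handle:
            text = handle.read().decode("utf-8", errors="replace")
        if all(pattern.search(text) for pattern in SUSPICIOUS_PAIR):
            flagged.append(rel)
    return unknown, modified, missing, flagged


def demo():
    """Constructed scenario: one legitimate mu-plugin, then an unexpected drop-in."""
    with tempfile.TemporaryDirectory() as mu_dir:
        # Known-good file present when the manifest was taken (constructed).
        with open(os.path.join(mu_dir, "site-helper.php"), "w", encoding="utf-8") as handle:
            handle.write("<?php\n// legitimate site helper (constructed sample)\n")
        manifest = build_manifest(mu_dir)

        # File that appears later without anyone installing it (constructed,
        # inert: it only contains the two indicator strings, nothing else).
        with open(os.path.join(mu_dir, "cache.php"), "w", encoding="utf-8") as handle:
            handle.write("<?php\n// constructed sample: mentions checkout and admin-bar\n")

        return audit_mu_plugins(mu_dir, manifest)


if __name__ == "__main__":
    unknown, modified, missing, flagged = demo()
    print("unknown:", unknown, "modified:", modified,
          "missing:", missing, "flagged:", flagged)
```

In a real deployment the manifest would be generated on a clean install (or after a verified update) and stored outside the web root, and the audit would run from cron or a monitoring agent so that a file appearing in mu-plugins raises an alert even though the admin panel never lists it.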

When discussing how businesses can keep their websites safe, Martin stated:

“We always recommend website owners practice the principle of least privilege and have as few administrator users as necessary! This will help reduce your attack surface. WordPress offers a variety of different user roles such as ‘Contributor’ and ‘Editor’ so as to better manage access control and security. Use them wisely! …

[I]f you operate a WooCommerce website then be sure to take extra precaution to secure your wp-admin panel, keep your website plugins and themes patched, and take as many precautions as you can to keep your ecommerce website secure!”