A recent cybersecurity breach has highlighted the dangers of using obscure plugins on WordPress websites. Hackers have exploited the Dessky Snippets plugin, a relatively unknown tool with only a few hundred active installations, to inject malicious PHP code into websites. This code specifically targeted WooCommerce stores, compromising the checkout process and enabling the theft of customers’ credit card information. The attack was first identified by cybersecurity analyst Conrado Torquato after reports of stolen credit card data surfaced, prompting a detailed investigation by Sucuri.
The attack, which occurred on May 11, 2024, involved sophisticated techniques to evade detection. The malicious code was cleverly hidden beneath several blank lines in the plugin’s code, making it difficult for website owners to spot. The code modified the billing form during the checkout process, adding new fields to capture credit card details and send them to a third-party URL. The malware used a bogus function named twentytwenty_get_post_logos as a hook to the WooCommerce woocommerce_after_checkout_billing_form hook, tricking users into entering their sensitive information.
To evade detection, the fake checkout overlay fields were set with autocomplete=”off,” preventing browsers from warning users about entering sensitive information. This sophisticated evasion technique made the fields appear as legitimate inputs, allowing the malware to operate undetected for a significant period. The second chunk of code monitored POST data for specific parameters related to the injected form fields and sent the captured credit card information to a third-party URL. This breach underscores the persistent threat posed by cybercriminals and the need for robust security measures.
To protect against such attacks, e-commerce websites are urged to implement several security measures. These include keeping all software, including CMS, plugins, themes, and third-party components, regularly updated to patch vulnerabilities. Additionally, using strong, unique passwords for all accounts, selecting trusted scripts from reputable sources, and avoiding unnecessary third-party scripts are essential. Monitoring sites for signs of malware, unauthorized changes, or any indicators of compromise, and implementing a web application firewall to block malicious bots and virtually patch known vulnerabilities can further enhance security. Establishing a Content Security Policy (CSP) to protect against clickjacking, cross-site scripting (XSS), and other threats is also recommended.
Reference:
