@securityonline.info
//
A new and stealthy formjacking malware has been discovered targeting WooCommerce, the popular e-commerce plugin for WordPress. It discreetly steals customer payment data from legitimate checkout flows, posing a significant threat to online businesses. Unlike traditional skimmers that simply overlay a payment form, this malware integrates into the checkout process itself and exfiltrates sensitive customer data without raising immediate suspicion.

The malware injects a fake payment form into legitimate checkout pages, closely mimicking the design and behaviour of the real one. It captures card numbers, expiration dates, CVVs, and personal information such as names and addresses. To evade detection, it accumulates the cardholder data client-side in the browser's localStorage, where it persists across page loads and never touches the store's own server, giving the skimmer both persistence and a measure of anti-forensic cover. Exfiltration is triggered when the "Place Order" button is pressed: the collected data is sent asynchronously and silently to a remote Command & Control (C2) server with the navigator.sendBeacon() method. Because the malware watches the checkout fields continuously as the customer types, it captures data even if the purchase is never completed.

The infection vector is believed to be compromised WordPress admin accounts. Attackers inject the malicious JavaScript through plugins such as Simple Custom CSS and JS, which exist precisely to add custom code to a site's pages. A caveat defenders should know: navigator.sendBeacon() is subject to the page's Content-Security-Policy connect-src directive, so a checkout page whose CSP restricts connect-src to the origins it actually needs blocks this exfiltration path outright.

Cybersecurity experts recommend robust security measures, including regular security audits, up-to-date software, and careful monitoring of third-party dependencies, to protect against such attacks.
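The following is an added example, not code from the article or from the malware it describes. It checks whether a checkout page's Content-Security-Policy would let a navigator.sendBeacon() call reach a given exfiltration URL: per the CSP specification, beacons are governed by connect-src, with default-src as the fallback. The matcher is deliberately simplified (keywords 'none', 'self' and '*', scheme sources, exact hosts and leading-wildcard hosts; nonces, hashes and path matching are not modelled). The page URL, the C2 endpoint and both policies are constructed for the example; the script-only policy leaves the beacon unrestricted, the hardened one blocks it.

```javascript
// Added example, not code from the article or from the malware: a checker
// for whether a checkout page's Content-Security-Policy would let
// navigator.sendBeacon() reach a given exfiltration URL. Beacons are
// governed by connect-src, with default-src as the fallback. The matcher is
// deliberately simplified: it understands 'none', 'self', '*', scheme
// sources (https:), exact hosts and leading-wildcard hosts, which is enough
// to reason about the skimmer above. Nonces, hashes and path matching are
// not modelled. All URLs and policies below are constructed for the example.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map(s => s.toLowerCase());
  }
  return directives;
}

// Does one CSP source expression permit a request to `target` (a URL object)?
function sourceMatches(source, target, pageOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false;      // other keywords do not apply to connect-src
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source; // scheme-source
  // host-source: [scheme://][*.]host[:port]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const targetPort = target.port || (target.protocol === 'https:' ? '443' : '80');
    if (targetPort !== port) return false;
  }
  return true;
}

// True if sendBeacon(beaconUrl) issued from pageUrl is allowed under cspHeader.
function cspAllowsBeacon(cspHeader, pageUrl, beaconUrl) {
  const page = new URL(pageUrl);
  const target = new URL(beaconUrl);
  const directives = parseCsp(cspHeader);
  const sources = directives['connect-src'] ?? directives['default-src'];
  if (!sources) return true;                    // no governing directive: unrestricted
  return sources.some(src => sourceMatches(src, target, page.origin));
}

// Constructed scenario: the store's checkout page and a hypothetical C2 endpoint.
const CHECKOUT = 'https://shop.example/checkout/';
const C2 = 'https://cdn-stats.example.net/collect';
const POLICIES = {
  scriptOnly: "script-src 'self' 'unsafe-inline'",
  hardened:   "default-src 'self'; script-src 'self'; connect-src 'self' https://api.stripe.com",
};

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, 'allows beacon to C2:', cspAllowsBeacon(policy, CHECKOUT, C2));
}
```

The hardened policy still permits beacons to the store's own origin and to the payment processor it lists, so legitimate checkout traffic is unaffected; what it removes is the attacker's freedom to pick an arbitrary C2 host. A CSP cannot stop the injected script from running if script-src is equally permissive, which is why the admin-account and custom-JS-plugin hygiene above matters as well.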
Pierluigi Paganini@securityaffairs.com
//
A new malware campaign is targeting WordPress sites with a malicious plugin disguised as a security tool, tricking site owners into installing and trusting it. The plugin, often named 'WP-antymalwary-bot.php', gives attackers persistent access, remote code execution and JavaScript injection, while hiding itself from the plugin dashboard to evade detection. It was first discovered in late January 2025 during a site cleanup, where a modified 'wp-cron.php' file was found that creates and programmatically activates the malicious plugin.

Cybercriminals are specifically targeting WooCommerce users with a large-scale phishing campaign aimed at gaining backdoor access to WordPress sites. The malicious plugin looks legitimate at first glance, complete with header comments, code indentation and a professional structure, but it contains a backdoor function that lets attackers log in as the first administrator user by sending a crafted GET request. With that administrative access they inject PHP code into theme files such as header.php through a REST API route registered without any permission check.

The malware layers on several stealth measures. It hides itself from the WordPress admin dashboard using a 'hide_plugin_from_list' function, so the plugin list in the UI cannot be trusted; check the active_plugins option in the database and the plugin directory on disk instead. It communicates with a Command & Control (C2) server, sending periodic "ping" updates to report its operational status. It also injects malicious JavaScript ads into the site's pages using obfuscated code and scripts retrieved from compromised external resources. Even if the plugin is deleted, the modified 'wp-cron.php' file recreates and reactivates it on the next site visit, so a cleanup that does not also restore wp-cron.php from a known-good copy of the same WordPress version will not hold.
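The following is an added example, not code from the article or from the malicious plugin. It is a static audit that finds register_rest_route() calls in PHP source and flags routes reachable without authentication: those with no permission_callback declared at all (WordPress 5.5 and later emit a _doing_it_wrong notice but still serve the route publicly) and those whose permission_callback is '__return_true'. Run it over every file under wp-content/plugins and wp-content/themes, since a plugin that filters itself out of the dashboard is still present on disk. The PHP sample embedded below is constructed for the example and all of its names are invented.

```javascript
// Added example, not code from the article or from the malicious plugin:
// a static audit of PHP source for register_rest_route() calls whose
// routes are reachable without authentication, i.e. no permission_callback
// declared at all (WordPress then treats the route as public and logs a
// _doing_it_wrong notice) or permission_callback set to '__return_true'.
// Run it over every file under wp-content/plugins and wp-content/themes,
// since a plugin that hides itself from the dashboard is still on disk.
// The PHP sample below is constructed for the example; its names are invented.

const SAMPLE_PLUGIN_SOURCE = `<?php
add_action('rest_api_init', function () {
    // constructed backdoor-style route: no permission check at all
    register_rest_route('example-backdoor/v1', '/inject', [
        'methods'  => 'POST',
        'callback' => 'example_write_into_header',
    ]);
    // explicitly public
    register_rest_route('example-backdoor/v1', '/ping', [
        'methods'             => 'GET',
        'callback'            => 'example_ping_c2',
        'permission_callback' => '__return_true',
    ]);
    // properly gated on a capability
    register_rest_route('shop/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'shop_save_settings',
        'permission_callback' => function () { return current_user_can('manage_options'); },
    ));
});
`;

// Return the full text of every call to fnName(...), honouring nested
// brackets and PHP string literals so a ')' inside a string does not end the call.
function extractCalls(src, fnName) {
  const calls = [];
  const re = new RegExp('\\b' + fnName + '\\s*\\(', 'g');
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 0;
    let quote = null;
    let i = m.index + m[0].length - 1;          // position of the opening '('
    for (; i < src.length; i++) {
      const ch = src[i];
      if (quote) {
        if (ch === '\\') i++;                     // skip the escaped character
        else if (ch === quote) quote = null;
      } else if (ch === "'" || ch === '"') {
        quote = ch;
      } else if (ch === '(' || ch === '[') {
        depth++;
      } else if (ch === ')' || ch === ']') {
        depth--;
        if (depth === 0) break;
      }
    }
    calls.push(src.slice(m.index, i + 1));
  }
  return calls;
}

// One finding per register_rest_route() call: route path, declared
// permission_callback (if any) and a verdict of 'missing', 'public' or 'checked'.
function auditRestRoutes(phpSource) {
  return extractCalls(phpSource, 'register_rest_route').map(call => {
    const strings = [...call.matchAll(/['"]([^'"]*)['"]/g)].map(x => x[1]);
    const route = (strings[0] ?? '?') + '/' + (strings[1] ?? '?').replace(/^\//, '');
    const pc = call.match(/['"]permission_callback['"]\s*=>\s*([^,\n]+)/);
    let verdict = 'checked';
    if (!pc) verdict = 'missing';
    else if (/__return_true/.test(pc[1])) verdict = 'public';
    return { route, permissionCallback: pc ? pc[1].trim() : null, verdict };
  });
}

// Only the routes an unauthenticated caller can reach.
function unauthenticatedRoutes(phpSource) {
  return auditRestRoutes(phpSource).filter(f => f.verdict !== 'checked');
}

for (const f of auditRestRoutes(SAMPLE_PLUGIN_SOURCE)) {
  console.log(f.verdict.padEnd(8), f.route, f.permissionCallback ?? '(none)');
}
```

A 'public' verdict is not automatically a bug (a storefront may legitimately expose read-only routes), but a public or missing check on a route whose callback writes files, edits options or changes users is exactly the pattern this backdoor used and deserves a manual look.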
Pierluigi Paganini@securityaffairs.com
//
A large-scale phishing campaign is actively targeting WordPress WooCommerce users. The criminals send fake security alerts urging recipients to download a "critical patch"; anyone who falls for it installs a malicious plugin that creates a hidden administrator account and gives the attackers backdoor access to the WordPress site. The campaign illustrates the growing sophistication of attacks on e-commerce platforms.

The phishing emails mimic official WooCommerce communications and typically warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To reinforce the deception, the attackers use homograph domains that closely resemble the legitimate WooCommerce site but differ by a single substituted character, such as 'woocommėrce[.]com' (note the dotted ė in place of e). Once installed, the fake patch lets the attackers take remote control of the site: injecting malicious code, spam or sketchy ads, redirecting visitors to fraudulent sites, enlisting the server in a botnet for DDoS attacks, or encrypting server resources as part of an extortion scheme.

Researchers advise WooCommerce users to treat unexpected security alerts with extreme caution and to obtain patches only through official WooCommerce channels, after verifying the sender's domain character by character. Site owners should also scan their installations for unfamiliar plugins and administrator accounts and keep all software up to date.
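The following is an added example, not code from the article: a quick homograph check for a sender or link domain lifted from a suspicious "security alert". It refangs the defanged form ('woocommėrce[.]com'), converts the domain to its punycode form with the WHATWG URL parser built into Node, flags IDN labels and mixed-script labels, and compares a diacritic-stripped skeleton against an assumed list of legitimate domains (the list itself is an assumption for the example). It does not catch pure-ASCII typosquats such as a dropped letter, so treat it as one signal, not a verdict. The sample domains are constructed.

```javascript
// Added example, not code from the article: a homograph check for a
// domain taken from a suspicious "security alert". Refangs '[.]', gets the
// punycode form via the URL parser, flags IDN and mixed-script labels, and
// compares a diacritic-stripped skeleton with an assumed allowlist.
// Pure-ASCII typosquats (e.g. a dropped letter) are out of scope.

const KNOWN_DOMAINS = ['woocommerce.com', 'wordpress.org']; // assumed legitimate senders

function refang(domain) {
  return domain.trim().toLowerCase().replace(/\[\.\]/g, '.');
}

// NFKD-decompose and drop combining marks, so "commė" becomes "comme".
function skeleton(domain) {
  return domain.normalize('NFKD').replace(/\p{M}/gu, '');
}

// Which scripts appear in the domain? A brand name written in one script
// should not suddenly contain letters from another.
function scriptsUsed(domain) {
  const found = new Set();
  if (/\p{Script=Latin}/u.test(domain)) found.add('Latin');
  if (/\p{Script=Cyrillic}/u.test(domain)) found.add('Cyrillic');
  if (/\p{Script=Greek}/u.test(domain)) found.add('Greek');
  return found;
}

// Punycode form via the URL parser; '' if the domain does not parse at all.
function toAscii(domain) {
  try {
    return new URL('https://' + domain + '/').hostname;
  } catch (e) {
    return '';
  }
}

function analyzeDomain(input) {
  const domain = refang(input);
  const ascii = toAscii(domain);
  const reasons = [];
  if (ascii === '') reasons.push('invalid-domain');
  if (ascii.includes('xn--')) reasons.push('idn-punycode');
  if (scriptsUsed(domain).size > 1) reasons.push('mixed-script');
  const lookalike = KNOWN_DOMAINS.find(k => k !== domain && skeleton(domain) === k);
  if (lookalike) reasons.push('confusable-with:' + lookalike);
  return { domain, ascii, suspicious: reasons.length > 0, reasons };
}

// Constructed samples: the article's lookalike, a Cyrillic-o variant, and the real domain.
for (const d of ['woocommėrce[.]com', 'w\u043e\u043ecommerce.com', 'woocommerce.com']) {
  const r = analyzeDomain(d);
  console.log(r.domain, '->', r.ascii || '(invalid)', r.suspicious ? r.reasons.join(',') : 'ok');
}
```

The punycode form is what actually appears in the TLS certificate and DNS, so when in doubt compare that rather than the rendered Unicode string, which is exactly what the attacker wants the reader to look at.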