
Malicious WordPress database entry, widget steals credit card info


A recently discovered WordPress credit card skimmer malware was found to be hidden as a table entry in a compromised website’s database, making it difficult to detect using traditional methods, Sucuri researchers described in a blog post last week.

The obfuscated JavaScript code was found in the wp_options table, where it was set as the option_value, with the option_name being set to widget_block. An HTML block widget containing the malicious code was then found through the WordPress admin panel under wp-admin > widgets.

This database injection enables the malicious code to exist quietly on the site, going unnoticed by file-scanning security tools, the Sucuri researchers noted. Once this code is in place, it waits for the user to move to a payment process on the site, where it then activates to steal information including credit card numbers, expiration dates, CVV numbers and billing information.

Dynamic WordPress card skimmer uses multiple methods to steal data

The malicious script only activates when it detects that the page URL contains the word “checkout,” while excluding URLs that include the word “cart,” in order to ensure that it only activates when the user expects to submit their payment information.

One method it uses to grab the information is to dynamically create its own fake payment form that imitates trusted payment services like Stripe, according to Sucuri. However, if a legitimate payment form is already present, the script can also capture data entered into the legitimate form fields in real time.

Once the data is collected, it is encoded with a combination of base64 and AES-CBC in order to hide its nature before it is exfiltrated to the attacker’s server. The exfiltration process is completed through the navigator.sendBeacon function, which allows it to be transmitted without interrupting the user’s browsing experience, the Sucuri researchers explained.

Sucuri identified two domains used by the attackers to receive data from the compromised site where the code was located. They also identified two WordPress sites infected with the same code.

How to detect, prevent WordPress database injection

WordPress security scanners can more easily detect malware when it is present in theme files or plugins, while database entries and malicious block widgets may be more difficult to discover. WordPress site administrators can check for and remove this malicious code by navigating to wp-admin > Appearance > Widgets and looking for suspicious Custom HTML block widgets containing <script> tags, the Sucuri blog post explains.
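The same check can be run against exported database rows rather than through the admin panel. The Python sketch below is an added example, not code from Sucuri or from this article: it flags every `<script>` element found in a wp_options value and tags the behaviors described above. The regex patterns, function names and sample rows are assumptions constructed for illustration.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Behaviours named in the article; the patterns are this example's assumptions.
INDICATORS = {
    "checkout_url_gate": re.compile(r"checkout", re.I),
    "send_beacon": re.compile(r"navigator\s*\.\s*sendBeacon", re.I),
    "aes_cbc": re.compile(r"AES-CBC", re.I),
    "base64_call": re.compile(r"\b(?:atob|btoa)\s*\(", re.I),
    # Obfuscated code can hide the strings above, so also flag long encoded runs.
    "long_encoded_run": re.compile(r"[A-Za-z0-9+/=]{200,}|(?:\\x[0-9a-fA-F]{2}){40,}"),
}

def scan_option(option_name, option_value):
    """Return one finding per <script> element in a wp_options value."""
    findings = []
    for match in SCRIPT_RE.finditer(option_value):
        body = match.group(1)
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(body))
        findings.append({
            "option_name": option_name,
            "offset": match.start(),
            "script_length": len(body),
            "indicators": hits,
        })
    return findings

def triage(rows):
    """rows: iterable of (option_name, option_value); most indicators first."""
    findings = [f for name, value in rows for f in scan_option(name, value)]
    return sorted(findings, key=lambda f: len(f["indicators"]), reverse=True)

# Constructed rows, as if exported with:
#   SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'widget_%';
SAMPLE_ROWS = [
    ("widget_text", "<!-- wp:paragraph --><p>Store hours: 9-5</p><!-- /wp:paragraph -->"),
    ("widget_block", '<!-- wp:html --><script>/* inert placeholder */ var gate = "checkout"; '
                     "/* navigator.sendBeacon, AES-CBC */</script><!-- /wp:html -->"),
    ("widget_custom_html", '<script src="https://cdn.example.invalid/chat.js"></script>'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

Because the reported code was obfuscated, an empty indicator list does not clear a widget: any script element in a widget option that the site owner did not add deserves manual review.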

An attacker would first need to compromise the WordPress site to inject the malicious code into the wp_options table, emphasizing the importance of securing WordPress sites against intrusion through vulnerabilities or compromised credentials.

Sucuri recommends regularly updating plugins and themes, which are frequently targeted by attackers in campaigns seeking to hijack sites and steal sensitive information. Deploying a web application firewall (WAF) can also protect WordPress sites from such threats.

WordPress admins should also use strong credentials and two-factor authentication to protect their accounts from unauthorized access to the wp-admin panel.
