Credit card swipers are more often than not found inside online and brick-and-mortar retail point-of-sale systems, but a newer version has been targeting WordPress sites that use the WooCommerce plugin.
WordPress sites using WooCommerce have been attacked before, but not with card swipers. Instead, attackers focused on redirecting payments from the intended recipient to their own bank account. This time around, Sucuri researcher Ben Martin found some malicious JavaScript, tacked on to the end of a string of legitimate code, that collected payment card details, including the number and CVV, in plaintext in the form of a cookie.
“The malware utilizes the file_put_contents function to dump the details into two separate image files (one .png and one .jpg) within the wp-content/uploads directory structure,” Martin said, adding he has only spotted a few instances of this type of attack so far.
At this time Sucuri has not determined exactly how the criminals were able to gain entry to the WordPress site, but the security firm had a few hypotheses: it could be a compromised wp-admin account, SFTP password, hosting password, or some piece of vulnerable software in the environment.
To counter the possibility that entry was made through a compromised account, Martin recommends disabling direct file editing for wp-admin by adding the following line to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true ); Taking this action, however, prevents even admin users from directly editing files from the wp-admin dashboard.
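A defender's check for the two points above, added here as an example and not taken from Sucuri or the original article: it lists .png/.jpg files under an uploads directory that do not start with a real image signature, and tests whether wp-config.php sets DISALLOW_FILE_EDIT. The function names are hypothetical, and the check assumes the dumped data does not itself begin with valid PNG or JPEG magic bytes.

```shell
#!/bin/sh
# Added example (hypothetical helper names): flag image-named files in a
# WordPress uploads tree that are not images, and check the wp-config.php
# hardening line quoted in the article.

# Print the first N bytes of a file as lowercase hex with no separators.
magic_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Usage: find_fake_images /path/to/wp-content/uploads
# Prints one path per line for each .png/.jpg/.jpeg file whose leading bytes
# are not the matching signature (for example, text written by PHP).
find_fake_images() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \) |
    while IFS= read -r f; do
        case "$f" in
            *.[Pp][Nn][Gg])
                # PNG signature: 89 50 4E 47 0D 0A 1A 0A
                [ "$(magic_hex "$f" 8)" = "89504e470d0a1a0a" ] || printf '%s\n' "$f" ;;
            *)
                # JPEG files start with FF D8 FF
                [ "$(magic_hex "$f" 3)" = "ffd8ff" ] || printf '%s\n' "$f" ;;
        esac
    done
}

# Usage: file_edit_disabled /path/to/wp-config.php
# Succeeds only if an uncommented define() sets DISALLOW_FILE_EDIT to true.
file_edit_disabled() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}
```

Any path the first function prints deserves manual review; a clean result does not rule out a compromise, since it only covers this one storage pattern.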