With a growing number of plugins and components that make online payments easy to add, WordPress has become a common e-commerce platform, and attacks on the CMS aimed at stealing personal information and credit card details are accelerating in step. Researchers at Sucuri recently uncovered a case in which a credit card swiper had been injected into WordPress's wp-settings.php file. The only symptom the customer reported was that images were disappearing from the WooCommerce cart almost as soon as they were uploaded.

The injection was easy to miss for three reasons. The include statement was buried deep in wp-settings.php, so a casual review of the file would not catch it. The statement itself matched no known malware pattern, so a scanner looking for specific signatures could pass over it. And the file it pulled in was stored above the site directory, outside the document root, so a cursory scan of the site's own files would never see it. Attackers routinely keep malicious content out of the way: they create directories that look like system directories, or drop their files into existing cPanel or other server directories. Two checks close the gap: compare core files such as wp-settings.php against the official WordPress checksums (for example with `wp core verify-checksums`), and review every include or require in core files whose path leads outside the document root.
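The following triage scanner is an added example, not Sucuri's tooling or WordPress code. It walks a docroot, resolves the common static shapes of PHP include and require statements, and reports any whose target lands outside the document root, which is exactly where the include described above would point. Fully dynamic includes (variables, no literal path) are reported separately for manual review. The sample site, its file names and the hidden directory name are constructed for the demo.

```python
"""Triage scanner for include/require statements in a WordPress docroot.

Added example, not Sucuri's tooling or WordPress code: it reports includes
whose target resolves outside the document root (where a swiper dropped
above the site directory would be pulled from) and includes that are fully
dynamic. The sample site built by build_demo_site() is constructed here.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# One include/require statement per line; the expression is captured up to ';'.
INCLUDE_RE = re.compile(
    r"@?\b(?:include|require)(?:_once)?\b\s*\(?\s*(?P<expr>[^;]+?)\s*\)?\s*;",
    re.IGNORECASE,
)
LITERAL_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")
DIRNAME_FILE_RE = re.compile(r"dirname\s*\(\s*__FILE__\s*\)")


@dataclass
class Finding:
    file: str
    line: int
    statement: str
    target: str   # resolved absolute path, or the raw expression when dynamic
    reason: str   # "outside_docroot" or "dynamic"


def resolve_target(expr, file_dir, docroot):
    """Resolve the common static include shapes to an absolute path.

    Handles 'literal', ABSPATH . '...', __DIR__ . '...' and
    dirname(__FILE__) . '...'. Bare constants such as WPINC are dropped
    (they always point inside ABSPATH), so what comes back is the directory
    the include can reach, which is all the docroot check needs.
    Returns None for a dynamic expression (a variable, or no literal at all).
    """
    if "$" in expr:
        return None
    literals = "".join(a or b for a, b in LITERAL_RE.findall(expr))
    if not literals:
        return None
    if "ABSPATH" in expr:
        base = docroot
    elif "__DIR__" in expr or DIRNAME_FILE_RE.search(expr):
        base = file_dir
    elif os.path.isabs(literals):
        return os.path.realpath(literals)
    else:
        base = file_dir
    return os.path.realpath(os.path.join(base, literals.lstrip("/")))


def scan_file(path, docroot):
    """Return findings for one PHP file (statements split across lines are not joined)."""
    findings = []
    file_dir = os.path.dirname(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in INCLUDE_RE.finditer(line):
                expr = m.group("expr")
                target = resolve_target(expr, file_dir, docroot)
                stmt = m.group(0).strip()
                if target is None:
                    findings.append(Finding(path, lineno, stmt, expr, "dynamic"))
                elif os.path.commonpath([target, docroot]) != docroot:
                    findings.append(Finding(path, lineno, stmt, target, "outside_docroot"))
    return findings


def scan_tree(docroot):
    """Walk every .php file under docroot. The docroot is canonicalised first so a
    symlinked document root compares correctly against realpath'd targets."""
    docroot = os.path.realpath(docroot)
    findings = []
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            if name.endswith(".php"):
                findings.extend(scan_file(os.path.join(root, name), docroot))
    return findings


def build_demo_site():
    """Constructed sample site (not real data): a docroot whose wp-settings.php
    carries two core-looking requires and, a hundred blank lines further down,
    one injected include reaching a file one level above the docroot in a
    directory named to look like server housekeeping."""
    home = tempfile.mkdtemp(prefix="wp-demo-")
    docroot = os.path.join(home, "public_html")
    os.makedirs(os.path.join(docroot, "wp-includes"))
    os.makedirs(os.path.join(home, ".cpanel-cache"))  # hypothetical hiding spot
    with open(os.path.join(docroot, "wp-settings.php"), "w") as fh:
        fh.write("<?php\n")
        fh.write("require( ABSPATH . WPINC . '/load.php' );\n")    # legitimate shape
        fh.write("require( ABSPATH . WPINC . '/plugin.php' );\n")  # legitimate shape
        fh.write("\n" * 100)                                        # the injection is buried
        fh.write("@include(dirname(__FILE__) . '/../.cpanel-cache/.sess.php');\n")
    with open(os.path.join(docroot, "wp-includes", "load.php"), "w") as fh:
        fh.write("<?php\nrequire_once __DIR__ . '/plugin.php';\n")
    with open(os.path.join(home, ".cpanel-cache", ".sess.php"), "w") as fh:
        fh.write("<?php /* the swiper itself would live here */\n")
    return docroot


def demo():
    """Build the sample site and scan it; returns the list of findings."""
    return scan_tree(build_demo_site())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.reason}: {f.file}:{f.line}: {f.statement} -> {f.target}")
```

Run against a real install as `scan_tree("/home/user/public_html")`; the two core-shaped requires resolve inside the docroot and stay silent, while the buried `@include` resolves to a path above it and is reported with its line number. The scanner deliberately ignores what the included file contains, so it is unaffected by the swiper's own obfuscation, and it complements rather than replaces a checksum comparison of the core files.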