Threat actors have been observed using spam files on compromised websites to hide a persistent credit card skimmer and collect payment information.
A sneaky technique Sucuri spotted on the checkout page of e-commerce site Magento allowed the malware to survive multiple cleaning attempts, the company said.
The skimmer is designed to collect all credit card form data on a website and transmit the details to an attacker-controlled domain called “amazon-analytic(.)com”, which was registered in February 2024.
“Note the use of the brand name; this tactic of using popular products and services in domain names is often used by criminals in an attempt to avoid detection.” — Security researcher Matt Morrow said.
This is just one of many evasion techniques used by the threat actor, which also includes using swap files (“bootstrap.php-swapme”) to download malicious code while keeping the original file (“bootstrap.php”) intact and free malware.
“When files are edited directly via SSH, the server will create a temporary swap version in case the editor crashes, preventing the loss of all content,” Morov explained.
“It became clear that the attackers used the swap file to store the malware on the server and evade normal detection methods.”
While it is currently unclear how the initial access was gained in this case, it is suspected that it involved the use of SSH or another terminal session.
The disclosure comes as compromised admin accounts on WordPress sites are being used to install a malicious plugin that pretends to be a legitimate Wordfence plugin, but comes with the ability to create rogue admin users and disable Wordfence, giving the false impression that everything works as expected.
“For a malicious plugin to be hosted on a website, the website would have to have already been compromised — but this malware can certainly serve as a re-infection vector,” security researcher Ben Martin said.
“The malicious code only works on WordPress admin pages whose URL contains the word ‘Wordfence’ (Wordfence plugin configuration pages).”
Site owners are advised to limit the use of common protocols such as FTP, sFTP, and SSH to trusted IP addresses, and to ensure that content management systems and plugins are updated.
Users are also advised to enable two-factor authentication (2FA), use a firewall to block bots, and apply additional wp-config.php security implementation such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.
