A rogue WordPress plugin has been discovered that can create fake administrator users and inject malicious JavaScript to steal credit card information. It is part of a Magecart campaign targeting e-commerce websites. The plugin, disguised as ‘WordPress Cache Addons’, typically gets onto WordPress sites through a compromised admin account or through a security flaw in another installed plugin. Once installed, it copies itself into the mu-plugins (must-use plugins) directory, where WordPress loads it automatically without activation and it does not appear in the regular plugin list in the admin panel. It can also create an admin user and hide that account from the user list to maintain access to the site. The end goal is to inject skimmer code into checkout pages and steal credit card data entered there. The disclosure follows recent warnings about a phishing campaign that tricks users into installing a malicious plugin, with the threat actors using the “RESERVED” status of a CVE identifier as part of the lure.
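A baseline integrity check a defender can run against the mu-plugins directory described above, as an added example that is not part of the original report: because anything in mu-plugins is loaded without activation, any file not in a known-good manifest is a finding. The WordPress root layout, file names and contents here are constructed for the demo.

```python
"""Audit wp-content/mu-plugins against a manifest of known-good file hashes."""
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_mu_plugins(wp_root, baseline):
    """Compare every file under wp-content/mu-plugins with `baseline`
    ({relative_path: sha256}). Returns {relative_path: status} where
    status is 'new' (not in baseline), 'modified' (hash differs) or
    'missing' (in baseline but gone from disk). Empty dict means clean."""
    mu_dir = os.path.join(wp_root, "wp-content", "mu-plugins")
    findings, seen = {}, set()
    if os.path.isdir(mu_dir):
        for dirpath, _, files in os.walk(mu_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, mu_dir).replace(os.sep, "/")
                seen.add(rel)
                if rel not in baseline:
                    findings[rel] = "new"
                elif baseline[rel] != sha256_file(full):
                    findings[rel] = "modified"
    for rel in baseline:
        if rel not in seen:
            findings[rel] = "missing"
    return findings

def build_demo():
    """Constructed sample tree (assumption, not a real site): one legitimate
    must-use plugin recorded in the baseline, plus a dropped file that the
    site owner never installed."""
    root = tempfile.mkdtemp()
    mu = os.path.join(root, "wp-content", "mu-plugins")
    os.makedirs(mu)
    good = "<?php // site-loader.php: legitimate must-use plugin\n"
    with open(os.path.join(mu, "site-loader.php"), "w") as f:
        f.write(good)
    with open(os.path.join(mu, "cache-addons.php"), "w") as f:
        f.write("<?php // unexpected file: not in the baseline\n")
    baseline = {"site-loader.php": hashlib.sha256(good.encode()).hexdigest()}
    return root, baseline
```

Record the baseline right after a clean install or a verified cleanup, and run the audit from cron or a file-integrity monitor; a hidden admin account is checked separately against the users table, which this script does not cover.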
Another Magecart campaign has been discovered that uses the WebSocket protocol to deliver skimmer code to online storefronts, triggered by a fake “Complete Order” button.

Europol’s report highlights digital skimming as a persistent threat leading to credit card data theft, resale, and misuse. The shift from front-end to back-end malware has made detection more difficult. Europol has notified 443 online merchants that their customers’ credit card data was compromised by skimming attacks. Group-IB detected 23 families of JS-sniffers used against companies in 17 countries, with a total of 132 JS-sniffer families known to have compromised websites worldwide by the end of 2023.

Additionally, bogus ads promoting a cryptocurrency drainer named MS Drainer have been found on Google Search and Twitter. This has resulted in an estimated loss of $58.98 million from 63,210 victims since March 2023, via a network of 10,072 phishing websites.