Adversaries have been spotted employing swap files on compromised websites to hide a cunning credit card skimmer and collect payment information.
The covert technique, detected by Sucuri on a checkout page of a Magento e-commerce site, enabled the malicious software to persist through numerous cleanup efforts, according to the company’s statement.
The skimmer is crafted to gather all the information entered into the credit card form on the website and transfer the details to a domain under the control of the attacker named “amazon-analytic[.]com,” which was registered in February 2024.
“Notice the utilization of the brand name; this strategy of using well-known products and services in domain names is frequently adopted by malicious actors in an effort to avoid being detected,” security researcher Matt Morrow noted.

This is merely one of numerous methods employed by the threat actor to evade detection, including the use of swap files (“bootstrap.php-swapme”) to inject the malicious code while leaving the original file (“bootstrap.php”) itself free of any malware.
“When files are directly modified through SSH, the server generates a temporary ‘swap’ version as a precaution in case the editor crashes, essentially preventing the loss of the entire content,” elucidated Morrow.
“It was apparent that the attackers were utilizing a swap file to maintain the presence of the malware on the server and circumvent conventional detection measures.”
Although it remains unclear how the initial access was gained in this instance, it is suspected to have involved the use of SSH or an alternative terminal session.
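Since the injected code lived in an editor swap file rather than in the file integrity checks would normally inspect, one defensive response is to sweep the web root for swap and backup leftovers that contain PHP and compare each with the file it was derived from. The following script is an added example written for this article, not Sucuri's tooling; the filename patterns and the sample tree are constructed, with only the “-swapme” suffix taken from the case above.

```python
import os
import re
# Editor swap/backup name shapes plus the "-swapme" suffix reported in the Sucuri case.
SWAP_NAME = re.compile(r"^(\..*\.sw[a-p]|.*(~|-swapme|\.(bak|orig|save)))$")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # open tag: live code if the server includes it

def is_swap_name(filename):
    return SWAP_NAME.match(filename) is not None

def original_name(filename):
    """Best-effort guess at the file the swap/backup name was derived from."""
    m = re.match(r"^\.(.*)\.sw[a-p]$", filename)  # vim: .bootstrap.php.swp -> bootstrap.php
    return m.group(1) if m else re.sub(r"(~|-swapme|\.(bak|orig|save))$", "", filename)

def triage(entries):
    """entries maps path -> bytes; returns (path, reason) for swap files holding PHP."""
    findings = []
    for path, data in sorted(entries.items()):
        name = os.path.basename(path)
        if not is_swap_name(name) or PHP_TAG.search(data) is None:
            continue
        orig = entries.get(os.path.join(os.path.dirname(path), original_name(name)))
        if orig == data:
            reason = "stale backup identical to original (remove it)"
        else:
            reason = "PHP in swap/backup file whose original is missing or differs (review it)"
        findings.append((path, reason))
    return findings

def scan_tree(root):
    """Walk a web root, loading swap candidates and their guessed originals (first 1 MiB each)."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for f in filter(is_swap_name, files):
            for p in (os.path.join(dirpath, f), os.path.join(dirpath, original_name(f))):
                if os.path.isfile(p):
                    with open(p, "rb") as fh:
                        entries[p] = fh.read(1 << 20)
    return triage(entries)

# Constructed sample tree (not a real capture); on a live host call scan_tree("/var/www/html").
SAMPLE_TREE = {
    "app/bootstrap.php": b"<?php\nrequire __DIR__ . '/autoload.php';\n",
    "app/bootstrap.php-swapme": b"<?php /* constructed stand-in for injected code */ echo 1;\n",
    "app/bootstrap.php~": b"<?php\nrequire __DIR__ . '/autoload.php';\n",
    "pub/notes.txt~": b"todo: rotate keys\n",
}
if __name__ == "__main__":
    for path, reason in triage(SAMPLE_TREE):
        print(f"{path}: {reason}")
```

A hit whose content differs from its original is the case described in the article and should be treated as live code until proven otherwise; identical stale backups are merely clutter to remove.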
The disclosure comes as compromised administrator accounts on WordPress sites are being used to install a malicious plugin that masquerades as the legitimate Wordfence plugin but is able to create unauthorized administrative users, deactivate Wordfence, and give the false impression that everything is functioning normally.
“For the malicious plugin to have been inserted on the website initially, the site must have already been compromised — nevertheless, this malware could certainly serve as a means of reinfection,” security researcher Ben Martin noted.
“The malicious code exclusively functions on pages within the WordPress admin interface containing the term ‘Wordfence’ in their URLs (Wordfence plugin configuration pages).”
Website owners are urged to restrict the use of common protocols like FTP, SFTP, and SSH to trusted IP addresses, and to ensure that their content management systems and plugins are kept up to date.
Users are also advised to activate two-factor authentication (2FA), implement a firewall to block automated programs, and enforce additional wp-config.php security configurations such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.
