Threat actors have been observed using swap files on compromised websites to conceal a persistent credit card skimmer and harvest payment information.
The technique, observed by Sucuri on the checkout page of a Magento e-commerce site, allowed the malware to survive multiple cleanup attempts, the company said.
The skimmer is designed to capture all of the data entered into the credit card form on the site and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024.
“Observe the utilization of the brand name; this strategy of leveraging trendy products and services in domain titles is regularly used by malicious individuals in an effort to avoid detection,” cybersecurity analyst Matt Morrow stated.

This is just one of several methods the threat actor used to evade defenses, including the use of swap files ("bootstrap.php-swapme") to inject the malicious code while leaving the original file ("bootstrap.php") uninfected and clean.
"When files are modified directly via SSH, the server generates a temporary 'swap' version as a precaution in case the editor crashes, which prevents the loss of the entire content," Morrow explained.
"It became clear that the attackers were leveraging a swap file to retain the malware on the server and avoid standard detection methods."
While the initial access vector in this case is currently unknown, it is believed to have involved SSH or another terminal session.
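A defender's check for the persistence trick described above, added here as an example and not code from Sucuri or the report: it walks a web root for leftover swap/backup copies of PHP files (the "-swapme" suffix is the one reported; the other suffixes are an assumption) and flags any PHP file whose string literals name one of them. The sample site tree, including the "loader.php" file that pulls in the swap file, is constructed for the demo, since the report does not say how the swap file was loaded.

```python
import os
import re
import tempfile

# "-swapme" is from the Sucuri report; the rest are assumed common editor/backup leftovers.
SWAP_SUFFIXES = ("-swapme", ".swp", ".swo", "~", ".bak", ".orig")
STRING_RE = re.compile(r"['\"]([^'\"\n]+)['\"]")

def find_swap_files(root):
    """Paths of files that look like swap/backup copies of PHP sources."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            for suf in SWAP_SUFFIXES:
                if name.endswith(suf) and name[:-len(suf)].endswith(".php"):
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def find_references(root, swap_paths):
    """(php_file, literal) pairs where a PHP file names a swap file. Any string
    literal counts, since include paths are often built by concatenation."""
    swap_names = {os.path.basename(p) for p in swap_paths}
    refs = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lit in STRING_RE.findall(fh.read()):
                    if os.path.basename(lit) in swap_names:
                        refs.append((path, lit))
    return sorted(refs)

def build_sample_site():
    """Constructed tree mimicking the reported layout. The loader file and all
    file contents are invented for the demo, not taken from the report."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")
    os.makedirs(app)
    files = {
        "bootstrap.php": "<?php\n// clean original, left untouched\n",
        "bootstrap.php-swapme": "<?php\n// stand-in for the injected code\n",
        "loader.php": "<?php\nrequire __DIR__ . '/bootstrap.php-swapme';\n",
        "index.php": "<?php\nrequire 'bootstrap.php';\n",
    }
    for name, body in files.items():
        with open(os.path.join(app, name), "w") as fh:
            fh.write(body)
    return root
```

Run `find_references(site, find_swap_files(site))` against a real document root; a clean site should return an empty list for both calls.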
The disclosure comes as compromised administrator accounts on WordPress sites are being used to deploy a fake plugin that masquerades as the legitimate Wordfence plugin but can create rogue admin users and disable Wordfence while giving the impression that everything is working as expected.
“For the harmful plugin to have been positioned on the site initially, the site would have already been compromised — this malware could absolutely function as a reinfection avenue,” cybersecurity analyst Ben Martin remarked.
“The harmful code exclusively functions on WordPress admin interface pages containing the term ‘Wordfence’ in their URLs (Wordfence plugin configuration pages).”
Website owners are advised to restrict common protocols such as FTP, sFTP, and SSH to trusted IP addresses only, and to ensure that the content management system and its plugins are kept up to date.
Users are also encouraged to enable two-factor authentication (2FA), deploy a firewall to block bots, and apply additional wp-config.php hardening settings such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.
