Credit Card Skimming via WordPress

May 29 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s hacked off with cyber-insecurity and is MAD AS HELL AND ISN’T GONNA TAKE IT ANYMORE 😈😈😈

Today’s hottest cybersecurity news stories:

  • 🗞️ WordPressed plugin hijacked for ecommerce credit card data 💳

  • 🐱 CatDDoS Botnet & DNSBomb DDoS attacks: Meow do they work ❓

  • 🌐 Industrial Control Systems (ICS) shook by latest Ransomhub attacks ⚔️

WordPressed and CreditCrunched 💀💀💀

Credit Card Snl GIF by Saturday Night Live

Gif by snl on Giphy

🚨 WordPress Plugin Alert: Credit Card Skimming 💳

Unknown threat actors are exploiting WordPress code snippet plugins to inject malicious PHP code into sites, stealing credit card data.

Plugin in Focus 🔍

  • Affected Plugin: Dessky Snippets

  • Active Installations: Over 200

  • First Observed: May 11, 2024, by Sucuri

Attack Method ⚙️

The attackers leverage vulnerabilities in WordPress plugins or use easily guessable credentials to gain admin access. They then insert a server-side PHP credit card skimmer into the Dessky Snippets plugin, targeting WooCommerce checkout processes.

How It Works 🛠️

The malicious code, saved in the dnsp_settings option of the WordPress wp_options table, modifies the billing form to capture credit card details:

  • Data Captured: Names, addresses, credit card numbers, expiry dates, and CVV numbers

  • Data Exfiltration URL: hxxps://2of[.]cc/wp-content/

  • Form Manipulation: Adds new fields and disables the autocomplete feature to avoid browser warnings and ensure fields appear necessary.

Previous Similar Attacks 🗂️

This isn't the first time code snippet plugins have been abused:

WPCode Plugin: Used to inject malicious JavaScript and redirect visitors to VexTrio domains.

Simple Custom CSS and JS Plugin: Used in the Sign1 malware campaign, redirecting users from over 39,000 sites to scam pages.

Top Tips 🛡️

  • Update Regularly: Keep WordPress sites and plugins up-to-date.

  • Strong Passwords: Use robust passwords to prevent brute-force attacks.

  • Regular Audits: Check sites frequently for malware or unauthorised changes.

Stay vigilant and secure your WordPress sites against these evolving threats!

Hackers: Can we bot it? DDS we can 😬😬😬

🚨 CatDDoS Botnet Exploits Over 80 Flaws ⚠️

The CatDDoS malware botnet has exploited over 80 security vulnerabilities in various software over the past three months, turning vulnerable devices into a botnet for DDoS attacks.

Attack Details 🕵️

  • Active Period: Last three months.

  • Vulnerable Devices: Routers, networking gear, and other devices from vendors like Apache, Cisco, D-Link, DrayTek, Huawei, NETGEAR, Seagate, SonicWall, TP-Link, ZTE, Zyxel, and more.

  • Targets: Up to 300+ per day.

Botnet Capabilities ⚙️

First documented in late 2023, CatDDoS is a Mirai botnet variant capable of DDoS attacks using UDP, TCP, and other methods. It encrypts communications using the ChaCha20 algorithm and uses OpenNIC domains for C2 to evade detection.

Global Impact 🌐

Primary targets are in China, followed by the U.S., Japan, Singapore, France, Canada, the U.K., Bulgaria, Germany, the Netherlands, and India. Affected sectors include cloud services, education, scientific research, public administration, and more.

Botnet Evolution 🔄

The malware emerged in August 2023, with cat-related references like "catddos.pirate" and "password_meow" for C2 domains. After the original authors shut down operations in December 2023, the source code was sold, leading to new variants like RebirthLTD, Komaru, and Cecilio Network.

New DDoS Technique: DNSBomb 💣

Researchers have unveiled a potent "pulsing" DDoS attack called DNSBomb (CVE-2024-33655), which exploits DNS features to amplify attacks by 20,000x. This technique uses IP-spoofing and timed bursts of DNS responses to overwhelm systems.

Key Findings from DNSBomb 📊

  • Amplification Factor: 20,000x.

  • Attack Method: Aggregates DNS queries into large bursts of responses.

  • Vulnerable Systems: Targeted via maliciously designed authority and vulnerable recursive resolvers.

The attack strategy involves spoofing DNS queries and withholding responses to aggregate multiple replies, creating periodic bursts of amplified traffic that are hard to detect.

Mitigations and Recommendations 💡

The Internet Systems Consortium (ISC) confirms that the BIND software suite is not vulnerable to DNSBomb. Existing mitigations are effective against such attacks.

Top Tips 🛡️

  • Regular Updates: Keep all software and devices up-to-date.

  • Monitor Traffic: Watch for unusual traffic patterns.

  • Strengthen Security: Use robust security measures and protocols to defend against potential exploits.

Stay vigilant and safeguard your systems against these evolving threats!

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with! 🌟 Simples! 🦦 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

What’s this ransomwarehubbub?? 🙃🙃🙃

🚨 Ransomhub Ransomware Attack on Spanish Bioenergy Plant ⚡

A ransomware attack by the Ransomhub group has compromised the Industrial Control Systems (ICS) of a Spanish bioenergy plant, highlighting the critical vulnerabilities of such systems to cyberattacks.

Attack Overview 🕵️

  • Target: Supervisory Control and Data Acquisition (SCADA) system at the Spanish facility.

  • Impact: Over 400 GB of data encrypted and persistent control over SCADA systems.

Ransomhub's Modus Operandi ⚙️

The Ransomhub group emerged as a Ransomware-as-a-Service (RaaS) in February 2024. Their operations involve:

  • Data Encryption: Encrypting vital data.

  • SCADA Disruption: Leveraging access to disrupt essential functions.

  • Target Sectors: Predominantly IT & ITES in the United States.

Strategic Shift to ICS Targets 🎯

  • Recruitment and Affiliations: Aggressive recruitment of affiliates and alliances with Initial Access Brokers (IABs) on Russian-language forums.

  • Focus on OT Environments: Exploiting vulnerabilities in Operational Technology (OT) environments for maximum impact.

Recommendations for ICS Security 🛡️

The Ransomhub attack underscores the urgent need for robust cybersecurity measures. Key recommendations include:

  • Network Segmentation: Implement robust network segmentation to limit exposure to external threats.

  • Patch Management: Ensure regular software updates and patch management protocols.

  • Secure Remote Access: Utilise Virtual Private Networks (VPNs) for secure remote access and monitor network logs diligently.

  • Asset Management: Maintain detailed inventories of OT/IT assets and deploy continuous monitoring solutions.

  •  Incident Response Plans: Develop and regularly test incident response plans to minimise downtime and data loss during an attack.

Key Findings from CRIL's Investigation 📊

  • Origins: Ransomhub emerged in February 2024.

  • Encryption Techniques: Uses sophisticated encryption techniques.

  • Notoriety: Quickly gained notoriety in cybercrime forums.

  • Targets: Focuses on IT & ITES sectors, mainly in the U.S.

  • Affiliations: Has ties with IABs on Russian-language forums, indicating a sophisticated network for obtaining compromised access.

Global Impact 🌐

  • Major Targets: Besides Spain, Ransomhub's ransomware campaigns have impacted various sectors in the U.S. and beyond.

  • Sector Focus: IT & ITES sectors are primary targets, but the shift towards ICS environments indicates broader ambitions.

Top Tips 🛡️

To safeguard ICS environments from ransomware attacks, organisations must:

  • Enhance Security Posture: Implement proactive security measures and heighten awareness.

  • Early Detection: Invest in early detection and response mechanisms.

  • Protect Critical Infrastructure: Focus on protecting critical infrastructure from online cyber threats.

The incident involving Ransomhub is a stark reminder of the escalating risks faced by ICS environments. Proactive cybersecurity measures are essential to mitigate these threats and protect vital infrastructure from cyberattacks.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles