Dessky Snippets WordPress plugin exploited for card skimming


Heads up, WordPress administrators. If you use the Dessky Snippets plugin in your WordPress e-stores, scan your sites for possible malicious code. Criminal hackers have lately been abusing the Dessky Snippets plugin to deploy web skimmers and steal payment information.

Dessky Snippets plugin is misused to deploy Card Skimming malware

According to a recent post from Sucuri, researchers found a serious security issue involving the WordPress plugin Dessky Snippets. Although the issue does not typically affect the plugin’s structure, threat actors could exploit it maliciously.

As observed, hackers have abused the Dessky Snippets plugin to deploy card-skimming malware on target websites and steal payment information.

Dessky Snippets is a lightweight WordPress plugin that allows administrators to add custom PHP code without using the functions.php file. According to its page, the plugin is relatively new in the field of WP plugins, with only over 200 installations.

With so few installations, the plugin doesn’t seem lucrative for carrying out large-scale attacks on WordPress sites. However, it appears that the threat actors abusing this plugin weren’t really concerned about spreading their reach. Instead, they seemed more interested in staying under the radar for a long time.

Sucuri researchers noticed the plugin’s misuse on May 11, 2024, alongside a concurrent increase in downloads, and dug deeper. By analyzing the plugin code, they uncovered hidden web-skimming malware. As the researchers stated:

This malicious code is stored in the dnsp_settings option in WordPress wp_options table and is designed to change the checkout process in WooCommerce by manipulating the invoice form and injecting its own code.

Upon further analysis, the researchers discovered two parts to the malware: one with a generic name and a fake function, twentytwenty_get_post_logos(), and the other the culprit that actually steals the data. The seemingly fake function serves as a hook for woocommerce_after_checkout_billing_form and adds more fields to the checkout form to collect payment card details (which would otherwise appear on the next page). After obtaining the desired data, the code exports it all to a third-party URL.


To evade detection, the fake checkout overlay has the autofill feature disabled, which prevents browsers from generating warnings about entering sensitive information.
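A defender-side check built from the indicators described above, as an added example that is not Sucuri's or the plugin's own code: it scans the text of the dnsp_settings option (for instance the output of `wp option get dnsp_settings`) for the checkout hook, the fake function name and card-style inputs with autofill disabled. The sample snippets are constructed, and the card-field name pattern and the verdict labels are assumptions.

```python
import re

# Indicators named in the article; the card-field name pattern is an assumption.
INDICATORS = {
    "checkout_hook": re.compile(r"woocommerce_after_checkout_billing_form"),
    "fake_function": re.compile(r"twentytwenty_get_post_logos"),
    "autofill_disabled": re.compile(r"autocomplete\s*=\s*\\?[\"']?off", re.I),
    "card_field": re.compile(
        r"name\s*=\s*\\?[\"'][^\"']*(card|cc_?num|cvv|cvc|expir)", re.I),
}

def scan_option_value(value):
    """Return the indicators found in a stored snippet and a triage verdict."""
    findings = sorted(n for n, rx in INDICATORS.items() if rx.search(value))
    form_tamper = "autofill_disabled" in findings or "card_field" in findings
    if "fake_function" in findings or ("checkout_hook" in findings and form_tamper):
        verdict = "skimmer-pattern"
    elif findings:
        # A legitimate snippet may also hook the billing form, so a lone
        # indicator is queued for manual review rather than flagged outright.
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}

# Constructed samples (inert fragments, not taken from a real site).
SUSPICIOUS = """
add_action('woocommerce_after_checkout_billing_form', 'twentytwenty_get_post_logos');
function twentytwenty_get_post_logos() {
    echo '<input type="text" name="card_number" autocomplete="off">';
}
"""
LEGIT_HOOK = """
add_action('woocommerce_after_checkout_billing_form', 'shop_vat_notice');
function shop_vat_notice() { echo '<p>VAT is included in all prices.</p>'; }
"""
CLEAN = "add_filter('excerpt_length', function () { return 30; });"

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS),
                          ("legit_hook", LEGIT_HOOK),
                          ("clean", CLEAN)):
        print(label, scan_option_value(sample))
```

A "review" verdict means a person should read the stored snippet; the patterns only match the traits this article describes and will miss a renamed or obfuscated variant.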

Keep your sites safe with precautions

Although the exploitation of WordPress plugins, as is the case with the Dessky Snippets plugin, seems inevitable, users can still avoid the threats to a large extent by implementing security best practices.

Sucuri advises users to keep their sites up to date with the latest plugin releases, only integrate third-party scripts from trusted sources, set strong passwords for all accounts, implement web application firewalls (WAF), and perform regular site scans to check for malicious code.

Likewise, users visiting e-stores should also ensure the authenticity of the site and pay attention to any subtle changes in the site’s layout related to their payment information. Additionally, keeping an eye on bank statements and credit reports can also help detect malicious activity in a timely manner and prevent potential damage.

Let us know your thoughts in the comments.
