
Credit card stealer found implanted in random plugins

Stealing credit card details online often doesn’t take a great deal of sophistication, so it’s no surprise it remains the favoured approach of many a cybercriminal. In many cases, cybercriminals don’t even need to resort to phishing or any other type of popular scam – they can just go right ahead and steal your details from places you legitimately use them.

Recently, researchers from cloud security provider Sucuri discovered an active campaign exploiting WordPress plugins on e-commerce platforms to steal credit card details from unwitting customers.

Sucuri said the issue – which it covers in detail in this blog post – saw hackers looking to infect WordPress plugins with malware and other programs as a means of harvesting customer credit card details. Sucuri said it became aware of the issue after an e-commerce platform got in touch for help after several customers complained to them about “unauthorised activity” on their cards.

The security firm found that the malware was not running as a script on infected web pages, as is often the case, but inside plugins within the website’s backend. Because the malicious code itself looked harmless, an enormous number of businesses and their customers could potentially have been at risk for a significant amount of time. It was only upon thorough inspection that Sucuri’s team was able to identify the malicious code.

In its blog discussing the issue, Sucuri said: “Most credit card skimmers that we come across are heavily encoded and use complicated obfuscation techniques and are usually fairly easy to spot once you see them. Not so in this case. All we see here is what appears to be normal plugin code referencing thumbnails and comments.”

What can consumers do to stay safe?

Due to the nature of the malware used in these campaigns, it’s unlikely you can do anything to prevent your details from being stolen in the first place.

This means that you need to ensure that your second lines of defence are in order. Ensure you set up some form of two-factor authentication (2FA) for your cards, such as receiving one-time passcodes whenever you want to use them online. This may seem annoying at first, but spending a few seconds getting a passcode from your phone is better than 45 minutes on the phone to your card provider going through your transactions and dealing with potential fraud!

