
Credit card information targeted by malicious WordPress plugin

New Magecart attacks involve the deployment of a malicious WordPress plugin that enables fraudulent admin user creation and credit card data exfiltration on e-commerce websites, The Hacker News reports.

After being installed through either a compromised admin user or exploitation of a plugin bug, the new plugin, which purports to be "WordPress Cache Addons," copies itself to the must-use plugins, or mu-plugins, directory to evade detection, creates and conceals admin user accounts, distributes the credit card-stealing backdoor, and facilitates data exfiltration, according to a Sucuri report.

"Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they've needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess," said Sucuri security researcher Ben Martin.

The report on the fraudulent WordPress plugin follows the company's discovery of a fake WordPress patch that sought to enable persistent remote access.
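A site owner can check for the mu-plugins persistence described above with a small audit script. The following is an added example, not code from Sucuri or SC Media: it flags PHP files in `wp-content/mu-plugins` that are not on an approved list or that duplicate a regular plugin by content hash or `Plugin Name` header. The file names, the approved list, and the assumption that the copy keeps the same bytes or header are constructed for illustration.

```python
import hashlib, re, shutil, tempfile
from pathlib import Path

# WordPress reads plugin headers from the first 8 KiB of a file.
HEADER_RE = re.compile(rb"Plugin Name:[ \t]*([^\r\n]+)", re.IGNORECASE)

def plugin_name(path):
    m = HEADER_RE.search(path.read_bytes()[:8192])
    return m.group(1).decode("utf-8", "replace").strip().lower() if m else None

def audit_mu_plugins(wp_content, approved=()):
    """Return [(relative path, [reasons])] for suspicious PHP files in mu-plugins."""
    root = Path(wp_content)
    plugins, mu = root / "plugins", root / "mu-plugins"
    by_hash, by_name = {}, {}
    for f in (sorted(plugins.rglob("*.php")) if plugins.is_dir() else []):
        by_hash[hashlib.sha256(f.read_bytes()).hexdigest()] = f
        if (name := plugin_name(f)):
            by_name[name] = f
    findings = []
    for f in (sorted(mu.rglob("*.php")) if mu.is_dir() else []):
        rel, reasons = f.relative_to(mu).as_posix(), []
        if rel not in approved:
            reasons.append("not on the approved mu-plugins list")
        twin = by_hash.get(hashlib.sha256(f.read_bytes()).hexdigest())
        if twin:  # assumption: a self-replicated copy keeps the same bytes
            reasons.append(f"byte-identical to plugins/{twin.relative_to(plugins).as_posix()}")
        name = plugin_name(f)
        if name in by_name:
            reasons.append(f"same Plugin Name header as plugins/{by_name[name].relative_to(plugins).as_posix()}")
        if reasons:
            findings.append((rel, reasons))
    return findings

def demo():
    """Build a constructed wp-content tree of harmless stand-in files and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp, "wp-content")
        (wp / "plugins" / "wp-cache-addons").mkdir(parents=True)
        (wp / "mu-plugins").mkdir()
        src = wp / "plugins" / "wp-cache-addons" / "wp-cache-addons.php"
        src.write_text("<?php\n/*\nPlugin Name: WordPress Cache Addons\n*/\n")
        shutil.copy(src, wp / "mu-plugins" / "wp-cache-addons.php")
        (wp / "mu-plugins" / "site-tweaks.php").write_text("<?php\n// Plugin Name: Site Tweaks\n")
        return audit_mu_plugins(wp, approved={"site-tweaks.php"})

if __name__ == "__main__":
    print(demo())
```

Files in mu-plugins load automatically and do not appear in the regular plugins list, so a finding here warrants manual review of the file and of the site's administrator accounts.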
