Hackread reports that WordPress sites have been targeted with a WordPress Core plugin-spoofing malware operation that has been exfiltrating user credentials and credit card details since September 2023.
Attackers have injected various iterations of the malware into checkout screens as part of the campaign, with more recent versions not only copying Cloudflare security checks and establishing counterfeit payment forms but also featuring Google Ads tampering and WordPress login info theft capabilities, according to a Wordfence report. "One sample inspected also included a surprisingly complete fake human verification challenge, dynamically injected as a fullscreen and multi-language screen, intended to serve both as a user deception device and as an anti-bot filter," said Wordfence researcher Paolo Tresso. Website admins have been urged to monitor attacker-linked domain names, including 'api-service-188910982.website' and 'graphiccloudcontent.com', as well as be vigilant of provided detection signatures to mitigate the threat.
Attackers have injected various iterations of the malware into checkout screens as part of the campaign, with more recent versions not only copying Cloudflare security checks and establishing counterfeit payment forms but also featuring Google Ads tampering and WordPress login info theft capabilities, according to a Wordfence report. "One sample inspected also included a surprisingly complete fake human verification challenge, dynamically injected as a fullscreen and multi-language screen, intended to serve both as a user deception device and as an anti-bot filter," said Wordfence researcher Paolo Tresso. Website admins have been urged to monitor attacker-linked domain names, including 'api-service-188910982.website' and 'graphiccloudcontent.com', as well as be vigilant of provided detection signatures to mitigate the threat.
