In 2020, we doubled our research efforts to report on many of the new attacks and hacks that we see in the wild. We believe that being informed is a big part of having a good website security posture.
Sucuri Labs provides website malware research updates directly from our teams on the front line. Our Labs Notes are usually shorter than blog posts and they focus on a highly technical audience.
This month, our Malware Research and Incident Response teams wrote about a wide variety of topics, ranging from a COVID-19 phishing lure to Magento credit card skimmers.
Face Mask Spam Links Injected in WordPress Database
by Luke Leal
WordPress websites have been used in web spam campaigns targeting coronavirus search trends. Users are redirected to spam websites.
This spam campaign has been exploiting the increased search volume for COVID-19 keywords and face masks. The spam links were injected into the widgets entries stored in the wp_options database table.
Fake License.txt File Loaded Through PHP Include
by Luke Leal
A malicious file named license.txt, named that way to deceive the webmaster, was found loaded through a PHP include on a WordPress website.
The injected code redirected visitors to a malicious website. One way to spot these attacks is by monitoring your website files daily.
Phishing with a COVID-19 Lure
by Luke Leal
A phishing lure campaign uses COVID-19 keywords to trick victims into revealing sensitive information.
This was a malicious email campaign which targeted employees of a company by impersonating an IT help desk. Under the pretense of a staff portal, victims were pulled into a scam.
Spl_autoload Backdoor
Hackers created malware that allows them to upload temporary backdoor files and execute them using the spl_autoload function.
Even though this function is used to avoid malware scanners, the rest of the code would probably not go unnoticed.
Magento JavaScript Skimmer Targets Tarjetas de Crédito
by Luke Leal
A suspicious payment card form was showing up on a Magento ecommerce website.
Our researchers found out that a JavaScript injection was using a .click() event to display malicious forms on compromised Magento sites to steal credit card details.
Fake M-Shield WordPress Plugin
Our website security analyst describes fake WordPress plugins that hackers install on compromised sites in order to keep their backdoors and web shells in place.
Even if webmasters delete the backdoors, the malicious plugins recreate them every time someone visits any page of the infected WordPress site.
Web Skimmer With a Domain Name Generator – Follow Up
Our malware researcher provides an update on the Magento web skimmer campaign that uses a dynamic domain name generating algorithm.
Another variation of that malware was found, with a set of domains pre-registered for use from March through December.
WordPress Admin Login Stealer
A WordPress admin login stealer was found injected into wp-login.php on a WordPress website.
The WordPress login stealer intercepts credentials and sends them to attackers. This WordPress malware and its variants have been distributed and used on several websites for over a year.
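Several of the notes above come down to the same defensive check: watch core files such as wp-login.php for unexpected changes, and flag PHP that includes non-PHP files (the fake license.txt) or calls spl_autoload. The script below is an added example, not code from Sucuri or any of the notes; the file contents it scans are constructed samples, and the pattern names and helper functions are my own.

```python
import hashlib
import re

# Constructed sample site tree: one core file and two injections of the kinds
# described above (an include of license.txt, and an spl_autoload-based loader).
SAMPLE_FILES = {
    "wp-login.php": "<?php\nrequire __DIR__ . '/wp-load.php';\n",
    "wp-content/themes/demo/functions.php": "<?php\ninclude 'license.txt';\n",
    "wp-content/uploads/cache.php": "<?php\nspl_autoload_register('_ld');\n",
}

# Hypothetical detection rules tied to the techniques in the notes above.
SUSPICIOUS_PATTERNS = {
    # include/require of a file whose extension is not .php (e.g. license.txt)
    "include_of_non_php_file": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]+\.(?:txt|jpg|png|ico)['\"]",
        re.I),
    # any use of the spl_autoload family as a code loader
    "spl_autoload_usage": re.compile(r"\bspl_autoload(?:_register|_call)?\s*\(", re.I),
}

def scan_php_source(path, source):
    """Return (path, rule_name) for every rule that matches this file's source."""
    return [(path, name) for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(source)]

def hash_tree(files):
    """Map each path to the SHA-256 of its contents (the integrity baseline)."""
    return {p: hashlib.sha256(s.encode()).hexdigest() for p, s in files.items()}

def diff_baseline(baseline, current):
    """Paths that are new or whose hash differs from the stored baseline."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def audit(baseline, files):
    """Daily check: integrity diff plus content scan, returned as one report."""
    report = {"changed": diff_baseline(baseline, hash_tree(files)), "findings": []}
    for path, source in files.items():
        report["findings"].extend(scan_php_source(path, source))
    return report

if __name__ == "__main__":
    # Baseline taken when only the clean core file existed.
    clean_baseline = hash_tree({"wp-login.php": SAMPLE_FILES["wp-login.php"]})
    for key, value in audit(clean_baseline, SAMPLE_FILES).items():
        print(key, value)
```

Run it on a real install by replacing SAMPLE_FILES with a walk of the document root and persisting the baseline from hash_tree outside the web root.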