Threat actors have been observed using swap files on compromised websites to hide a persistent credit card skimmer and harvest payment information.
According to Sucuri, the technique was found on the checkout page of an e-commerce site running Magento, and it allowed the malware to survive multiple removal attempts.
The skimmer captures all credit card data entered into the site’s checkout form and sends it to an attacker-controlled domain, “amazon-analytic[.]com,” which was registered in February 2024.
Security researcher Matt Morrow noted that using the names of well-known products and services in domain names is a common tactic among malicious actors to avoid detection, and that brand names are relied on for exactly this purpose.
Using a swap file (“bootstrap.php-swapme”) to load the malicious code while leaving the original file clean and intact is just one of several defense evasion techniques the adversary employed.
Morrow explained that when files are edited over SSH, the server creates a temporary “swap” version so that the full contents are not lost if the editor crashes.
The attackers, it turned out, were using a swap file to keep the malware on the server and evade conventional detection methods.
How initial access was obtained in this case is not yet known, though SSH or another terminal session is suspected.
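Editor swap and backup files have no business sitting in a production web root, so a simple scan for such artifacts next to application PHP files gives defenders a cheap check for the persistence trick described above. The following scanner is an added example and is not Sucuri's code; the editor naming patterns it knows (vim, emacs, nano, tilde backups) and the sample directory tree it builds are assumptions constructed for the demonstration, with the “-swapme” suffix taken from the case above. It also reports whether each artifact carries a PHP open tag, since a swap file that contains executable code is far more suspicious than a stale binary swap header.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Filename patterns left behind by common editors, plus the "-swapme" naming
# reported in the Sucuri case. These are assumptions about typical editor
# behaviour, not an exhaustive list.
SWAP_NAME_PATTERNS = [
    (re.compile(r"^\..*\.sw[a-p]$"), "vim swap file"),
    (re.compile(r"^#.*#$"), "emacs autosave file"),
    (re.compile(r".*\.save$"), "nano emergency save"),
    (re.compile(r".*~$"), "editor backup copy"),
    (re.compile(r".*-swapme$"), "'-swapme' suffix seen in the Sucuri case"),
]


@dataclass
class Finding:
    path: str
    reason: str
    contains_php: bool  # True if the artifact carries a PHP open tag


def classify(name, siblings):
    """Return why a filename looks like a swap artifact, or None if it does not."""
    for pattern, reason in SWAP_NAME_PATTERNS:
        if pattern.match(name):
            return reason
    # Generic case: an existing .php file's name with extra characters appended
    # (e.g. bootstrap.php-anything sitting next to bootstrap.php).
    for sib in siblings:
        if sib != name and sib.endswith(".php") and name.startswith(sib):
            return f"suffix appended to existing file {sib}"
    return None


def scan_webroot(root):
    """Walk a web root and report files that look like swap/backup artifacts."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        names = set(filenames)
        for name in sorted(filenames):
            reason = classify(name, names)
            if reason is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                head = b""
            findings.append(Finding(path, reason, b"<?php" in head))
    return findings


def build_sample_webroot(base):
    """Create a constructed directory tree for the demonstration; not real site data."""
    os.makedirs(os.path.join(base, "app"))
    files = {
        "index.php": b"<?php\necho 'clean front controller';\n",
        ".index.php.swp": b"b0VIM constructed vim swap header, no code\n",
        os.path.join("app", "bootstrap.php"): b"<?php\n// clean file\n",
        os.path.join("app", "bootstrap.php-swapme"): b"<?php\n// constructed placeholder standing in for injected code\n",
    }
    for rel, content in files.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(content)


def run_on_constructed_sample():
    """Build the sample tree in a temp dir, scan it, and return (name, reason, has_php) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        findings = scan_webroot(tmp)
    return sorted((os.path.basename(f.path), f.reason, f.contains_php) for f in findings)


if __name__ == "__main__":
    for name, reason, has_php in run_on_constructed_sample():
        flag = "CONTAINS PHP" if has_php else "no php"
        print(f"{name}: {reason} [{flag}]")
```

On the constructed tree the scanner flags `.index.php.swp` (a vim swap name with no PHP inside) and `app/bootstrap.php-swapme` (a suffixed copy of an existing PHP file that does contain a PHP open tag); the clean `index.php` and `bootstrap.php` are left alone. Run it against a real web root with `scan_webroot("/path/to/webroot")` and treat any hit that contains PHP as something to pull for review rather than delete on the spot, so the loading mechanism can be traced.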
The disclosure comes as administrator accounts on WordPress websites are being compromised and a malicious plugin posing as the legitimate Wordfence plugin is being installed. The fake plugin lets attackers create unauthorized admin users and disables Wordfence without alerting site owners.
This deceptive behavior leads victims to believe everything is operating normally when, in reality, they remain exposed to attack.
According to Ben Martin, the website would already have to be compromised for the malicious plugin to be installed. However, he added that this malware can serve as a means of reinfection.
The malicious code runs only on pages within the WordPress admin interface whose URLs contain the term “Wordfence,” specifically the Wordfence plugin’s configuration pages.
To protect their sites, owners are advised to restrict widely used protocols such as FTP, SFTP and SSH to trusted IP addresses, and to ensure that all content management systems and plugins are kept up to date.
Users are also advised to enable two-factor authentication (2FA), use a firewall to block bots, and add security settings to wp-config.php such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.
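A quick way to verify that the wp-config.php hardening mentioned above is actually in effect across a fleet of sites is to parse the file for the two constants and flag any that are missing, set to false, or merely commented out. The checker below is an added example, not code from Sucuri or from WordPress; the two sample configuration texts are constructed for the demonstration, and the parser only skips `//` and `#` line comments (a `/* ... */` block comment around a define() would not be recognized as disabled).

```python
import re

# Constants the article recommends setting to true in wp-config.php.
REQUIRED_TRUE = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# Matches define('NAME', true) / define("NAME", FALSE) with flexible spacing.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)


def parse_defines(config_text):
    """Return {CONSTANT: bool} for boolean define() calls, ignoring line-commented code."""
    result = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        # Only // and # line comments are recognized here; /* */ blocks are an assumption left out.
        if stripped.startswith(("//", "#")):
            continue
        for match in DEFINE_RE.finditer(stripped):
            result[match.group("name").upper()] = match.group("value").lower() == "true"
    return result


def audit_wp_config(config_text):
    """Return the recommended constants that are missing, false, or commented out."""
    defines = parse_defines(config_text)
    return [const for const in REQUIRED_TRUE if not defines.get(const, False)]


# Constructed weak sample: DISALLOW_FILE_EDIT is commented out and DISALLOW_FILE_MODS is absent.
WEAK_CONFIG = """<?php
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_EDIT', true);
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed hardened sample: both constants set, using mixed quoting and case.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DISALLOW_FILE_EDIT', true);
define("DISALLOW_FILE_MODS", TRUE);
require_once ABSPATH . 'wp-settings.php';
"""


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        missing = audit_wp_config(text)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Feeding a real file is a matter of `audit_wp_config(open("/path/to/wp-config.php").read())`; an empty list means both constants are present and true. Keep in mind that DISALLOW_FILE_MODS also blocks legitimate plugin and theme updates through the dashboard, so sites relying on it need another update path.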