Dessky Snippets WordPress Plugin Exploited For Card Skimming Attacks

Heads up WordPress admins. If you’ve been running Dessky Snippets plugin on your WordPress e-stores, scan your sites for possible malicious codes. The criminal hackers have exploited the Dessky snippets plugin lately to deploy web skimmers and steal payment information.

Dessky Snippets Plugin Exploited To Deploy Card Skimming Malware

According to a recent post from Sucuri, they found a serious security issue with the WordPress plugin Dessky Snippets. While the issue doesn’t typically impact the plugin’s structure, it allows the threat actors to abuse it maliciously.

As observed, hackers have exploited the Dessky Snippets plugin to deploy card-skimming malware on target websites and steal payment information.

Dessky Snippets is a lightweight WordPress plugin that helps admins add custom PHP codes without editing the functions.php file. According to its WordPress.org page, the plugin is relatively new in the WP plugins realm, with over 200 installations only.

With such fewer installations, the plugin doesn’t seem lucrative for conducting large-scale attacks on WordPress sites. However, it seems the threat actors abusing this plugin weren’t really concerned about spreading their radius. Instead, they seemed more interested to stay under the radar for long.

Elaborating on the plugin abuse, Sucuri researchers noticed the plugin abuse on May 11, 2024, with a simultaneous rise in its downloads. Analyzing the plugin code made them unveil an obscured web skimming malware. As stated,

This malicious code was saved in the dnsp_settings option in the WordPress wp_options table and was designed to modify the checkout process in WooCommerce by manipulating the billing form and injecting its own code.

Dissecting further, the researchers noticed the two chunks in the malware – one with a generic name and bogus function twentytwenty_get_post_logos(), and the other culprit that actually steals the data. This seemingly bogus function serves as a hook for woocommerce_after_checkout_billing_form, and adds more fields on the checkout forms to add payment card details (which would otherwise appear on the following page). After obtaining the desired data, the code then exports it all to a third-party URL.

To evade detection, the fake checkout overlay doesn’t have the autocomplete feature enabled, so as to prevent the browsers from generating warnings about entering sensitive information.

Keep Your Sites Safe With Precautions

While WordPress plugins’ exploitation, such as the case with the Dessky Snippets plugin, seems unavoidable, users can still prevent the threats to a large extent by implementing security best practices.

Sucuri advises users to keep their sites updated with the latest plugin releases, integrate third-party scripts from trusted sources only, set up strong passwords for all accounts, deploy web app firewalls (WAF), and conduct regular site scans for malicious codes.

Likewise, users visiting e-stores should also ensure the site’s authenticity and look for any subtle changes in site layouts that relate to their payment information. Moreover, keeping an eye on bank statements and credit reports can also help detect any malicious activities in time and prevent possible damages.

Let us know your thoughts in the comments.