Malicious Code Injection WordPress ? “Banco De Oro” Hack

Malicious Code Injection WordPress ? Banco De Oro Hack

Malicious Code Injection WordPress

? “Banco De Oro Hack” ?

In today’s information age, the security of your WordPress website can be a risk if you are dealing in an online business. Technology has changed the things. There are several ways in which someone can steal your private information further leading to financial loss. 

A hacker needs only a minute to breach your credit card info. Who is unaware of the massive data breach at Uber (the popular cab hailing service) in 2016? The criminals have hacked, phished and skimmed their way into data systems, compromising the credit card information of millions of consumers.

What is “Banco de oro” Code Injection Hack in WordPress?

Banco de Oro (BDO), legally known as BDO Unibank, Inc., is a Philippine banking company based in Makati. 

Banco De Oro Hack is a type of WordPress malicious code injection hack ? in which a folder named “Banco de oro” is inserted in the public_html folder. The public_html is the folder where you put all website files that you’d like to appear when someone types your main domain. 

So, when a folder named “banco de oro” containing malicious code is injected in your public_html folder, the hacker attempts to get all the private information of the user like name, email, credit or debit card info, security pin and thus make an unauthorized activity using the card. These acts can results as abusing website and thus, harm the website’s reputation and losing its potential leads.

SQL Code Injection ? Accounts For 39% of Attacks

Basically Banco De Oro Hack is a kind of SQL code injection attack to steal financial information of users.

An SQL injection attack is one of the most frequently occurring web hacks prevalent today, wherein an attacker uses web page inputs to insert a malicious code in SQL statements. It usually occurs when a web page asks for user input like username/userid. The attacker uses this opportunity to insert a SQL statement which ends up running on your database without your knowledge.


It is a widely exploited technique used by hackers. See graph below. It accounts for 39% of attacks.

SQL Code Injection Accounts For 39% of Attacks 

Basic Workflow  ?

sql code injection wordpress hack

How Malicious Code Injection Hack Work in WordPress

The causes behind the code injection hack that targeted the “Banco de Oro” website running on the WordPress platform. By examining the key factors that contributed to the vulnerability, we can gain insights into the weaknesses that were exploited, enabling the malicious code injection attack to occur.

Outdated WordPress Core or Plugins

One possible cause of the code injection hack is the presence of outdated WordPress core files or plugins. If the website administrators failed to regularly update WordPress and its associated components, it could have left the site vulnerable to known security exploits. Hackers often exploit these vulnerabilities to inject malicious code into a website.

Unvalidated User Input

A common cause of code injection attacks is the absence of proper input validation and sanitization. If the website’s code allowed user input without performing adequate checks, attackers could inject malicious code through input fields, such as comment sections or contact forms. This lack of validation opens the door for unauthorized code execution and manipulation.

Insufficient Server-Side Security Measures

Inadequate server-side security measures can also contribute to code injection attacks. If the web server hosting the “Banco de Oro” website had weak access controls, misconfigured permissions, or improper file upload restrictions, hackers could exploit these weaknesses to upload and execute malicious code on the server, eventually affecting the WordPress site.

Cross-Site Scripting (XSS) Vulnerabilities

Cross-Site Scripting vulnerabilities, if present in the WordPress installation, could have provided an entry point for the code injection attack. XSS vulnerabilities occur when the website fails to properly sanitize and escape user-supplied input, enabling attackers to inject malicious scripts that execute in the context of other users’ browsers. Once executed, these scripts can manipulate the website’s content or steal sensitive data.

Server-Side Request Forgery (SSRF) Vulnerability

A WordPress ssrf vulnerability, as mentioned earlier, could have played a role in the code injection hack. SSRF occurs when an application allows attackers to make requests to internal resources or sensitive endpoints. If the “Banco de Oro” WordPress site had an SSRF vulnerability, it would have enabled the attacker to fetch and inject malicious code into the website, potentially leading to code execution.

Inadequate Security Testing and Auditing

Insufficient security testing and auditing practices can also contribute to code injection attacks. If the website’s administrators did not conduct regular security assessments, penetration testing, or code reviews, it becomes more likely that vulnerabilities will go unnoticed and unaddressed. These oversights create opportunities for attackers to exploit weaknesses in the system.

What hackers can do with your financial data, once get it?

This is a common question: what happens to your data after a hacker stole it? Understanding the workings of an attacker’s post-hacking routine is not only interesting, but it can also help you minimize damage if your data is stolen.

Note: the following is a general overview of the most common steps an attacker uses to monetize stolen information.

Once an attack has taken place and the criminal has your data, he or she will probably go through the following steps, which we like to call “hacker offence checklist:”. 

  • Look for the right things – Hackers will then inventory the credentials and look for potentially lucrative accounts. Government and military addresses are invaluable, as are the e-mail addresses and passwords of large corporations. Because users often re-use passwords, hackers can often use military or enterprise account credentials to target other businesses. For example, Dropbox was the victim of a violation in 2012 using stolen credentials in the LinkedIn data breach earlier that year. A hacker can himself plan such hacking or sell the credentials to third parties on the dark web at a much higher price.
  • Sell ​​Private Information – Next, the hacker will collect all personal information such as names, addresses, phone numbers and email addresses, and will generally sell them wholesale. These are the most precious newer they are. According to Quartz, a complete set of personal information, including ID number, address, date of birth and possibly credit card information, costs between $ 1 and $ 450 and support, support, $ 21.35.
  • Stolen Data Inventory – Hackers will look in the stolen data files for authentication credentials, personal information such as names, addresses and phone numbers, as well as financial information such as credit card details.
  • Sell ​​in bulk – The hacker will gather authentication information and sell it in bulk at a reduced price. To date, most references are useless since the company has most likely discovered the flaw and taken steps to fix it. For example, a database containing the full dump of LinkedIn credentials is still available.
  • Unload Cards – Financial information such as credit card numbers are bundled and sold. A person with the appropriate knowledge could easily buy credit card information in groups of ten or a hundred. Usually, a “broker” buys information about the card and then sells it to a “carder” who makes a shopping game to avoid detection. First, “carders” use a stolen credit card to purchase gift cards at stores or, and then use these cards to purchase physical items. The carder can then sell the electronic components via legitimate channels such as eBay or via an obscure and underground website. To learn more about the process of monetizing stolen credit card data, click here.

Examples Of Financial Malicious Code Injection Attacks

British Airways hacked as 380,000 sets of payment details stolen

British Airways revealed that hackers stole customer data from the official website and mobile application at the height of the summer season.

Personal and financial information concerning 380,000 passengers was stolen, but this information did not concern passports. BA had solved the infringement, contacted the customers and informed the authorities, including the UK’s Commissioner’s Office. 

Hackers steal credit card details from hotel booking sites

It has been reported that holidaymakers have been warned that their credit card details may have been stolen after hacking the software used to process online bookings.

Luxury hotel chains are telling their customers that their personal and financial information may have been stolen after the Paris software company Fastbooking was the victim of a violation on June 14th.

The impact of these data thieves is hard to measure because the value of many of the relevant data has yet to be taken into account, In many cases, hackers were inside these networks for months or years. So it is better to scan your website frequently to prevent yourself. 

How To Check If Your Site Is A Victim Of banco de oro Hack?

While cleaning up website for one of our clients, we found some malicious code injected in every “index.php” file  The content displayed: 


            echo “Get Lost!”


So, if you find any objectionable piece of content in your core index file, it means your website is attempted for hack. 

How does “Banco de oro” Hack Works?

In this type of WordPress hack, your WordPress website will be injected with a new folder names “Banco de oro”. This folder executes the code for registration form. This registration form asks all the sensitive information from the user. For instance – username, password, email address, credit or debit card, security pin.  

In screenshot 1, this is the get lost code available in the function.php file exploited by the hackers to add his own url. 

Screenshot 1 - Malicious Code Injection WordPress - Banco De Oro Hack

In screenshot 2 you can see how hacker added the similar to the unibank URL within the malicious script. He has created these links to clone the vulnerable web pages of the bank. 

Screenshot 2 - BancoDeOro malicious code injection in WordPress website

In screenshot 3 you can see the confidential user information which the hacker has extracted by using the malicious code(form) injected, as seen in the previous screenshot.

Screenshot - Banco De Oro Hack

In screenshot 4, it shows the location of index.php exploited by the hacker.

Banco De Oro Hack - index.php exploited by the hacker

In screenshot 5, here you can view the original page which was injected in index .php file to collect the sensitive financial user information.

When a user fills out this form, all the information is saved and shared with the hacker.  The hacker can ruin your name by using this financial information for obtrusive purposes. Moreover, the hacker can break into your website and access any type of permission to make undesirable changes to your website.

How To Fix “Banco de oro Hack” Malicious Code Injection in WordPress?

Hackers have come up with a new way to steal the customer payment information when any transaction is made using a credit card for an online purchase via Banco de oro hack.

Your credit card information can be stolen right under your nose without your credit card ever leaving your possession.

Unfortunately, most victims of such type of credit card theft are unaware of this until after the card has already been used. Often, fraudulent credit card charges are the first sign that credit card information has been stolen. 

Follow these steps to remove this hack: 

  1. First and foremost, create backup of your wordpress database manually. Either you can create backup manually or you can use backup plugins.
  2. Once backed, try to find if there is any folder named ”Banco de oro” in your public_html directory.
  3. Quarantine your site is to edit your .htaccess file and allow access only from your own IP address. Use the following two lines (they work on Apache based servers):

    Replace IP_ADDRESS with your own IP address.

  4. You can access this root folder from File Manager
  5. login to your cPanel.
  6. Now, click on “File Manager” under “Files”. A pop-up box entitled “File Manager Directory Selection” will appear.
  7. Select Web Root (public_html/www) and then click “Go” at the bottom.
  8. Now find the folder in your public_html directory by typing :
find . -type d -name "*bancodeoro*"
  • Now that you have information about malware locations, you can remove the folder from WordPress and restore your website to a clean state. Also, if you see any unknown folders, remove all of them. 

Post Clean Up Steps: Keeping your financial data safe

If you are a WordPress website owner dealing in merchandise of products or make any online business, it is very important to secure the transactions otherwise it may turn into a devastating nightmare. Here are some steps to protect the privacy of your WordPress website:

  • Keep your WordPress up-to-date with the latest WordPress versions.
  • Keep your WordPress plugins and themes updated.
  • Always keep regular or weekly backups of your WordPress installations.
  • Keep a strong and hard-to-guess password for admin panel.
  • Remove all outdated plugins and themes as they are loopholes for malware injections.
  • Monitor your website for any undesirable changes. Most of the times a hack isn’t detected until and unless the website is flagged by Google for suspicious activities.
  • Scan php files for malicious code online to find malicious payloads and malware locations.  
  • Input validation incorporates the use of two approaches to defend against an SQL code injection: blacklisting and whitelisting. Blacklisting involves removal or replacement of known malicious characters from user input.
  • Secured SQL statements

Free Online WordPress Malware Scanner

To check if this file is present on your site, simply run a scan above. It will provide you with a report of malware checking, blacklist checking for key signs of malware, such as sending spam, website defacement etc. This tool scans your for WordPress Malware Redirects, WordPress Arbitrary File Deletion Vulnerability, PHP Web Shells, WordPress Vulnerabilities, or WordPress backdoors, and notifies you. Head to our site cleaning page and let the experts on our Security Services Team handle it for you.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)