
Credit card thieves attack WooCommerce sites with new skimmer

According to Ben Martin of security company Sucuri, credit card thieves attacked WooCommerce sites with a new skimmer. Check the details of this incident.

WooCommerce is a free and open source WordPress plugin with more than 5 million active installations that makes it easy to run e-commerce sites that can be used to “sell anything anywhere”.


Credit card thieves are now targeting WordPress e-commerce sites powered by WooCommerce with dedicated JavaScript-based card-skimming malware, rather than the more common attempts to redirect payments to attacker-controlled accounts.


This is not the first time that WooCommerce stores have been targeted by credit card theft attacks (also known as Magecart attacks): Sanguine Security’s Willem de Groot said in August 2018 that attackers were trying to break into online stores running WooCommerce by brute-forcing administrator passwords.

Ben Martin, from Sucuri, explained that:

“Naturally, WooCommerce and other WordPress-based e-commerce sites have been targeted before, but this is usually limited to modifying payment details in the plugin settings.”

“For example, forwarding payments to the attacker’s PayPal email instead of the legitimate site owner. Seeing dedicated malware when swiping your credit card on WordPress is quite new.”

New approach to skimming cards

Martin discovered the attack after several reports of fraudulent credit card transactions from customers of e-commerce sites built with WordPress and WooCommerce.

An integrity check of all core files on the affected online stores revealed the malicious files behind these reports: seemingly harmless JavaScript files that had malicious code added to the end.
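One way to run the kind of integrity check described above, as an added example (not Sucuri's tooling and not code from the original article): it compares JavaScript files against a pristine reference copy and flags files whose original content is intact but followed by extra bytes. The directory layout, file names and the classify and demo helpers are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(reference_root: Path, site_root: Path, pattern: str = "*.js") -> dict:
    """Compare each matching file under site_root with its pristine copy."""
    findings = {}
    for path in sorted(site_root.rglob(pattern)):
        rel = path.relative_to(site_root).as_posix()
        current = path.read_bytes()
        ref_path = reference_root / rel
        if not ref_path.is_file():
            findings[rel] = ("unknown", len(current))  # not shipped in the reference
            continue
        pristine = ref_path.read_bytes()
        if sha256(current) == sha256(pristine):
            continue  # byte-identical, nothing to report
        base = pristine.rstrip()  # tolerate a differing final newline
        if current.startswith(base):
            # Original content intact with extra bytes after it.
            findings[rel] = ("appended", len(current) - len(base))
        else:
            findings[rel] = ("modified", len(current))
    return findings

def demo() -> dict:
    """Build a constructed reference tree and a tampered copy, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "reference"), Path(tmp, "site")
        clean = b"function initCart() { return true; }\n"
        for root in (ref, site):
            (root / "js").mkdir(parents=True)
            (root / "js" / "cart.js").write_bytes(clean)
            (root / "js" / "menu.js").write_bytes(b"var menu = {};\n")
            (root / "js" / "util.js").write_bytes(b"var util = {};\n")
        # Constructed, harmless stand-in for code added to the end of a file.
        (site / "js" / "cart.js").write_bytes(clean + b"/* PLACEHOLDER appended block */\n")
        (site / "js" / "menu.js").write_bytes(b"var menu = { changed: 1 };\n")
        (site / "js" / "extra.js").write_bytes(b"// file absent from reference\n")
        return classify(ref, site)

if __name__ == "__main__":
    for name, (status, size) in demo().items():
        print(f"{status:9} {size:6}  {name}")
```

Files reported as appended deserve review first, since their tail is the only part that differs from the reference.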

Martin said of this:

“JavaScript itself is a little difficult to understand, but one thing is clear: the infection saves your credit card number and CVV (card security code) in plain text in the form of cookies.”

“As is typical with PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its main code from the common webmaster.”

What makes this attack stand out even more is that the threat actors behind it included the JavaScript card skimmer in the site’s core files, instead of loading it from a third-party site under their control, as they usually do.

Cleaning your own tracks

The stolen payment card information is stored in two image files saved in the wp-content/uploads directory.

However, as Martin further found, the credit card skimmer may have the ability to cover its own tracks, as the files were cleared before the analysis of the infected sites began.

The entry point attackers use to infect an e-commerce site in a Magecart attack is normally simple to identify, but in this case it was not so obvious.

In Martin’s words:

“It could have been a compromised WP-ADMIN account, SFTP password, hosting password or some vulnerable software in the environment.”

“One thing I would recommend to anyone interested in the security of the WordPress site is to disable direct file editing for WP-ADMIN by adding the following line to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );”

Similar tactics have also been used to attack WordPress sites using Stripe for payments, with attackers employing different malicious payloads during each instance.

In October 2019, the U.S. Federal Bureau of Investigation (FBI) issued a warning about e-skimming threats directed at small and medium-sized businesses (SMBs) and government agencies that process payments online.

