A new e-skimmer found on a WordPress site using the WooCommerce plugin

Experts discovered a new e-skimmer employed in MageCart attacks against WordPress websites using the WooCommerce plugin.

Experts from security firm Sucuri discovered a new e-skimmer that differs from the malware typically used in Magecart attacks. The new skimmer was employed in attacks on a WordPress-based e-store using the WooCommerce plugin.

The e-skimmer does not just intercept the payment information that users enter into the fields of a checkout page.

“Naturally, WooCommerce and other WordPress-based ecommerce websites have been targeted before, but this has typically been limited to modifications of payment details within the plugin settings.” reads the analysis published by Sucuri. “For example, forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new.”

The experts initially scanned the website of one client and discovered generic backdoors and other malware. They then performed an integrity check of the core files, which shed light on part of the infection.

Most of the injected JavaScript code was discovered near the end of a legitimate jQuery file (./wp-includes/js/jquery/jquery.js).

“Most JavaScript injections append the code at the very end of the file, but one quirk I noticed about this was that it was inserted before the ending jQuery.noConflict();” continues the analysis.

“It’s not so easy to see. The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

The technique is different from Magecart attacks that employ e-skimmers loaded from a third-party website.

The portion of the script that captures the card details was injected into the ./wp-includes/rest-api/class-wp-rest-api.php file.

“As is typical in PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its core code from the average webmaster,” continues the post.

The malicious software harvests the payment details and saves the card numbers and CVV security codes in plain text in the form of cookies. The script then uses the legitimate file_put_contents function to store them in two separate image files (a .PNG and a .JPEG) kept within the wp-content/uploads directory structure.

At the time of the analysis, neither file contained any stolen data, which suggests the malware could automatically clear the files once the attackers had retrieved the information.
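A defender-side check for the two on-disk traces described above (a tampered core file such as jquery.js, and card data parked in image-named files under wp-content/uploads), written here as an added example rather than Sucuri's own tooling; the directory layout, the "clean" jquery.js content, its hash manifest and the drop-file contents are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# First bytes a genuine file of each extension must start with.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}

def is_fake_image(head: bytes, ext: str) -> bool:
    """True when the file name claims an image but its first bytes do not."""
    magic = IMAGE_MAGIC.get(ext.lower())
    return magic is not None and not head.startswith(magic)

def scan_uploads(uploads_dir: str) -> list:
    """Return image-named files under uploads whose content is not an image."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            ext = os.path.splitext(name)[1]
            path = os.path.join(root, name)
            if ext.lower() in IMAGE_MAGIC:
                with open(path, "rb") as fh:
                    if is_fake_image(fh.read(16), ext):
                        hits.append(os.path.relpath(path, uploads_dir))
    return sorted(hits)

def modified_core_files(wp_root: str, manifest: dict) -> list:
    """Return core files whose SHA-256 differs from the known-good manifest."""
    changed = []
    for rel, expected in manifest.items():
        with open(os.path.join(wp_root, rel), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != expected:
                changed.append(rel)
    return sorted(changed)

def demo() -> tuple:
    """Constructed WordPress tree with a tampered jquery.js and a fake PNG."""
    clean = b"/* jquery */\nwindow.jQuery = {};\njQuery.noConflict();\n"
    jq = "wp-includes/js/jquery/jquery.js"
    manifest = {jq: hashlib.sha256(clean).hexdigest()}  # normally built from a pristine copy
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes/js/jquery"))
    uploads = os.path.join(root, "wp-content/uploads/2020/05")
    os.makedirs(uploads)
    # Injection sits just before the closing jQuery.noConflict(), as in the write-up.
    tampered = clean.replace(b"jQuery.noConflict();", b"/*skimmer*/\njQuery.noConflict();")
    with open(os.path.join(root, jq), "wb") as fh:
        fh.write(tampered)
    with open(os.path.join(uploads, "real.png"), "wb") as fh:
        fh.write(IMAGE_MAGIC[".png"] + b"\x00" * 8)
    with open(os.path.join(uploads, "drop.png"), "wb") as fh:
        fh.write(b"cc=0000000000000000;cvv=000\n")  # constructed plain-text dump
    return modified_core_files(root, manifest), scan_uploads(os.path.join(root, "wp-content/uploads"))
```

On a real install the manifest would be generated from a pristine WordPress release of the same version, and the uploads scan should run against the whole wp-content/uploads tree.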

“With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing attackers target this platform more frequently,” continues Sucuri.

The Sucuri researcher said that this was the first case of this kind of WordPress-targeted card-skimming malware he had come across, but that a handful more have appeared since, and that “WordPress websites with e-commerce features and online transactions will almost certainly continue to be targeted going forward.”

In April 2019, the WordPress security firm ‘Plugin Vulnerabilities’ discovered a critical vulnerability in the WooCommerce plugin that exposed WordPress-based eCommerce websites to attack.

The vulnerability affects the WooCommerce Checkout Manager plugin that allows owners of e-commerce websites based on WordPress and running the WooCommerce plugin to customize forms on their checkout pages.

The experts discovered an “arbitrary file upload” vulnerability that can be exploited by unauthenticated, remote attackers when a website has the “Categorize Uploaded Files” option enabled in the WooCommerce Checkout Manager plugin settings.

The experts from Sucuri recommend that WordPress site admins disable direct file editing from wp-admin by adding the following line to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

“This even prevents administrator users from being able to directly edit files from the wp-admin dashboard. In the event of a compromised admin account this can make the difference between the attacker delivering their payload or not.” concludes Sucuri.


Pierluigi Paganini

(SecurityAffairs – WooCommerce, WordPress)
