Card skimming attacks typically target e-commerce websites to harvest payment credentials, but most of them share a few traits that make the breach easy to detect: the code is planted in the same spots, it resembles code seen in other attacks such as Magecart, or it sends the user off to a different payment site. A group of skimmers, however, is actively attacking the WooCommerce WordPress plug-in by manipulating JavaScript code deep inside the site, where regular scans do not look.

A New Method To Steal

Ben Martin, a website security researcher from Sucuri, discovered this new skimming malware on a WooCommerce site; it differs from previously witnessed Magecart attacks. The campaign is said to target WordPress-based e-commerce sites, which may use plug-ins like WooCommerce, Shopify, etc., and it does more than intercept the payment page for card details.

The attackers here are unlike the Magecart gangs of the past, which either replaced the payment page with a fake one or directed users to pay to a fake PayPal email address instead of the site owner's. These attackers manipulate a core JavaScript file that the website itself relies on. As a result, Martin's initial general scans turned up nothing, and the malware was found only after deeper integrity checks.

WordPress: New Skimming Malware Exploits WooCommerce Plugin

Malware hiding in legitimate-looking files is harder to detect and remove. He said, “It was lodged near the end of a JQuery file: ./wp-includes/js/jquery/jquery.js, inserted before the ending jQuery.noConflict();.” Several layers of encoding and concatenation were also used to evade detection.

Stealing and Storing credentials in Images!

After scraping the details from the payment page, the malware first stores the credentials in plain text as cookies. It then uses the file_put_contents function to write them into files with .PNG or .JPEG image extensions placed in the wp-content/uploads directory. This is a new way for the attacker to collect the scraped credentials.

Martin's investigation later found no credentials in those images; he believes the details could already have been sent to the attacker's domain and that the malware has a function to clear them automatically once done. This sophistication has not been seen in past attacks. He finally suggests a way of coping with this: add define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file. This restricts even the admin from editing files from the wp-admin dashboard, but that is for security.
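The three indicators the article describes (a modified core file such as wp-includes/js/jquery/jquery.js, text written under image names in wp-content/uploads, and the DISALLOW_FILE_EDIT hardening in wp-config.php) can each be checked from the file system. The script below is an added example, not code from the article or from Sucuri: it builds a constructed, throwaway WordPress directory tree, records a hash baseline of the core file, simulates the two indicators with harmless placeholder content, and runs the checks. The file layout and the placeholder strings are assumptions for the demonstration.

```python
"""Added example (not from the article or Sucuri): defender-side checks for the
WooCommerce skimmer indicators described above, run against a constructed tree."""
import hashlib
import re
import tempfile
from pathlib import Path

# Leading bytes a genuine file with these extensions must start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Record SHA-256 of known-good core files, taken right after a clean install or update."""
    root = Path(root)
    return {rel: sha256_of(root / rel) for rel in rel_paths}


def integrity_diff(root, manifest):
    """Return relative paths whose current hash no longer matches the manifest (or that vanished)."""
    root = Path(root)
    changed = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_of(p) != expected:
            changed.append(rel)
    return sorted(changed)


def suspicious_uploads(uploads_dir):
    """Return image-named files under uploads whose first bytes are not an image signature.
    Plain text written via file_put_contents() into a .png/.jpeg name shows up here."""
    hits = []
    for p in Path(uploads_dir).rglob("*"):
        magic = IMAGE_MAGIC.get(p.suffix.lower())
        if magic is None or not p.is_file():
            continue
        with open(p, "rb") as fh:
            if fh.read(len(magic)) != magic:
                hits.append(p.name)
    return sorted(hits)


def file_edit_disallowed(wp_config_path):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true (the hardening the article recommends)."""
    text = Path(wp_config_path).read_text(encoding="utf-8", errors="replace")
    return re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text) is not None


def demo():
    """Build a constructed WordPress tree, simulate the two indicators, run the checks."""
    root = Path(tempfile.mkdtemp())
    jquery = root / "wp-includes/js/jquery/jquery.js"
    jquery.parent.mkdir(parents=True)
    clean = "/* constructed stand-in for jquery.js */\nvar jQuery={};\njQuery.noConflict();\n"
    jquery.write_text(clean)
    uploads = root / "wp-content/uploads"
    uploads.mkdir(parents=True)
    (uploads / "real.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    (root / "wp-config.php").write_text("<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n")

    manifest = build_manifest(root, ["wp-includes/js/jquery/jquery.js"])

    # Simulate the indicators: a line slipped in just before the closing jQuery.noConflict();
    # and a text file parked under an image name (both placeholders, not the real malware).
    tampered = clean.replace("jQuery.noConflict();", "/* injected placeholder */\njQuery.noConflict();")
    jquery.write_text(tampered)
    (uploads / "cache.jpeg").write_text("placeholder text, not a JPEG")

    return {
        "changed_core": integrity_diff(root, manifest),
        "fake_images": suspicious_uploads(uploads),
        "file_edit_disallowed": file_edit_disallowed(root / "wp-config.php"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real site the manifest would be built from a freshly installed copy of the same WordPress version and stored off the web server, so an attacker who can write to wp-includes cannot also rewrite the baseline. Note that DISALLOW_FILE_EDIT only removes the dashboard editor; it does not stop anyone who already has file system access, so the hash comparison is the check that actually surfaces a modification like the one Martin found.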

Via: ThreatPost. Source: Sucuri Blog.
