A New Method To Steal
Ben Martin, a website security researcher at Sucuri, discovered this new skimming malware on a WooCommerce site; it differs from previously seen Magecart attacks. The campaign is said to target WordPress-based e-commerce sites, which may use plug-ins like WooCommerce, Shopify, etc., and it does more than intercept the payment page for card details.
Malware hiding in legitimate-looking files is harder to detect and remove. He said, “It was lodged near the end of a jQuery file: ./wp-includes/js/jquery/jquery.js, inserted before the ending jQuery.noConflict();.” Further, several layers of encoding and concatenation were used to evade detection.
Stealing and Storing credentials in Images!
After scraping the details from the payment page, the malware first stored the credentials in plain text as cookies. It then used PHP's file_put_contents function to write the credentials into .PNG or .JPEG image files placed in the wp-content/uploads directory. This is a new way for an attacker to collect the scraped credentials.
Martin’s investigation later found no credentials in those images; he believes the details had already been sent to the attacker’s domain and that the malware has a function to clear them automatically once done. This sophistication has not been seen in past attacks. He finally suggested a way of coping with this: add define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file. This prevents even the admin from editing files through the wp-admin dashboard, but that is the point for security.
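A defender-side check that follows from the two points above, added here as an example and not code from Sucuri's write-up: it walks an uploads directory for files whose image extension is not backed by a real PNG/JPEG header (the storage trick described), and verifies that wp-config.php carries the recommended DISALLOW_FILE_EDIT define. The directory and file contents in demo() are constructed sample data.

```python
import os
import re
import tempfile

# Magic bytes for the image formats the skimmer abused as a drop location.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Matches define( 'DISALLOW_FILE_EDIT', true ); with either quote style and any spacing.
DISALLOW_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)


def is_fake_image(path):
    """True if the extension claims an image but the file header does not match."""
    ext = os.path.splitext(path)[1].lower()
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return False  # not an extension we check
    with open(path, "rb") as fh:
        head = fh.read(8)
    return not any(head.startswith(m) for m in magics)


def find_fake_images(uploads_dir):
    """Walk uploads_dir and return sorted paths of files masquerading as images."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            if is_fake_image(path):
                hits.append(path)
    return sorted(hits)


def disallow_file_edit_set(wp_config_text):
    """True if the wp-config.php text contains the recommended define."""
    return DISALLOW_RE.search(wp_config_text) is not None


def demo():
    """Constructed sample: one genuine PNG header, one text file named as a JPEG."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "real.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    with open(os.path.join(tmp, "dump.jpeg"), "wb") as fh:
        fh.write(b"name=PLACEHOLDER;card=PLACEHOLDER\n")  # constructed plaintext
    return [os.path.basename(p) for p in find_fake_images(tmp)]


if __name__ == "__main__":
    print(demo())
```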