Card skimming attacks typically target e-commerce websites to harvest credentials. Most of them, however, share a few traits that make the breach relatively easy to detect: the code is planted in the same spots, it resembles code seen in other attacks such as Magecart, or it redirects the user to a different payment site. But one group of skimmers is actively attacking the WooCommerce WordPress plug-in by tampering with core JavaScript code so deeply that regular scans do not see it.
A New Method To Steal
Ben Martin, a website security researcher at Sucuri, discovered this new skimming malware on a WooCommerce site; it differs from previously witnessed Magecart attacks. The campaign is said to target WordPress-based e-commerce sites, which may use plug-ins like WooCommerce, Shopify, etc., not just to intercept the payment page for details, but for more.
The attackers here are unlike the usual Magecart gangs of the past, who either replace the payment page with a fake one or redirect users to pay to a fake PayPal email address instead of the site owner's. These attackers tamper with a core JavaScript file that the website itself depends on. As a result, Martin's initial general scans turned up nothing, and the malware was found only after deep integrity checks.
Malware hiding in legitimate-looking files is harder to detect and remove. He said, “It was lodged near the end of a JQuery file: ./wp-includes/js/jquery/jquery.js, inserted before the ending jQuery.noConflict();.” On top of that, several layers of encoding and concatenation were applied to evade detection.
Stealing and Storing credentials in Images!
After scraping the details from the payment page, the malware first stored the credentials in plain text as cookies. It then used PHP's file_put_contents function to save them into files with .PNG or .JPEG image extensions placed in the wp-content/uploads directory. This is a new way for the attacker to collect the scraped credentials.
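A drop file written with file_put_contents() carries whatever the stolen text starts with, not a PNG or JPEG header, so the extension and the leading bytes disagree. The following added example (not part of Sucuri's report or any WordPress tooling) walks an uploads tree and flags files whose image extension is not backed by the matching signature; the sample tree and its contents are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Header bytes for the two formats the skimmer reportedly abused as drop files.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def is_fake_image(path: Path) -> bool:
    """True when the name claims PNG/JPEG but the leading bytes do not match."""
    sig = IMAGE_SIGNATURES.get(path.suffix.lower())
    if sig is None:
        return False  # not an extension this check covers
    with path.open("rb") as fh:
        return fh.read(len(sig)) != sig


def find_fake_images(uploads_dir: str) -> list:
    """Walk an uploads tree; return POSIX-style relative paths of spoofed images."""
    root = Path(uploads_dir)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and is_fake_image(p)
    )


def demo() -> list:
    """Build a constructed sample uploads tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "2020" / "05"
        base.mkdir(parents=True)
        # Genuine headers (constructed minimal samples, not full images).
        (base / "logo.png").write_bytes(IMAGE_SIGNATURES[".png"] + b"\x00" * 16)
        (base / "banner.jpg").write_bytes(IMAGE_SIGNATURES[".jpg"] + b"\xe0" * 16)
        # Constructed drop file: plain-text records hidden behind an image extension.
        (base / "cache.png").write_bytes(b"name=Jane Doe|card=0000-0000-0000-0000\n")
        # Unrelated file, ignored because its extension is not checked.
        (base / "notes.txt").write_bytes(b"not an image")
        return find_fake_images(tmp)


if __name__ == "__main__":
    print(demo())  # constructed tree yields ['2020/05/cache.png']
```

Run against a real wp-content/uploads directory, any hit deserves a manual look, since a legitimate upload should never be a bare text file behind an image extension.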
Martin’s investigation later found no credentials in those images; he believes the details had already been sent to the attacker’s domain and that the malware has an automatic routine to clear them once done. This level of sophistication hasn’t been seen in past attacks. He finally suggests a way of coping with this: add define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file. This prevents even the admin from editing files from the wp-admin dashboard, but that’s for security.
Via: ThreatPost Source: Sucuri Blog