WooCommerce is a free, open-source WordPress plugin for e-commerce that is used on more than 5 million sites.
This isn’t the first time WooCommerce e-shops have been involved in credit card theft attacks (also known as Magecart attacks), according to Sanguine Security’s Willem de Groot. In August 2018, some hackers tried to break into WooCommerce sites by brute-forcing administrator access codes.
“Of course, WooCommerce and other e-commerce WordPress-based sites have been targeted by hackers in the past, but were usually limited to modifying payment details,” explained Sucuri’s Ben Martin.
“For example, hackers were promoting payments to the attacker’s PayPal email instead of the site’s legitimate account holder. What we are seeing now is something quite new.”
New card skimming approach
The attack was discovered by Martin following reports from many WordPress users and WooCommerce sites about fraudulent credit card transactions.
“As is usually the case with PHP malware, many levels of encryption are used in an attempt to prevent detection and hide the underlying code.”
The skimmer cleans its traces
The credit card details collected by the skimmer are stored in two image files in the wp-content/uploads directory.
However, as Martin discovered, the skimmer had the ability to cover its tracks, as the files were emptied when the analysis of the compromised sites began.
While the entry point used by attackers to infect a WooCommerce or other e-commerce site is usually easy to spot, this time it was not so obvious.
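A defender-side check for the behaviour described above, as an added example that is not from the original article or from Sucuri: it walks an uploads directory and flags image-named files whose leading bytes are not a real image header, or that are empty. The file names, the sample record format and the function names are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading magic bytes for image types commonly found in wp-content/uploads.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def audit_uploads(root):
    """Return {relative_path: reason} for image-named files that are not images."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)
            rel = os.path.relpath(path, root)
            if not head:
                # An emptied file matches the cleanup behaviour described above.
                findings[rel] = "empty"
            elif not head.startswith(MAGIC[ext]):
                findings[rel] = "bad-magic"
    return findings

def build_sample_tree(root):
    """Constructed sample data: one file with a PNG header, two suspicious files."""
    os.makedirs(os.path.join(root, "2020", "04"))
    samples = {
        "2020/04/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2020/04/banner.jpg": b"4111111111111111|12/29|123\n",  # test card number
        "2020/04/thumb.gif": b"",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in sorted(audit_uploads(tmp).items()):
            print(f"{reason:10} {rel}")
```

A flagged file is only a lead: confirm it against the site's media library and file modification times before treating it as evidence of a skimmer.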
“It could be a compromised administrator account, an SFTP code or some vulnerable software,” Martin added.
“One thing I would recommend to anyone interested in the security of their WooCommerce or WordPress site is to disable instant file processing by adding the following line to wp-config.php,” he added.