Hackers are targeting WooCommerce sites with a special JavaScript-based card skimmer, malware that steals credit card data without having to redirect payments to accounts controlled by the hackers.

WooCommerce is a free, open-source WordPress plugin that facilitates e-commerce and is used on more than 5 million sites.

This isn’t the first time WooCommerce e-shops have been involved in credit card theft attacks (also known as Magecart attacks), according to Sanguine Security’s Willem de Groot. In August 2018 some hackers tried to break into WooCommerce sites using the technique of brute-forcing the discovery of code access managers.

“Of course, WooCommerce and other e-commerce WordPress-based sites have been targeted by hackers in the past, but were usually limited to modifying payment details,” explained Sucuri’s Ben Martin.

“For example, hackers were promoting payments to the attacker’s PayPal email instead of the site’s legitimate account holder. What we are seeing now is something quite new.”


New card skimming approach

The attack was discovered by Martin following reports from many WordPress users and WooCommerce sites about fraudulent credit card transactions.

A check of all the core files of the affected online stores revealed malicious code that had been added at the end of seemingly harmless JavaScript files.


“JavaScript itself is a bit difficult to understand, but one thing that is clear is that the skimmer saves both the credit card number and the CVV (card security code) in plain text in the form of cookies,” Martin said.

“As is usually the case with PHP malware, many levels of encryption are used in an attempt to prevent detection and hide the underlying code.”

What makes this attack stand out is that the attackers behind it included the JavaScript card skimmer in the site’s core files instead of loading it from a third-party site under their control (which is what usually happens in attacks that aim to steal credit card data).

The skimmer cleans its traces

The stolen credit card details are stored in two image files in the wp-content/uploads directory.

However, as Martin discovered, the skimmer had the ability to cover its tracks, as the files were emptied when the analysis of the compromised sites began.
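Both indicators described above, code added at the end of core JavaScript files and image files in wp-content/uploads that hold no real image or have been emptied, can be checked for on a suspect site. The following Python script is an added example, not code from Sucuri or from this article; it assumes a clean copy of the same WordPress and plugin release is unpacked for comparison, and the function names `audit_js` and `audit_uploads` are hypothetical.

```python
import os
import sys

# Leading magic bytes of the image types normally found in uploads.
MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
         ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}


def audit_js(installed_root, clean_root):
    """Map each .js file that differs from the clean copy to a status."""
    findings = {}
    for dirpath, _dirs, files in os.walk(installed_root):
        for name in (f for f in files if f.endswith(".js")):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, installed_root)
            clean = os.path.join(clean_root, rel)
            if not os.path.isfile(clean):
                findings[rel] = "unexpected"  # no counterpart in clean copy
                continue
            with open(path, "rb") as a, open(clean, "rb") as b:
                inst, ref = a.read(), b.read()
            if inst != ref:
                # Clean content followed by extra bytes: code was appended.
                grew = len(inst) > len(ref) and inst.startswith(ref)
                findings[rel] = "appended" if grew else "modified"
    return findings


def audit_uploads(uploads_root):
    """Map image-named files that are empty or not real images to a reason."""
    findings = {}
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            sigs = MAGIC.get(os.path.splitext(name)[1].lower())
            if sigs is None:
                continue  # not an image extension we check
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)
            if not head.startswith(sigs):  # an empty file fails this too
                rel = os.path.relpath(path, uploads_root)
                findings[rel] = "not-an-image" if head else "empty"
    return findings


if __name__ == "__main__":
    # Usage: audit.py <site root> <clean copy of same release> <uploads dir>
    print(audit_js(sys.argv[1], sys.argv[2]))
    print(audit_uploads(sys.argv[3]))
```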

While the entry point used by attackers to infect a WooCommerce or other e-commerce site is usually easy to spot, this time it was not so obvious.


“It could be a compromised administrator account, an SFTP code or some vulnerable software,” Martin added.

“One thing I would recommend to anyone interested in the security of their WooCommerce or WordPress site is to disable instant file processing by adding the following line to wp-config.php,” he added.
