A new e-skimmer found on WordPress site using the WooCommerce plugin

Pierluigi Paganini April 12, 2020

Experts discovered a new e-skimmer employed in MageCart attacks against WordPress websites using the WooCommerce plugin.

Experts from security firm Sucuri discovered a new e-skimmer that is different from similar malware used in Magecart attacks. The new skimmer was employed in attacks on a WordPress-based e-store using the WooCommerce plugin.

The e-skimmer doesn’t just intercept payment information entered by users into the fields of a checkout page.

“Naturally, WooCommerce and other WordPress-based ecommerce websites have been targeted before, but this has typically been limited to modifications of payment details within the plugin settings.” reads the analysis published by Sucuri. “For example, forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new.”

Experts initially performed a scan on the website of one client and discovered generic backdoors and other malware. They then performed an integrity check of the core files, which shed light on part of the infection.

Most of the injected JavaScript code was discovered near the end of a legitimate jQuery file (“./wp-includes/js/jquery/jquery.js”).

“Most JavaScript injections append the code at the very end of the file, but one quirk I noticed about this was that it was inserted before the ending jQuery.noConflict();” continues the analysis.

“It’s not so easy to see. The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

The technique is different from Magecart attacks that employ e-skimmers loaded from a third-party website. 

The portion of the script that captures the card details was injected into the “./wp-includes/rest-api/class-wp-rest-api.php” file.

“As is typical in PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its core code from the average webmaster,” continues the post.

The malicious software harvests the payment details and saves the card numbers and CVV security codes in plain text in the form of cookies. The script then uses the legitimate file_put_contents function to store them into two separate image files (a .PNG file and a JPEG) that are kept in the wp-content/uploads directory structure.

At the time of the analysis, neither file contained any stolen data, which suggests the malware was able to clear the files automatically after the information had been acquired by the attackers.
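One way to hunt for this kind of staging file, as an added example (not Sucuri's tooling or code from the original article): flag files under the uploads tree whose image extension does not match their leading bytes, including files that have been emptied. The directory layout, file names and sample contents are constructed for the demonstration.

```python
import os
import tempfile

# Leading bytes that every well-formed file of each type starts with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

def find_fake_images(root):
    """Return sorted (relative_path, reason) pairs for files under root
    whose image extension does not match their content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            magic = MAGIC.get(os.path.splitext(name)[1].lower())
            if magic is None:
                continue  # not an extension this check covers
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(magic))
            if head == magic:
                continue  # header matches the extension
            reason = "empty" if not head else "bad-magic"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, reason))
    return sorted(findings)

def build_sample_uploads(root):
    """Write a constructed sample tree (not data from the incident)."""
    month = os.path.join(root, "2020", "04")
    os.makedirs(month)
    samples = {
        "logo.png": MAGIC[".png"] + b"\x00" * 16,   # real PNG header
        "banner.jpg": MAGIC[".jpg"] + b"\xe0\x00",  # real JPEG header
        "cache.png": b"0000000000000000|000\n",     # text behind an image name
        "thumb.jpeg": b"",                          # file that has been emptied
    }
    for name, data in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_uploads(root)
        return find_fake_images(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:9}  {rel}")
```

On a live site, pass the real wp-content/uploads path to find_fake_images; an "empty" hit on an image name is worth the same follow-up as a "bad-magic" one.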

“With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing attackers target this platform more frequently,” continues Sucuri.

WooCommerce said that this was the first case of this kind of WordPress-targeted card-skimming malware that he came across, but that a handful more have appeared since, and that “WordPress websites with e-commerce features and online transactions will almost certainly continue to be targeted going forward.”

In April 2019, the WordPress security firm ‘Plugin Vulnerabilities’ discovered a critical vulnerability in the WooCommerce plugin that exposed WordPress-based eCommerce websites to attack.

The vulnerability affects the WooCommerce Checkout Manager plugin that allows owners of e-commerce websites based on WordPress and running the WooCommerce plugin to customize forms on their checkout pages.

The experts discovered an “arbitrary file upload” vulnerability that can be exploited by unauthenticated, remote attackers when the websites have the “Categorize Uploaded Files” option enabled within the WooCommerce Checkout Manager plugin settings.

The experts from Sucuri recommend that WordPress site admins disable direct file editing in wp-admin by adding the following line to their wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

“This even prevents administrator users from being able to directly edit files from the wp-admin dashboard. In the event of a compromised admin account this can make the difference between the attacker delivering their payload or not.” concludes Sucuri.


Pierluigi Paganini

(SecurityAffairs – WooCommerce, WordPress)
