WooCommerce Falls to Fresh Card-Skimmer Malware

Credit-card-stealing criminals have set their sights on the WordPress plugin known as WooCommerce, an e-tailer platform, with a JavaScript-based card-skimming malware.

Sucuri researcher Ben Martin recently investigated a skimmer attack lodged against a WooCommerce site and found that it differs from prior payment-card campaigns that have targeted WordPress-based e-commerce destinations — in that the malware doesn’t just intercept payment information entered into the fields on a check-out page.

“[Attacks on WooCommerce in the past have] typically been limited to modifications of payment details within the plugin settings,” he explained in a Thursday posting. “For example, forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new.”

Behind the Scenes

After scanning the infected website, where customers had complained of fraudulent transactions, nothing serious at first seemed amiss, Martin wrote. It took a deeper integrity check of the core files of the site in order to find the stealer.

Rather than simply injecting malicious, third-party code – the typical approach used by Magecart and other groups – the attackers in this attack modified a normally benign JavaScript file that is intentionally used on the site.

“It was lodged near the end of a JQuery file: ./wp-includes/js/jquery/jquery.js,” the researcher explained, “inserted before the ending jQuery.noConflict();.”

He added, “It’s not so easy to see. The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

The part of the script used to actually harvest the card details was found in the “./wp-includes/rest-api/class-wp-rest-api.php” file, according to Martin. It behaves like other PHP malware, he said.

“As is typical in PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its core code from the average webmaster,” he wrote.

Once it’s scooped up the payment details, the malicious script saves both the payment-card numbers and CVV card security codes in plain text in the form of cookies. It then uses the legitimate file_put_contents function to collect them into two separate image files (a .PNG file and a JPEG). These are kept in the wp-content/uploads directory structure, the researcher said.

In his investigation, Martin found the image files to be empty of stolen data – suggesting that, potentially, “the malware had the ability to cover its own tracks and auto-cleared these files after the information had been acquired by the attackers,” according to his writeup.

WordPress Skimmers: A Growing Trend

While well-known card-thieving groups like Magecart typically target e-commerce sites that run on the Magento platform, WooCommerce has recently become the market leader for e-commerce platforms, Martin pointed out. And that has, naturally, piqued the attention of cybercriminals looking for new attack surfaces.

“With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing attackers target this platform more frequently,” he said.

He said that this was the first case of this kind of WordPress-targeted card-skimming malware that he came across, but that a handful more have appeared since, and that “WordPress websites with e-commerce features and online transactions will almost certainly continue to be targeted going forward.”

Given that attackers are able to compromise websites in any number of ways — exploiting a known vulnerable plugin, for instance, or via a brute-forced admin account – a good approach to protecting WooCommerce and other WordPress-based websites from skimmers and other malware is to disable direct file editing for wp-admin, according to Martin.

“[Add the following line to your wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );,” he said. “This even prevents administrator users from being able to directly edit files from the wp-admin dashboard. In the event of a compromised admin account this can make the difference between the attacker delivering their payload or not.”

_Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, _A Practical Guide to Securing the Cloud in the Face of Crisis_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. _Please register here** for this sponsored webinar.**