[BreachExchange] WordPress sites using WooCommerce targeted by credit card skimmers

Destry Winant destry at riskbasedsecurity.com
Wed Apr 15 10:29:54 EDT 2020


WordPress sites using the popular WooCommerce plugin are being
targeted by credit card skimming code, the first time that
Magecart-like attacks have been discovered targeting the content
management system.

Discovered late last week by security researcher Ben Martin at Sucuri,
the attacks involve the injection of JavaScript to steal both the
credit card number and card security code of those making purchases
from a targeted site.

Martin noted that although WordPress has been targeted before in
payment attacks, they usually involve changes such as forwarding
payments to the attacker’s PayPal address. Dedicated credit card
swiping malware on WP is described as “something fairly new.”

Despite having some similarities to Magecart attacks, the attacks
targeting WordPress installations with WooCommerce modify a normally
benign JavaScript file that is used by WordPress as opposed to trying
to insert the code from the third-party service. That made the code
difficult to see since the malware “lodged itself within an already
existing and legitimate file making it a bit harder to detect.”

Stolen data is sent to an image file that is stored in the
wp-content/uploads directory but is later auto-deleted when accessed
by the attackers, an added level of sophistication.

“Third-party plugins are always a high-value target for criminals, as
it’s an easy way to access hundreds to thousands of sites through
manipulating the code at the source where the plugin is developed,”
James McQuiggan, security awareness advocate at security awareness
firm KnowBe4 Inc., told SiliconANGLE. “Organizations want to make sure
they educate and train their developers to analyze and verify all
third-party plugins for unusual activity through the quality and
analysis testing process before releasing new updates. Like a home,
the website must be secured, and one easy way is to verify the plugins
and software regularly.”

More information about the BreachExchange mailing list