New Magecart Attack Targets WooCommerce Sites

Since October 2019, this publication has tracked the steady rise in Magecart attacks. These attacks often involve hackers targeting the eCommerce platforms that sites use to process payments. The hacker steals credit card data by injecting malicious JavaScript code into the cart facilities offered by the platform. The code, which can be as little as 22 lines long, is capable of skimming credit card details entered by a user and sending them to a command and control server maintained by the hacker. These details can then be sold on the Dark Web or used to purchase goods fraudulently.

A recent article published by security firm Sucuri analyzes a new attack campaign targeting the popular WooCommerce WordPress plugin. WooCommerce is a free and open-source WordPress plugin with more than 5 million active installs that makes it easy to run e-commerce sites; it is seen as a particularly handy tool for brick and mortar shops to generate online sales and an online presence. The article noted that WordPress plugins have been the target of similarly styled attacks in the past, and that Magento and PrestaShop have been targeted extensively. The security firm refers to these attacks as card swipers; traditionally they involve malicious code modifying payment details within the plugin settings, typically forwarding payments to the attacker's PayPal email instead of to the legitimate website owner. The campaign targeting WooCommerce, however, injects dedicated card-swiping malware into WordPress itself, which is relatively new.

The attack was discovered when a client reported that multiple customers had complained of fraudulent credit card transactions shortly after making a purchase on their website. It struck the researcher as odd because the client did not use the platforms known for experiencing these kinds of attacks, but rather WordPress and WooCommerce.


After performing integrity checks on the code, it was discovered that malicious code had been injected and appended to the end of seemingly harmless-looking JavaScript files. Researchers noted that,

“The JavaScript itself is a little difficult to understand, but one thing that is clear is that the infection saves both the credit card number and CVV (card security code) in plain text in the form of cookies…With credit card swipers it’s common for attackers to simply include/append malicious javascript from a third-party website. This makes it easier to spot when using a script blocker such as NoScript (which I strongly recommend anybody concerned with their safety online should use), but when they modify a JavaScript file that is intentionally used on the site it’s not so easy to see. The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

Further, it was discovered that the malicious code used several layers of concatenation, which would make it harder for a webmaster to detect any malicious intent. This is a common tactic employed by PHP malware and other malware types to evade detection. The malware itself was included in the site's core files, rather than what is typically seen: card-skimming malware is usually loaded from a third-party website under the control of the hacker, which has led many researchers to classify MageCart attacks as a form of supply-chain attack. This further differentiates the WooCommerce campaign from earlier attacks, as the supply-chain aspect appears to be missing, replaced by a direct compromise of the website's code. The hacker, or hackers, in this case went to several lengths to cover their tracks, namely by dumping the stolen details into two separate image files. This is not uncommon; however, the speed at which the hacker moved was. By the time researchers began analyzing the website, the files created to store the images had already been cleared, making the analysis far more incomplete than many researchers would like.

WooCommerce will continue to be targeted

For the owners of the compromised website, the obvious question to ask is how the hacker got in. The answer is generally not easy to give. In some cases the victim may have fallen prey to a common vulnerability exploited en masse, which leads to an easy fix: patching the vulnerability to prevent further exploitation. In this instance, there is less certainty as to how the hackers compromised the website. It may have been a compromised wp-admin account, an SFTP password, a hosting password, or some piece of vulnerable software in the environment not yet known to security researchers. As an extra safety measure, researchers advise that WordPress site owners disable direct file editing from wp-admin by adding the following line to the wp-config.php file: define( 'DISALLOW_FILE_EDIT', true ); In concluding, researchers noted that,

“The infection detailed above is the first case of this kind that I’ve found this year, but since working on this website, I have seen a handful of other cases, all with varying payloads. Some attackers have targeted WooCommerce, others target Stripe, but the fact remains that WordPress websites with eCommerce features and online transactions will almost certainly continue to be targeted going forward…This case is a perfect example of why both file integrity monitoring and regularly checking the integrity of your core files is crucial to maintaining a healthy, secure website.”
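The integrity checks described above, and the file integrity monitoring the researchers recommend, come down to comparing a site's script files against a trusted baseline. The following is an added example (not code from the original post or from Sucuri) that builds a hash baseline of JS/PHP files, then reports files that are new, missing, modified, or, as in this infection, intact but with extra code appended; the site tree and file paths it creates are constructed for the demonstration.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_prefix(path, nbytes=None):
    """SHA-256 of the first nbytes of a file (whole file when nbytes is None)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(nbytes) if nbytes is not None else f.read())
    return h.hexdigest()

def build_baseline(root, exts=(".js", ".php")):
    """Record hash and size of every JS/PHP file under root, keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"):
            {"sha256": sha256_prefix(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in exts}

def check_integrity(root, baseline):
    """Compare the current tree against a saved baseline and classify each difference."""
    root = Path(root)
    current = build_baseline(root)
    findings = []
    for rel, meta in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel]["sha256"] != meta["sha256"]:
            # If the original bytes are untouched and new bytes follow them, code was
            # appended to a legitimate file: the pattern seen in the WooCommerce case.
            grew = current[rel]["size"] > meta["size"]
            intact = grew and sha256_prefix(root / rel, meta["size"]) == meta["sha256"]
            findings.append((rel, "appended" if intact else "modified"))
    findings += [(rel, "new") for rel in current if rel not in baseline]
    return sorted(findings)

def demo():
    """Constructed site tree: after baselining, a legitimate JS file gains appended code
    and an unexpected PHP file appears; both should be reported."""
    with tempfile.TemporaryDirectory() as d:
        js = Path(d) / "wp-content/plugins/example/cart.js"  # constructed path
        js.parent.mkdir(parents=True)
        js.write_text("function addToCart(id){return fetch('/cart?id='+id);}\n")
        saved = json.dumps(build_baseline(d))  # in practice, store this off-host
        with open(js, "a") as f:
            f.write("/* constructed placeholder for unexpected appended code */\n")
        (js.parent / "extra.php").write_text("<?php // constructed unexpected file\n")
        return check_integrity(d, json.loads(saved))

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:>9}  {rel}")
```

Store the baseline somewhere the web server cannot write to and re-run the check on a schedule, since a baseline an attacker can regenerate proves nothing.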

Future attacks targeting the WooCommerce platform, as well as others including Stripe and Magento, can be expected to continue. This expectation is based not only on this latest campaign but on campaigns that targeted the plugin dating back to August 2018. In that campaign, over 7,000 websites were injected with MagentoCore.net, an incredibly aggressive MageCart skimmer. All the infections were eventually tied to a single well-resourced hacking group, and the incident served as a benchmark for other campaigns to aspire to. It is widely believed that the group behind the 2018 campaign was also behind the infamous Ticketmaster incident, which still ranks as one of the worst data breaches to date.

Mitigating the Threat

In defending against MageCart attacks, several things can be done by both the website owner and the consumer visiting the website. As regards the consumer, it is advised that all JavaScript be prevented from gaining unauthorized access to sensitive data by adopting a zero-trust approach to third-party JavaScript. However, the bulk of the mitigation tactics need to be adopted by the website owner. These tactics involve implementing a website monitoring policy, and software solutions are available for this. They are capable of detecting in real time any tampering with the website's code, and some solutions can even block tampering altogether. Businesses should further look to limit the amount of third-party code used; this reduces the attack surface presented by the company as well as the chances of falling victim to a supply chain attack.

It is not only smaller businesses that fall victim to these attacks. In November 2019 US retail giant Macy’s announced they had suffered a data breach. In a public statement, the company said,

“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two (2) pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page - if credit card data was entered and “place order” button was hit; and (2) the wallet page - accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019…We are aware of a data security incident involving a small number of our customers on Macys.com. We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”

British Airways also suffered a similar incident, after which authorities found the airline liable for a record-breaking fine of 183 million GBP. The fine resulted from the company not employing security controls deemed adequate to protect the sensitive data of many of its customers. Smaller businesses are equally liable to rack up fines in an era where many countries and economic zones are enforcing legislation to protect data privacy. The European Union’s General Data Protection Regulation (GDPR) is one such piece of legislation empowering regulatory bodies to hand out fines. Website owners are advised to conduct online sales in accordance with these laws; otherwise, a fine will be added to their list of worries.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
