Recently the potential dangers of online shopping were made apparent over the recent Black Friday period. As soon as that ended the Christmas shopping spree began, and another discovery by security firm Sucuri again shows the dangers of online shopping to both consumers and retailers.
According to a recent article published on Securi’s blog, researchers have discovered card skimming malware being injected into WooCommerce plugins.
These pieces of malware are only typically a few lines of code that are designed to steal the card details entered by customers when purchasing goods on eCommerce websites. The malware then sends the stolen card data to servers under the hacker’s control and then can either be sold to other criminals or used to commit various kinds of card fraud.
These campaigns are harder to stop for security firms as they tend to be well hidden and only discovered when victims begin to report strange transactions occurring on their accounts. These are then traced back to an eCommerce website that has been compromised by injected code.
To the researchers who made the discovery, this would imply that the card skimming malware had compromised the website’s backend through PHP. The backend of the website, stored on servers, is often the meat and potatoes of the website doing all the heavy lifting like storing databases for example.
Many instances of card skimming were found to only impact the front end, the parts of the website that the customer will see meaning that the customer’s machine may be compromised. In this case, the retailer may have little control over if fraud occurs, however, if the backend is compromised all the website’s customers could potentially become victims.
In this instance, researchers discovered that the malicious code may have had something to do with plugin updates that seemed odd at best. Researchers noted,
“The attackers know that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files. This is not the first time we have seen this, but what was quite fascinating about this particular infection was the way that the code was written to appear entirely benign.”
Before any card skimming malware could be installed, the attacker would need to be able to gain access to the backend of the website, to do this a backdoor is required. This is done by abusing a list of website administrators and setting the authorization cookie and current user login to one of those users. It is important to note that if WordPress’s wp-admin tool is secure this method of access is blocked as administrators will also have their IP address used to verify their credentials.
Plugin Abused to Add Card Skimmer
Once the attacker successfully manages to create a backdoor and access the backend as an administrator they will proceed to add the card skimming malware. To this extent, the attacker chose the Wp-smush plugin.
It is important to note that this plugin is not vulnerable to exploitation on mass but rather that the attacker simply chose this plugin to hide malicious code. Even at first glance, the researchers could not find anything malicious or even obfuscated code that would indicate the existence of malicious code.
What the attacker did do was write code that did not look malicious at all and blended into the rest of the code as if it was meant to be there. The plugin abused by the attacker is meant to assist in image optimization by a piece of the code that makes reference to WooCommerce.
Researchers were forced to wonder why a plugin for this purpose would even reference the eCommerce tool. This prompted even more investigation with researchers discovering hidden variables. It was then that the malicious nature of the code was revealed with researchers noting,
“The giveaway is the $stylesheet variable which references a questionable domain. Running a quick whois over that domain shows that it was registered very recently, probably with the express intent of exfiltrating stolen credit card details from the victim website…”
Researchers then discovered the card skimmer was injected into the section of code responsible for informing users of a 404 error. After more analysis, it was discovered that the variable “file_get_contents” was written to scrape card data then send it to a server under the attacker’s control. Researchers concluded with a warning to website owners, saying,
“If you operate an ecommerce website be sure to be extra cautious during the holiday season. This is when we see attacks and compromises on ecommerce websites at their highest volume as attackers are poised to make handsome profits from stolen credit card details…Make sure to follow best security practices, harden your administrator dashboard, and ideally place your website behind a firewall service!”