Card Skimming Malware injected into WooCommerce Plugins

The potential dangers of online shopping were made apparent over the recent Black Friday period. As soon as that ended the Christmas shopping spree began, and another discovery by security firm Sucuri again shows the risks online shopping poses to both consumers and retailers.

According to a recent article published on Sucuri’s blog, researchers have discovered card skimming malware being injected into WooCommerce plugins.

These pieces of malware are typically only a few lines of code, designed to steal the card details customers enter when purchasing goods on eCommerce websites. The malware sends the stolen card data to servers under the hacker’s control, where it can either be sold to other criminals or used to commit various kinds of card fraud.


These campaigns are harder for security firms to stop, as they tend to be well hidden and are only discovered when victims begin to report strange transactions on their accounts. These are then traced back to an eCommerce website that has been compromised by injected code.

Many of these attacks seen in the past rely on JavaScript code that only loads on pages whose URLs contain keywords like “checkout” or “onepage”, or other keywords eCommerce app developers often use to signify the checkout page. In this case, however, no such injection was found even after careful study of all the JavaScript scripts that would be loaded when a customer attempts to pay for their purchase.

To the researchers who made the discovery, this implied that the card skimming malware had compromised the website’s backend through PHP. The backend of the website, running on the server, is often the meat and potatoes of the website, doing all the heavy lifting such as storing databases.

Many instances of card skimming have been found to only impact the front end, the parts of the website that the customer sees, meaning that the customer’s machine may be compromised. In that case the retailer may have little control over whether fraud occurs; if the backend is compromised, however, all of the website’s customers could potentially become victims.

In this instance, researchers discovered that the malicious code may have had something to do with plugin updates that seemed odd at best. Researchers noted,

“The attackers know that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files. This is not the first time we have seen this, but what was quite fascinating about this particular infection was the way that the code was written to appear entirely benign.”

Before any card skimming malware could be installed, the attacker would need to gain access to the backend of the website, and to do this a backdoor is required. This one works by abusing a list of website administrators and setting the authorization cookie and current user login to one of those users. It is important to note that if WordPress’s wp-admin tool is secured, this method of access is blocked, as administrators will also have their IP address used to verify their credentials.

Plugin Abused to Add Card Skimmer

Once the attacker successfully creates a backdoor and accesses the backend as an administrator, they proceed to add the card skimming malware. To this end, the attacker chose the Wp-smush plugin.

It is important to note that this plugin is not vulnerable to exploitation en masse; rather, the attacker simply chose this plugin as a place to hide malicious code. Even at first glance, the researchers could not find anything malicious, or even obfuscated code that would indicate the presence of malicious code.

What the attacker did do was write code that did not look malicious at all and blended into the rest of the code as if it was meant to be there. The plugin abused by the attacker is meant to assist with image optimization, yet it contained a piece of code that made reference to WooCommerce.

Researchers were forced to wonder why a plugin for this purpose would even reference the eCommerce tool. This prompted further investigation, during which researchers discovered hidden variables. It was then that the malicious nature of the code was revealed, with researchers noting,

“The giveaway is the $stylesheet variable which references a questionable domain. Running a quick whois over that domain shows that it was registered very recently, probably with the express intent of exfiltrating stolen credit card details from the victim website…”

Researchers then discovered the card skimmer had been injected into the section of code responsible for informing users of a 404 error. After more analysis, it was discovered that the code using “file_get_contents” was written to scrape card data and send it to a server under the attacker’s control. Researchers concluded with a warning to website owners, saying,

“If you operate an ecommerce website be sure to be extra cautious during the holiday season. This is when we see attacks and compromises on ecommerce websites at their highest volume as attackers are poised to make handsome profits from stolen credit card details…Make sure to follow best security practices, harden your administrator dashboard, and ideally place your website behind a firewall service!”
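The researchers above make two practical points: attackers moved their injection out of the core files that security plugins already integrity-check and into plugin and theme files, and the tell-tale sign was a variable naming an unfamiliar domain next to a file_get_contents call in a 404 handler. The following Python script is an added example, not code from Sucuri, PCrisk or the WP Smush plugin. It extends hash-based integrity monitoring to a plugins directory and then applies the same review the researchers did by hand to every file that changed: it lists string literals naming hosts outside an allow-list and notes the presence of outbound network calls. The plugin name "image-optimizer", the allow-list and the sample files are constructed for the demonstration; the findings are review triggers for an administrator, not proof of compromise.

```python
"""Added example (not Sucuri's, PCrisk's or any plugin's code): baseline-and-diff
integrity check for a WordPress plugins directory plus a heuristic review of any
file that changed. The plugin tree, host allow-list and file contents are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# String literals that name a remote host, the shape of the $stylesheet variable
# the researchers described pointing at a freshly registered domain.
REMOTE_URL_RE = re.compile(r"""['"](https?://[^'"\s]+)['"]""")
# PHP calls that fetch from or send to a remote host. Next to an unfamiliar URL
# they are a review trigger, not proof of anything.
NETWORK_CALL_RE = re.compile(
    r"\b(file_get_contents|curl_exec|curl_init|wp_remote_post|wp_remote_get|fsockopen)\s*\("
)


def build_manifest(root):
    """Return {relative_path: sha256} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Classify files as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def review_text(text, allowed_hosts):
    """Flag remote URLs whose host is not on the allow-list, plus outbound calls."""
    findings = []
    for m in REMOTE_URL_RE.finditer(text):
        host = m.group(1).split("://", 1)[1].split("/", 1)[0].lower()
        if host not in allowed_hosts:
            findings.append(f"unlisted host {host!r} in string literal")
    if NETWORK_CALL_RE.search(text):
        findings.append("outbound network call present")
    return findings


def audit(root, baseline, allowed_hosts):
    """Diff the tree against the baseline and review every added or modified file."""
    current = build_manifest(root)
    changes = diff_manifest(baseline, current)
    report = {}
    for rel in changes["added"] + changes["modified"]:
        text = (Path(root) / rel).read_text(errors="replace")
        findings = review_text(text, allowed_hosts)
        if findings:
            report[rel] = findings
    return changes, report


def demo():
    """Constructed scenario: baseline a tiny plugin tree, then simulate a tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plugins"
        plugin = root / "image-optimizer"  # hypothetical plugin name
        plugin.mkdir(parents=True)
        benign = "<?php\nfunction io_optimize($img) { return imagejpeg($img, null, 80); }\n"
        (plugin / "optimizer.php").write_text(benign)
        (plugin / "readme.txt").write_text("Image Optimizer\n")
        baseline = build_manifest(root)  # taken at install time, stored out of band
        # Simulated tampering: a 404 handler gains a variable naming an unfamiliar
        # host and a file_get_contents() call, the shape the researchers described.
        tampered = benign + (
            "function io_handle_404() {\n"
            "  $stylesheet = 'https://unknown-host.invalid/style.css';\n"
            "  return file_get_contents($stylesheet);\n}\n"
        )
        (plugin / "optimizer.php").write_text(tampered)
        return audit(root, baseline, allowed_hosts={"wordpress.org", "api.wordpress.org"})


if __name__ == "__main__":
    changes, report = demo()
    print("changes:", changes)
    for rel, findings in report.items():
        print(rel)
        for f in findings:
            print("  -", f)
```

In a real deployment the baseline manifest would be generated when a plugin is installed or updated from a trusted source and stored outside the web root, and the allow-list would hold the hosts the plugin legitimately contacts; any host outside it is exactly the kind of "questionable domain" the researchers checked with whois.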


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
