An article by security company Sucuri analyzed a new attack campaign targeting the WooCommerce WordPress plugin. WooCommerce is a free, open-source plugin with over 5 million active installs, which makes it an easy choice for running e-commerce websites. The article explained that similar attacks had been seen before, with PrestaShop and Magento being affected. The company referred to these attacks as card skimmers, threats in which payments are forwarded to the attacker's PayPal email rather than to the legitimate owners of the cards. The campaign targeting WooCommerce, which involved injecting skimming malware into WordPress itself, is a new development.
The attack was found when a client reported that multiple customers had experienced fraudulent credit card transactions after making purchases on the client's website. The researcher established that the client used no other platforms that could account for the fraud, only WordPress and WooCommerce.
It was discovered that the malware code had been concatenated with error-correcting code, making it harder for webmasters to spot any malicious intent. Obscuring code this way is a common tactic for PHP malware and other malware, used to avoid detection for as long as possible. The malware was included in the website's core files, which is not commonly seen: in most cases, card skimming malware is loaded from third-party websites under the attackers' control. The attackers also took great care to cover their tracks, mostly by dumping the stolen details into two image files. That in itself isn't uncommon, but by the time the researchers were analyzing the files, the images had already been cleared, which left their analysis incomplete.
WooCommerce still under attack
For the owners of compromised websites, the obvious worry is how the attackers managed to get in. The answer is not always easy to find. In many cases, websites fall victim to common, unpatched vulnerabilities, which are solved simply by patching them. Other cases are more complicated, as in this one, where there was little information to dig out on how the attackers compromised the website. There are many possibilities, from a compromised wp-admin account, hosting password or SFTP password to another compromised piece of software. WordPress site owners are advised to take extra security measures, such as disabling direct file editing from wp-admin by adding the "define('DISALLOW_FILE_EDIT', true );" line to the wp-config.php file.
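The core-file injection described above and the wp-config.php hardening line suggest a simple check a site owner can run. The following Python is an added example, not code from the Sucuri article or from WordPress itself: it hashes a WordPress install against a baseline manifest taken from a clean copy, flags changed or unexpected files, and confirms that the DISALLOW_FILE_EDIT line is present. The directory layout and file contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash one file in chunks so large core files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def diff_manifest(baseline, current):
    """Return (modified, added, missing) paths of current vs a clean baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing

# Matches the hardening line the article recommends for wp-config.php.
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def file_edit_disabled(wp_config_text):
    """True if wp-config.php turns off the plugin/theme editor in wp-admin."""
    return bool(FILE_EDIT_RE.search(wp_config_text))

def demo():
    """Constructed mini site: clean baseline, then one core file altered and one unexpected file added."""
    with tempfile.TemporaryDirectory() as root:
        core = Path(root, "wp-includes")
        core.mkdir()
        (core / "functions.php").write_text("<?php function wp_ok() { return true; }\n")
        baseline = build_manifest(root)  # recorded from the clean install
        with open(core / "functions.php", "a") as f:
            f.write("// constructed tampering marker, not real malware\n")
        (core / "unexpected.php").write_text("<?php // constructed unexpected file\n")
        return diff_manifest(baseline, build_manifest(root))
```

In practice the baseline manifest is generated from the official WordPress release archive of the same version, stored off the web server, and compared on a schedule.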
Future attacks on the WooCommerce platform are likely, as are attacks on Stripe and Magento, given the campaigns targeting the plugin as far back as August 2018, when over 7000 websites were injected with MagentoCore.net, a particularly aggressive MageCart skimmer.