
New Magecart Attack Targets WooCommerce Sites

Since October 2019 there has been a rise in Magecart attacks, in which attackers target the platforms used to process electronic payments for online shopping. In this campaign the attackers stole credit card data by injecting malicious JavaScript into the checkout carts of affected platforms. The code, only 22 lines long, skimmed credit card details and sent them to a command and control server. The details are then sold on the dark web or used to buy goods at the victims' expense.

An article by the security company Sucuri analyzed the new attack campaign, which targets the WooCommerce WordPress plugin. WooCommerce is a free, open-source plugin with over 5 million active installs, which makes it a popular choice for running e-commerce websites. The article explained that similar attacks had hit other platforms before, with PrestaShop and Magento being affected. The company referred to these attacks as card swipers: threats that forward payments to the attacker's PayPal email rather than to the legitimate owners of the cards. Injecting swiping malware into WordPress through the WooCommerce campaign, however, is a new development.

Malicious JavaScript used in the campaign

The attack was found when a client reported that multiple customers had experienced fraudulent credit card transactions after making purchases on the client's website. The researcher established that the client ran no other platform that could account for the fraud, only WordPress and WooCommerce.

After integrity checks were run on the site's code, the malicious injection was discovered. The JavaScript was hard to analyze, but it was apparent that the infection saved the CVV security code and the credit card number as cookies. Credit card swipers are common wherever attackers can insert malicious JavaScript into third-party websites. Script blockers may stop most of them, but when an existing JavaScript file on the website is modified, the changes are not easy to spot. The fact that the malware lived inside an already existing file made it harder to detect.

The researchers found that the malware used concatenated, error-correcting code that made it harder for webmasters to detect any malicious intent. That is a common tactic in PHP malware and other malware designed to avoid detection for as long as possible. The malware was embedded in the website's core files, something not commonly seen: in most cases, card skimming malware is loaded from third-party websites under the attackers' control. The attackers took care to cover their tracks, mainly by dumping the stolen details into two image files. That is not uncommon; by the time the researchers analyzed the files, the images had already been cleared, which left their analysis incomplete.

WooCommerce still under attack

For the owners of compromised websites, the obvious worry is how the attackers got in. The answer is not easy to find: in many cases websites fall victim to common, unpatched vulnerabilities, which are solved simply by applying the patch. Other cases are more complicated, such as this recent one, where there was little information on how the attackers compromised the website. There are many possibilities, from a compromised wp-admin account, hosting password or SFTP password to another compromised piece of software. WordPress site owners are advised to take the extra step of disabling direct file editing from wp-admin by adding the line "define('DISALLOW_FILE_EDIT', true );" to the wp-config.php file.
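The integrity check that exposed the modified JavaScript file, and the wp-config.php hardening recommended above, can both be scripted. The following is an added example written for this page, not code from the article or from Sucuri; the paths in the comments are assumptions, and the manifest should live outside the web root and be passed as an absolute path.

```sh
#!/bin/sh
# Added example, not the article's or Sucuri's code: a minimal file-integrity
# baseline for a WordPress document root (the kind of check that exposed the
# modified JavaScript file described above), plus a check that wp-config.php
# carries DISALLOW_FILE_EDIT. Paths are assumptions; adjust them to your site.
# Keep the manifest outside the web root and pass it as an absolute path.

# Hash every .php and .js file under $1 into the manifest $2.
# Run this on a known-clean tree (fresh install or verified cleanup).
wp_baseline() {
    root="$1"; manifest="$2"
    ( cd "$root" && find . -type f \( -name '*.php' -o -name '*.js' \) \
        -exec sha256sum {} + ) > "$manifest"
}

# Compare the live tree under $1 against the manifest $2.
# Prints FAILED lines for changed or missing files (from sha256sum -c) and
# ADDED lines for files not in the manifest. Returns 0 when nothing differs.
wp_verify() {
    root="$1"; manifest="$2"; rc=0
    [ -r "$manifest" ] || { echo "manifest $manifest not readable" >&2; return 2; }
    # sha256sum -c reports "path: OK", "path: FAILED" or "path: FAILED open or read".
    bad=$( cd "$root" && sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' || true )
    if [ -n "$bad" ]; then printf '%s\n' "$bad"; rc=1; fi
    # Manifest lines are "<64 hex chars>  <path>", so the path starts at column 67.
    known=$(cut -c67- "$manifest")
    added=$( ( cd "$root" && find . -type f \( -name '*.php' -o -name '*.js' \) ) |
        while IFS= read -r f; do
            printf '%s\n' "$known" | grep -qxF -- "$f" || echo "ADDED: $f"
        done )
    if [ -n "$added" ]; then printf '%s\n' "$added"; rc=1; fi
    return $rc
}

# Succeeds only if $1 (a wp-config.php) defines DISALLOW_FILE_EDIT as true,
# which removes the theme and plugin file editor from wp-admin.
wp_file_edit_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Typical use (assumed paths):
#   wp_baseline /var/www/html /root/wp-manifest.sha256   # once, on a clean tree
#   wp_verify   /var/www/html /root/wp-manifest.sha256   # from cron; alert on non-zero
#   wp_file_edit_disabled /var/www/html/wp-config.php || echo "file editor still enabled"
```

A baseline taken from an already compromised tree only certifies the compromise, so build it from a fresh download or after a verified cleanup.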

Future attacks on WooCommerce are likely, as are attacks on Stripe and Magento, given that campaigns have targeted the plugin as far back as August 2018, when over 7000 websites were injected with a particularly aggressive Magecart skimmer.