
Peter Piper, Caesar Cipher; Skimming Your Payment Information

Published: July 09, 2024 in our Security Fraud News & Alerts newsletter.

A new credit card web skimmer, named Caesar Cipher Skimmer, has been targeting CMS platforms that are popular with e-commerce sites, such as WordPress, Magento, and OpenCart. Sucuri has stated that this latest campaign involves malicious modifications to the WooCommerce plugin's checkout PHP file in WordPress to capture payment card information.

Web skimmers are malware designed to steal financial and payment information from e-commerce sites. Skimmers generally work the following way:

Getting Access: Attackers can gain access to a website by either compromising the infrastructure/server to install the skimmer or exploiting vulnerabilities in third-party vendors' systems.

Obfuscation: To avoid detection, malicious code is often disguised, making it look like legitimate code. Techniques such as encoding with a Caesar cipher or masquerading as a legitimate service (e.g., Google Analytics) are used.

Activation: When a user visits the compromised site and reaches the payment page, the skimmer activates. The malicious script runs in the background, typically embedded in the checkout form or payment processing pages.

Data Collection: The skimmer captures sensitive information such as credit card numbers, names, addresses, and other personal details entered by the user during the checkout process.

Data Transmission: The captured data is then transmitted to a remote server controlled by the attacker.

Prevention Matters

  • Regular Updates: Ensure that all software, including CMS platforms and plugins, is kept up-to-date with the latest security patches.

  • Security Audits: Conduct regular security audits to identify and fix vulnerabilities.

  • Strong Passwords: Use strong, unique passwords and enable multi-factor authentication for administrative accounts.

  • Web Application Firewalls: Implement web application firewalls (WAFs) to filter and monitor HTTP requests for malicious activity.

  • Code Review: Regularly review the website’s code for unauthorized changes.

  • User Education: Educate users and administrators about phishing and social engineering tactics to prevent initial compromises.
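The Code Review item above, as an added example that is not a tool from the newsletter or from any vendor: a minimal Python integrity baseline that hashes a CMS install's PHP, JavaScript and HTML files, stores the hashes as JSON, and reports which files were modified, added or removed since the last known-good snapshot. An unexpected change to a checkout template, or a new script file that was never deployed, is exactly what this surfaces. The directory layout and file names (`plugins/example-shop/checkout.php`, `assets/gtm-lookalike.js`) are constructed placeholders; real plugin paths on a WordPress site differ.

```python
"""Integrity baseline (added example): hash the PHP/JS/HTML files of a CMS
install and report what changed since a known-good snapshot. Paths and
file names below are constructed placeholders."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = (".php", ".js", ".html")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large uploads do not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each watched file (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(path: Path, snap: dict[str, str]) -> None:
    """Persist a snapshot; keep this file outside the web root in practice."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Build a throwaway site tree, baseline it, then simulate the kind of
    tampering the article describes and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        checkout = root / "plugins" / "example-shop" / "checkout.php"  # placeholder path
        script = root / "assets" / "app.js"
        checkout.parent.mkdir(parents=True)
        script.parent.mkdir(parents=True)
        checkout.write_text("<?php /* constructed clean checkout template */ ?>\n")
        script.write_text("// constructed clean script\n")

        baseline_file = root / "baseline.json"  # .json is not a watched suffix
        save_baseline(baseline_file, snapshot(root))

        # Simulated compromise: an extra script tag lands in the checkout
        # template and a look-alike "tag manager" file appears.
        checkout.write_text('<?php ?><script src="/assets/gtm-lookalike.js"></script>\n')
        (root / "assets" / "gtm-lookalike.js").write_text("// constructed injected file\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `snapshot` right after a clean deployment and again on a schedule; any entry under `modified` or `added` that does not correspond to a deployment or a plugin update is worth a manual look, and a change to a checkout or payment template is worth an immediate one. The baseline must be stored and compared from outside the web root, since an attacker with write access to the site could otherwise rewrite it along with the files.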

Security researcher Ben Martin noted that the malware disguises itself as Google Analytics and Google Tag Manager scripts, using a Caesar cipher to encode the malicious code and conceal the external domain hosting the payload.

Besides WooCommerce, attackers misuse the WPCode plugin and exploit Magento database tables for JavaScript injections. The attack surface is large due to the widespread use of WordPress and its plugins.

Want to schedule a conversation? Please email us at advisor@nadicent.com
