Magecart, a type of malware that targets eCommerce websites and steals credit card information, has now extended to WordPress environments, particularly those using WooCommerce. WooCommerce is a popular, open-source eCommerce plugin for WordPress. Recently, one client of Sucuri, a web security company, received a warning from their bank that their website may have been compromised. Upon investigation, researchers found that the compromise occurred through modified files related to the client’s payment gateway, Authorize.net, which allows vendors to handle digital transactions. The attackers tampered with the primary file of the plugin and injected malicious code that steals payment information from users. The code stores the stolen credit card information in an image file (.jpg) that is encrypted with a public key in PEM format and a randomly generated string, making it more difficult for fraud prevention officers or law enforcement to investigate the theft. The attackers also modified a JavaScript file to intercept additional billing information besides credit card details, increasing the value of the stolen credit card information. The attacker appears to have imitated the Heartbeat API to avoid detection while sniffing the billing information.
Sucuri also found another malicious file that allows the attacker to steal more information, such as names, addresses, phone numbers, and postal codes, making the dataset more valuable when it is sold on the dark web. This attack is more sophisticated than traditional Magecart campaigns, and Sucuri advises continuous monitoring of file integrity to prevent such attacks. Magecart attacks have previously affected companies such as Emma Sleep Company, See Tickets, and Nutribullet.
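A minimal file-integrity check of the kind recommended above, written as an added example (it is not Sucuri's tooling or code from the incident). It compares a plugin directory against a known-good baseline and also flags `.jpg` files that do not start with a JPEG header; that second check is a heuristic assumed here from the description of card data being written to an encrypted `.jpg`. All directory and file names are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"   # a real JPEG starts with these bytes
CODE_EXT = {".php", ".js"}     # file types the article says were tampered with

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root):
    """Map relative path -> SHA-256 for every file under a known-good tree."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def audit(root, baseline):
    """Compare the live tree to the baseline; return sorted (finding, path) pairs."""
    root, findings = Path(root), []
    live = build_baseline(root)
    for rel, digest in live.items():
        ext = Path(rel).suffix.lower()
        if rel not in baseline:
            findings.append(("added", rel))
        elif baseline[rel] != digest:
            findings.append(("modified-code" if ext in CODE_EXT else "modified", rel))
        # Heuristic: an image extension on non-image content deserves a look.
        if ext in {".jpg", ".jpeg"} and (root / rel).read_bytes()[:3] != JPEG_MAGIC:
            findings.append(("fake-jpeg", rel))
    findings += [("removed", rel) for rel in baseline if rel not in live]
    return sorted(findings)

def demo():
    """Constructed plugin tree: take a baseline, simulate tampering, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-gateway"
        (plugin / "assets").mkdir(parents=True)
        (plugin / "gateway.php").write_text("<?php // clean main file\n")
        (plugin / "assets" / "checkout.js").write_text("// clean script\n")
        (plugin / "assets" / "logo.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
        baseline = build_baseline(plugin)
        # Simulated changes: edited code files and a new opaque ".jpg".
        (plugin / "gateway.php").write_text("<?php // clean main file\n// changed\n")
        (plugin / "assets" / "checkout.js").write_text("// clean script\n// changed\n")
        (plugin / "assets" / "cache.jpg").write_bytes(b"opaque non-image bytes")
        return audit(plugin, baseline)

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:14} {rel}")
```

The baseline has to be taken from a trusted copy of the plugin and stored somewhere the web server cannot write to; otherwise an attacker who can modify the plugin can also rewrite the baseline.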