Cybercriminals are using a new attack tactic against e-commerce sites built on the WordPress platform, inserting malware that steals credit card data at the payment processing step. The main target is the WooCommerce extension, popular among product sales and merchandising pages, and the new method also helps the attackers evade security measures.

Instead of injecting malicious code into the websites themselves, their product pages or the cart, the malware now sits in the payment gateway module. This places it at a sensitive point in the purchase process: after the user has already entered their credit card details and clicks to finalize the purchase, which triggers the processing that confirms the order and diverts the information to the scammers. The practice also allows victims' full names, addresses, telephone numbers and documents to be obtained.

The attack format, called MageCart, is described in a report by the security company Sucuri, which warns users of WooCommerce, present in about 40% of online stores that use WordPress. More specifically, the code injection takes place on the compromised website, in its communication with Authorize.net, a payment gateway used worldwide to verify credit cards for purchase confirmations.

The focus on evading security systems also shows in the stealthy way the data is sent to the attackers. After obtaining the information, the malware builds an encrypted image file, complete with a random, automatically generated password, which makes the problem hard to detect even for systems that monitor network traffic. As an additional measure, the information is also mixed in with legitimate traffic, making it even more difficult to find.

According to Sucuri specialists, the new campaign is a response to the security methods adopted as attacks on WordPress websites increased. With the spread of tools that scan page code for malicious content, criminals have moved to new tactics that are stealthier and tied to specific moments of the purchase process, and they take additional measures to hide the exfiltration of the stolen information.

To protect themselves, store owners are advised to strengthen the security measures applied to the site, with secure passwords for user accounts and two-step authentication, and to monitor for changes and suspicious traffic. In its attack report, Sucuri also provides indicators of compromise that can be used in specific analyses.

Source: Sucuri
