Online transactions ease our daily lives but also pose a serious risk to both businesses and their customers. Magecart attacks are one such risk. Magecart is a type of malware that can steal credit card information from eCommerce websites. This threat has now extended to WordPress environments, particularly those using WooCommerce.
WooCommerce is a popular, open-source eCommerce plugin for WordPress.
How did the attack happen?
After analyzing its client’s website, Sucuri found a suspicious line of code indicating a malicious injection. Upon further study, they found several interesting elements designed to siphon information and evade detection.
For starters, the code encrypts the stolen card data with an AES-128 CBC block cipher, using a randomly assigned password, and saves it as a .jpg file. Usually, Magecart malware dumps its haul as plain text or as simple base64-encoded data.
Storing stolen credit card information in an image file is not a new technique, but in most instances the information is saved as plain text or encoded as basic base64 data. Cybersecurity researchers therefore see the added encryption as a new trend.
- Use the Subresource Integrity (SRI) mechanism to record a cryptographic hash of a known-good file and allowlist it. The browser will then refuse to run the file if any malicious change is made.
- Regularly check payment gateways and related files for any unauthorized changes or modifications.
- Keep payment gateway plugins and other software up to date with the latest security patches and updates.
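
One way to carry out the file checks recommended above, as an added example that is not from Sucuri or the original article: a baseline hash comparison for a payment gateway plugin directory that also flags .jpg files lacking the JPEG magic bytes. It assumes an encrypted dump like the one described will not begin with a valid JPEG header; the directory and file names are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"  # every valid JPEG file starts with these bytes

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Hash every file under root; keys are paths relative to root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against a known-good baseline."""
    current = build_baseline(root)
    report = {
        "modified": [f for f in current if f in baseline and current[f] != baseline[f]],
        "added": [f for f in current if f not in baseline],
        "missing": [f for f in baseline if f not in current],
        "fake_jpeg": [],
    }
    # Assumption: encrypted data saved with a .jpg name has no JPEG header.
    for rel in current:
        if rel.lower().endswith((".jpg", ".jpeg")):
            with open(root / rel, "rb") as fh:
                if fh.read(3) != JPEG_MAGIC:
                    report["fake_jpeg"].append(rel)
    return report

def demo() -> dict[str, list[str]]:
    """Constructed sample tree: a clean plugin, then a simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "gateway-plugin"  # hypothetical plugin directory
        (root / "assets").mkdir(parents=True)
        (root / "gateway.php").write_text("<?php // payment handler\n")
        (root / "assets" / "logo.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
        baseline = build_baseline(root)  # taken while the files are known-good
        # Simulated change: an edited handler plus a .jpg that is not image data
        (root / "gateway.php").write_text("<?php // payment handler (changed)\n")
        (root / "assets" / "style.jpg").write_bytes(bytes(range(16, 48)))
        return audit(root, baseline)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline should be stored off the web server, so that whoever alters the files cannot also rewrite the hashes.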