Three New Payment Card Skimmers Found For WooCommerce Installations

Web admins overseeing retail sites using the WooCommerce platform need to watch out for new payment card skimmers that hackers embed into payment pages.

The warning comes from the security company RiskIQ, which said this week that it had found three new skimmers targeting e-merchants using the WooCommerce plugin for WordPress. It cited research by Barn2, a software company specializing in WordPress and WooCommerce products, claiming that WooCommerce accounts for 29% of the first million sites using e-commerce technologies, and that the free plugin surpassed 5 million active installations at the start of 2021.

RiskIQ describes the three new pieces of malicious code as follows:

The WooTheme Skimmer

This was detected on five domains using a compromised WooCommerce theme. It is “relatively simplistic and makes its functionality reasonably easy to understand.”

Operators obfuscated the skimming code in all discovered iterations except one. That instance appears to be an error, however, as RiskIQ detected the obfuscated skimmer on the same compromised domain before the cleartext version appeared.

A separate researcher discovered this same skimmer in July, with similar findings: the same exfiltration domain in the theme’s function.php file and the identical destination in the query.slim.js file.

The Selective Skimmer

Generic skimmers are reused repeatedly on the same infrastructure, even by different threat actors, who add unique elements to the skimmer for their specific needs. For RiskIQ, a minor change in a skimmer was enough to classify it as new; in this case, it is a misspelling of the word “select” in the script, which is why researchers call it the “Slect” skimmer.

Once the DOM content is fully loaded, the Slect skimmer does two things. First, it looks for a series of form field types that it does not want to extract data from, such as open text fields, passwords and checkboxes. Next, an event listener waits for a button click, which may let the skimmer evade security researchers’ sandboxes.

The exfiltration domain found in the skimmer has already been associated with other Magecart infrastructure and identified by RiskIQ researcher Jordan Herman as being used by a variant of the Grelos skimmer.

The Gateway Skimmer

RiskIQ says the actor added multiple layers and steps to this one to hide and obscure its processing. The skimmer code is “massive and hard to digest while being obscured and performs a few unique functions seen in other skimmers.” Across the various iterations of this skimmer, the words “gate” and “gateway” appear in the .php and .js files, hence its name.

After stripping the obfuscation from the legitimate code in which this skimmer was embedded, RiskIQ researchers found a skimmer they had been detecting since 2019. This WooCommerce version even exfiltrates personal and credit card data to the same C2 domain as that familiar skimmer. “Interestingly,” the report adds, “this WooCommerce version of the Gateway Skimmer is specifically looking for a Firebug web browser extension (long discontinued in 2017).”

As to how the sites were compromised, RiskIQ told ChannelDailyNews.com it believes the weaknesses lie in the compromised customers’ use of poorly controlled WooCommerce themes and unaudited third-party code. “This is explicitly true in the WooTheme skimmer, as we can see that the card skimmer is embedded in a malicious theme file, and the Slect and Gateway skimmers are both obscured and stuck in legitimate payment javascript.”

Beyond having robust detections for malware, website operators should regularly inspect their crontab entries for strange content, make sure that file access permissions are correct, and audit file access.
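As an added illustration of that advice (example code, not from RiskIQ or the article), the following POSIX shell audit walks a theme directory and reports the traits the report describes: PHP/JS files changed since deployment, world-writable files, obfuscation wrappers such as eval/base64_decode/atob, and external hosts hard-coded in scripts. The directory layout, file names and the placeholder exfiltration host are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or RiskIQ: audit a WooCommerce theme
# directory for the traits described above. All paths and names are constructed.

# Obfuscation primitives that commonly wrap injected skimmer code in PHP or JS.
INDICATORS='eval\(|atob\(|String\.fromCharCode|base64_decode\(|unescape\('

# audit_theme <theme_dir> [days]: print one finding per line
#   RECENT   file changed within <days> (a deployed theme should be static)
#   WRITABLE file is world-writable (any local process could plant code)
#   OBFUSC   file contains one of the obfuscation primitives above
#   EXTERN   file hard-codes an external host (candidate exfiltration target)
audit_theme() {
    dir=$1; days=${2:-7}
    find "$dir" -type f \( -name '*.php' -o -name '*.js' \) | while read -r f; do
        [ -n "$(find "$f" -mtime -"$days")" ] && echo "RECENT   $f"
        [ -n "$(find "$f" -perm -002)" ] && echo "WRITABLE $f"
        grep -Eq "$INDICATORS" "$f" && echo "OBFUSC   $f"
        grep -Eo 'https?://[A-Za-z0-9.-]+' "$f" | sort -u |
            while read -r u; do echo "EXTERN   $f -> $u"; done
    done
}

# make_sample <dir>: constructed theme tree for the demonstration. The "bad"
# file holds only indicator strings and a placeholder host, not working code.
make_sample() {
    dir=$1
    mkdir -p "$dir/js" "$dir/inc"
    printf '<?php\nadd_action("init", "theme_setup"); // benign helper\n' > "$dir/functions.php"
    printf 'document.querySelector("form").addEventListener("submit", validate);\n' > "$dir/js/checkout.js"
    touch -t 202101010000 "$dir/js/checkout.js"   # old: unchanged since deploy
    printf '<?php\n$u = "https://exfil-placeholder.example/gate.php";\neval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$dir/inc/loader.php"
    chmod 666 "$dir/inc/loader.php"                # loose permissions
}

# Stand-alone run: build the sample under a temp dir and audit it.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp -d); make_sample "$tmp"; audit_theme "$tmp"; rm -rf "$tmp"
fi
```

On a real install, point audit_theme at wp-content/themes/<active-theme> and treat RECENT and OBFUSC hits on files you did not change as the first things to diff against a known-good copy.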

Author: Howard Solomon

Currently a freelance writer, I am the former editor-in-chief of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I have written for several ITWC sister publications including ITBusiness.ca and Computer Dealer News. Prior to that, I was a reporter for the Calgary Herald and the Brampton (Ont.) Daily Times. I can be contacted at hsolomon [@] soloreporter.com
