Hackers inject credit card stealers into payment processing modules
A new credit card stealing hacking campaign is doing things differently than we have seen in the past by hiding their malicious code inside the 'Authorize.net' payment gateway module for WooCommerce, allowing the breach to evade detection by security scans.
Historically, when threat actors breach a commerce site like Magento or WordPress running WooCommerce, they inject malicious JavaScript into the HTML of the store or customer checkout pages.
These scripts will then steal inputted customer information on checkout, such as credit card numbers, expiration dates, CVV numbers, addresses, phone numbers, and email addresses.
However, many online merchants now work with security software companies that scan the HTML of public-facing eCommerce sites to find malicious scripts, making it harder for threat actors to stay hidden.
To evade detection, the threat actors are now injecting malicious scripts directly into the site's payment gateway modules used to process credit card payments on checkout.
As these extensions are usually only called after a user submits their credit card details and checks out at the store, it may be harder to detect by cybersecurity solutions.
The campaign was discovered by website security experts at Sucuri after being called in to investigate an unusual infection on one of their client's systems.
Targeting payment gateways
WooCommerce is a popular eCommerce platform for WordPress used by roughly 40% of all online stores.
To accept credit cards on the site, stores utilize a payment processing system, such as Authorize.net, a popular processor used by 440,000 merchants worldwide.
On the compromised site, Sucuri discovered that threat actors modified the "class-wc-authorize-net-cim.php" file, one of Authorize.net's files supporting the payment gateway's integration to WooCommerce environments.
The code injected at the bottom of the file checks if the HTTP request body contains the "wc-authorize-net-cim-credit-card-account-number" string, which means it carries payment data after a user checks out their cart on the store.
If it does, the code generates a random password, encrypts the victim's payment details with AES-128-CBC, and stores it in an image file that the attackers later retrieve.
A second injection performed by the attackers is on "wc-authorize-net-cim.min.js," also an Authorize.net file.
The injected code captures additional payment details from input form elements on the infected website, aiming to intercept the victim's name, shipping address, phone number, and zip/postal code.
Evading detection
Another notable aspect of this campaign is the stealthiness of the skimmer and its functions, which make it particularly hard to discover and uproot, leading to extended periods of data exfiltration.
First, the malicious code was injected in legitimate payment gateway files, so regular inspections that scan websites' public HTML or look for suspicious file additions wouldn't yield any results.
Secondly, saving stolen credit card details on an image file isn't a new tactic, but strong encryption is a novel element that helps attackers evade detection. In past cases, threat actors stored stolen data in plaintext form, used weak, base64 encoding, or simply transferred the stolen information to the attackers during checkout.
Thirdly, the threat actors abuse WordPress's Heartbeat API to emulate regular traffic and mix it with the victims' payment data during exfiltration, which helps them evade detection from security tools monitoring for unauthorized data exfiltration.
As MageCart actors evolve their tactics and increasingly target WooCommerce and WordPress sites, it is essential for website owners and administrators to stay vigilant and enforce robust security measures.
This recent campaign discovered by Sucuri highlights the growing sophistication of credit card skimming attacks and the attackers' ingenuity in bypassing security.
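A file-integrity check of the kind the "Evading detection" points call for, as an added example that is not part of the original post or Sucuri's tooling: it hashes an installed plugin tree against a pristine copy of the same version, so edits to existing files show up, and it lists image-named files that lack an image signature. The directory layout, sample contents and function names are constructed assumptions; only the two gateway file names come from the article.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading bytes of common image formats, used by the image-file heuristic.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit_plugin(pristine_dir, installed_dir):
    """Compare an installed plugin tree with a pristine copy of the same version."""
    good, live = manifest(pristine_dir), manifest(installed_dir)
    return {
        "modified": sorted(f for f in good if f in live and good[f] != live[f]),
        "missing": sorted(f for f in good if f not in live),
        "added": sorted(f for f in live if f not in good),
    }

def fake_images(root):
    """List image-named files whose first bytes are not that format's signature."""
    root = Path(root)
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in IMAGE_MAGIC
            and not p.read_bytes().startswith(IMAGE_MAGIC[p.suffix.lower()])]

def demo():
    """Constructed sample: a pristine tree and an installed copy with one edit."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            (d / "assets").mkdir(parents=True)
            (d / "class-wc-authorize-net-cim.php").write_text("<?php // gateway class\n")
            (d / "assets/wc-authorize-net-cim.min.js").write_text("/* gateway js */\n")
            (d / "assets/logo.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 16)
        # Constructed tampering: lines appended to a legitimate file, plus a blob named .jpg.
        with open(live / "class-wc-authorize-net-cim.php", "a") as fh:
            fh.write("// appended lines (placeholder)\n")
        (live / "assets/cache.jpg").write_bytes(bytes(range(64)))
        return audit_plugin(clean, live), fake_images(live)

if __name__ == "__main__":
    print(demo())
```

The pristine copy has to come from the vendor's package for the exact installed version; a baseline taken from the live site after compromise would already contain the injected code.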
-
User
Yikes! Another example of why you should only use a credit card for online purchases (at least in the U.S., where the consumer is protected against credit card fraud). Notice in the picture that a debit card is being used.
-
New user
Credit card theft is a serious problem, so it's important to take steps to protect personal and financial information when making online transactions. While hackers can embed credit card theft software into payment processing modules, there are steps you can take to minimize your risk:
Keep your software up to date: Regularly update your operating system, web browsers and antivirus software to ensure you have the latest security patches and protection against known vulnerabilities.
Use trusted platforms: Only shop online on trusted sites and platforms with secure payment processing systems. Look for the padlock symbol and "https://" in a website's URL to indicate a secure connection.
Be careful when using third-party modules: If you use third-party payment processing modules or plugins on your website, make sure they come from reliable sources and have a good security reputation. Update and monitor these modules regularly for potential vulnerabilities.
Apply robust security measures: Use secure payment gateways that offer encryption and tokenization to protect customer credit card information during transmission and storage. Use additional layers of security, such as two-factor authentication, to enhance security.
Educate yourself and your employees: Be aware of common phishing techniques, malware attacks and other methods hackers use to steal credit card information. Educate yourself and your employees on Internet security best practices and how to identify potential threats.
If you suspect your credit card information has been compromised, contact your credit card provider immediately to report the incident and take the appropriate steps to protect your account.
Remember, following strict security guidelines and being vigilant when making online transactions will help minimize the risk of credit card theft and protect your financial information.
From personal situations: I wanted to buy protein supplements for muscle gain. I went to the unofficial website and entered my card information. They charged my credit card, but I got it all back through the court. After that I only buy supplements at https://a-steroidshop.ws/testosterone/.
Last edited by Geowhsip; 02-13-2024 at 03:41 PM.