
Rewterz Threat Alert – WooCommerce Falling Victim to Fresh Card-Skimmer Malware

Severity

Medium

Analysis Summary

Credit-card-stealing criminals have set their sights on WooCommerce, the WordPress plugin that serves as an e-tailer platform, with JavaScript-based card-skimming malware. A skimmer attack lodged against a WooCommerce site was found to differ from prior payment-card campaigns that have targeted WordPress-based e-commerce destinations.

The attacker lodged the malicious JavaScript near the end of a jQuery file, ./wp-includes/js/jquery/jquery.js, inserted before the ending jQuery.noConflict(); call. The part of the script used to actually harvest the card details was found in the ./wp-includes/rest-api/class-wp-rest-api.php file. It behaves like other PHP malware.

Once it’s scooped up the payment details, the malicious script saves both the payment-card numbers and CVV card security codes in plain text in the form of cookies. It then uses the legitimate file_put_contents function to collect them into two separate image files (a .PNG file and a JPEG). These are kept in the wp-content/uploads directory structure.
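A site owner can check for the two artifacts described above with a short scan. The following is an added example, not code from the alert: it flags files under wp-content/uploads whose image extension does not match their leading bytes, and PHP files that both read cookies and call file_put_contents. The cookie-plus-write heuristic and the sample file names are assumptions, and a hit is a lead for manual review rather than proof of compromise.

```python
import os, re, tempfile

# Leading bytes of genuine PNG and JPEG files.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
# Heuristic (an assumption, not a signature from the alert): PHP that both
# reads cookies and writes files matches the behaviour described above.
COOKIE_RE = re.compile(rb"\$_COOKIE")
WRITE_RE = re.compile(rb"\bfile_put_contents\s*\(")

def scan(wp_root):
    """Return (fake_images, suspect_php) as sorted paths relative to wp_root."""
    fake_images, suspect_php = [], []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # cap the bytes read per file
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if ext in MAGIC and rel.startswith("wp-content/uploads/"):
                if not data.startswith(MAGIC[ext]):
                    fake_images.append(rel)  # image extension, non-image content
            elif ext == ".php" and COOKIE_RE.search(data) and WRITE_RE.search(data):
                suspect_php.append(rel)
    return sorted(fake_images), sorted(suspect_php)

def build_sample_tree(root):
    """Constructed sample site: one real PNG header, one text file posing as a JPEG."""
    files = {
        "wp-content/uploads/2020/04/logo.png": MAGIC[".png"] + b"\x00" * 16,
        "wp-content/uploads/2020/04/banner.jpg": b"4111111111111111|123\n",  # test card number
        "wp-includes/rest-api/example-clean.php": b"<?php echo 'ok';",
        "wp-includes/rest-api/example-suspect.php":
            b"<?php file_put_contents($f, $_COOKIE['x'], FILE_APPEND);",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Against a real installation, pass the WordPress root directory to scan() and compare any flagged core file with a clean copy of the same WordPress release.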

Impact

  • Harvesting of credentials
  • Exposure of sensitive data
  • Financial loss

Affected Vendors

WordPress

Affected Products

WooCommerce Plugin

Remediation

  • Always be skeptical about payment details.
  • Never give your financial details without verification.
  • Always download legitimate/recommended plugins for secure payment options.