Analysis Summary

Recently, a notable rise in detections of the "Caesar Cipher Skimmer" variant of the "gtag" credit card skimming attack has been observed totaling nearly 80 instances within the first two weeks alone.

This sophisticated malware variant has been identified across multiple CMS platforms including WordPress, Magento, and OpenCart, leveraging its adaptability to infiltrate diverse e-commerce environments simultaneously. This tactic underscores the agility of cybercriminals in repurposing malware across different platforms reminiscent of previous MageCart incidents where malware originally targeting Magento was later deployed on WordPress and WooCommerce sites.

Researchers said that the attack primarily targets crucial files like WooCommerce's form-checkout.php, exploiting its pivotal role in the checkout process to surreptitiously harvest credit card details from unsuspecting customers. The malware injects obfuscated scripts disguised as legitimate Google Analytics and Tag Manager code utilizing techniques like Unicode Caesar Cipher encryption to evade detection. By reversing, decoding, and executing JavaScript payloads, the attackers establish connections to remote servers via WebSocket protocols, facilitating the exfiltration of stolen data to malicious domains.

In addition to WooCommerce, Magento sites have also been compromised through manipulations within the core_config_data database table, highlighting a persistent strategy among attackers to embed skimming scripts deeply within site infrastructure. Although OpenCart infections have not been widely reported yet, vigilance is crucial as the threat landscape continues to evolve.

To mitigate the risk posed by these sophisticated attacks website owners are urged to implement rigorous security measures. This includes maintaining up-to-date software patches across all plugins and themes to prevent exploitation of known vulnerabilities. Regular review and strengthening of administrative account credentials are essential to thwart unauthorized access attempts. Implementing file integrity monitoring and leveraging web application firewalls (WAFs) can enhance detection capabilities and block malicious traffic, providing a proactive defense against evolving cyber threats targeting e-commerce platforms.

The resurgence of the "Caesar Cipher Skimmer" underscores the importance of continuous vigilance and proactive security measures in safeguarding e-commerce websites against increasingly sophisticated and adaptable cyber threats. Awareness of attack techniques and prompt implementation of security best practices are critical in mitigating risks and protecting sensitive customer information from unauthorized access and exploitation.

Impact

• Sensitive Data Theft
• Data Exfiltration
• Unauthorized Access
• Financial Loss

Indicators of Compromise

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Keep all CMS platforms, plugins, and themes updated to the latest versions to mitigate vulnerabilities frequently exploited by attackers.
• Regularly review and strengthen administrative account credentials, ensuring strong, unique passwords to prevent unauthorized access.
• Implement file integrity monitoring to detect unauthorized changes to website files promptly, enabling quick response to potential compromises.
• Deploy a web application firewall (WAF) configured to block malicious traffic and defend against hacking attempts targeting e-commerce sites.
• Conduct regular security audits and vulnerability assessments to identify and remediate potential security gaps proactively.
• Educate website administrators and staff about phishing tactics and malware threats, emphasizing vigilance in recognizing and avoiding suspicious activities.
• Monitor website traffic and server logs for unusual or unauthorized access patterns that may indicate a security breach.
• Consider using security plugins or services that specialize in malware detection and removal to enhance site security and protect against skimming attacks.