
New Skimmer Malware Targeting E-Commerce Sites

Researchers have identified a new variant of a credit card skimming attack, Caesar Cipher Skimmer, that targets multiple content management systems (CMS) including WordPress, Magento, and OpenCart.

The skimmer primarily targets data processing during the checkout process by injecting malicious code into the checkout PHP file. The attack uses obfuscated strings and a Caesar cipher technique to hide the malicious code. This is a significant finding because it is rare for new skimmers to be deployed simultaneously on different platforms.

SiteCheck malware detection for credit card skimmer infections.

A customer reported credit card theft on his WooCommerce checkout page. Investigation revealed malware injected into the form-checkout.php script, which a recent threat report said will be a common target in 2023. Because this file plays a key role in WooCommerce checkout, it is an effective place for attackers to steal credit card information.

In recent gtag skimmer injections, attackers use a Caesar cipher technique to obfuscate malicious code, which involves splitting a string of code into individual characters, reversing the order, and then subtracting a specific value (e.g., 3) from the Unicode value of each character.

Splits a string into single characters

The shifted character codes are converted back to characters and recombined into a string. This makes the script seem less suspicious at first glance, but the use of the String.fromCharCode method and the presence of mixed characters can still be a red flag for security experts.

The supplied obfuscated strings are first concatenated and split into individual characters, which are then reversed. Each character is then handled by its Unicode value (Unicode, a character encoding standard, assigns a numeric value to each character).

The str_rot13 function then applies the Caesar cipher, a simple encryption method that shifts the value of each character by a fixed amount.

Malware authors use the Caesar cipher technique to obfuscate the domain of the malicious content by subtracting the value 3 from each Unicode character of the domain URL, making it more difficult for antivirus and security vendors to detect the malicious domain.
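The transform described above (split, reverse, shift by a constant, String.fromCharCode), as an added example that is not from Sucuri's write-up or from the skimmer itself: a decoder an analyst can run over strings lifted from a captured sample, plus a marker-based triage check for the pattern. The domain, the fixture string and the script snippet are all constructed placeholders.

```javascript
// Undo the skimmer's string obfuscation as the article describes it: split the
// stored string into characters, reverse them, subtract `shift` (3 in the
// reported samples) from each code unit, and rebuild the string.
function decodeSkimmerString(obfuscated, shift = 3) {
  return obfuscated
    .split('')
    .reverse()
    .map((ch) => String.fromCharCode(ch.charCodeAt(0) - shift))
    .join('');
}

// Inverse transform, used here only to build a test fixture that mirrors what a
// sample would carry: add `shift` to each code unit, then reverse the order.
function encodeForFixture(plain, shift = 3) {
  return plain
    .split('')
    .map((ch) => String.fromCharCode(ch.charCodeAt(0) + shift))
    .reverse()
    .join('');
}

// Triage heuristic for script text: true only when all of the markers the
// article calls out appear together (split into characters, reverse, a constant
// subtracted from charCodeAt, and String.fromCharCode to rebuild the string).
function looksLikeCaesarSkimmer(scriptText) {
  const markers = [
    /\.split\(\s*['"]{2}\s*\)/,       // .split('')
    /\.reverse\(\s*\)/,                // .reverse()
    /charCodeAt\([^)]*\)\s*-\s*\d+/,   // charCodeAt(...) - N
    /String\.fromCharCode/,            // rebuild from code units
  ];
  return markers.every((re) => re.test(scriptText));
}

// Constructed fixture: a placeholder endpoint, not a real indicator.
const SAMPLE_PLAIN = 'wss://example.invalid/ws';
const SAMPLE_OBFUSCATED = encodeForFixture(SAMPLE_PLAIN);

// Constructed snippet shaped like the decode routine the article describes.
const SAMPLE_SCRIPT =
  "var u=a.split('').reverse().map(function(c){" +
  'return String.fromCharCode(c.charCodeAt(0)-3)}).join("");';

// Constructed benign snippet that shares none of the marker combination.
const BENIGN_SCRIPT =
  "document.querySelector('form').addEventListener('submit', onSubmit);";
```

Running `decodeSkimmerString(SAMPLE_OBFUSCATED)` recovers `SAMPLE_PLAIN`, and `looksLikeCaesarSkimmer` flags `SAMPLE_SCRIPT` but not `BENIGN_SCRIPT`.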

The malware then connects to the remote server via WebSocket to receive further instructions.

Some versions of the malware can even identify logged-in WordPress users and modify the skimmer’s behavior accordingly. Code comments in the malware script suggest that the developers speak Russian.


According to Sucuri, malware targeting e-commerce platforms has been detected on WordPress, Magento, and OpenCart sites.

Attackers are exploiting vulnerabilities in the WooCommerce form-checkout.php file and the WPCode Insert Headers and Footers plugin on WordPress sites.

In Magento's case, they target the core_config_data table, where custom code stores the JavaScript used for credit card skimming. OpenCart infections have not yet been observed, and where the malware resides on that platform is still being investigated.