Credit Card Stealer Targets WordPress Payment Plug-Ins
MageCart Operators Hide Infection in Legitimate Payment Processing Software
Hackers have repurposed credit card-stealing malware to attack WordPress websites that use a popular e-commerce plug-in, capturing and stealing payment card details, security researchers warn.
Attackers are deploying modified MageCart malware against WordPress websites that use the WooCommerce shopping cart plug-in, says website security firm Sucuri. WordPress plug-in developers Barn2 calculate that more than 40% of "all known online stores" use the plug-in.
An "overwhelming majority" of the credit card-skimming malware that Sucuri finds on compromised e-commerce environments targets WooCommerce. The modified MageCart injects PHP code into a plug-in file that handles the passing of payment data to Authorize.net, a popular Visa-owned payment gateway often used in conjunction with WooCommerce. The injected code checks whether web traffic to the infected website contains a string matching a payment card number. If it does, it dumps an encrypted copy of the card number into a .jpg file for later downloading.
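The article's description points to one concrete thing a site owner can check for: image files that are not actually images. The following script is an added defensive example written for this page, not code from the article, from Sucuri or from WordPress; it walks a directory tree, reads the first bytes of every file with an image extension, and reports those whose bytes do not begin with a real image signature. The sample `wp-content`-style tree it builds (a genuine JPEG header, a PNG header and a text blob named `cache.jpg`) is constructed for the demonstration.

```python
"""Flag files with image extensions that do not carry an image signature.

Added example for this article, not the site's or Sucuri's code. The article
reports that the skimmer stores captured card numbers in a .jpg file, so a
"JPEG" whose first bytes are not a JPEG header deserves a closer look.
"""
import os
import tempfile

# Magic bytes expected at offset 0 for each image extension we check.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_genuine_image(path):
    """Return True if the file's leading bytes match a signature for its extension."""
    ext = os.path.splitext(path)[1].lower()
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        return True  # not an image extension, so nothing to compare against
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(sig) for sig in signatures)


def find_fake_images(root):
    """Walk `root` and return sorted paths of image-named files lacking a signature."""
    suspicious = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_SIGNATURES:
                continue
            path = os.path.join(dirpath, name)
            if not is_genuine_image(path):
                suspicious.append(path)
    return sorted(suspicious)


def build_sample_tree():
    """Create a constructed wp-content-like tree with two real image headers and one fake."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # minimal JPEG-looking header
    with open(os.path.join(uploads, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # PNG header
    with open(os.path.join(uploads, "cache.jpg"), "wb") as fh:
        fh.write(b"constructed-opaque-blob-not-an-image\n")  # text, not an image
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_fake_images(sample_root):
        print("not an image:", hit)
```

Run it against a real site by calling `find_fake_images("/path/to/wp-content")` instead of the sample tree. A hit is a lead, not proof: legitimate software occasionally misnames files, so compare any flagged file's modification time and contents against your plug-in baseline before acting.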
"Dumping stolen credit card info to an image file is an old trick that we have identified attackers doing for quite a few years," Sucuri writes.
The vulnerabilities in question don't originate with WooCommerce or Authorize.net, Sucuri says, and instead highlight the importance of good website security.
The malware emulates the WordPress Heartbeat API to evade detection, Sucuri says. MageCart derives its name from its original target, the Magento e-commerce platform. Hackers have used it to breach British Airways, unsecured Amazon Web Services cloud storage accounts and jewelry chain Claire's.
Sucuri says it found the modified MageCart malware after a client received a warning from their bank that their website had been identified as potentially compromised, because cards used legitimately on the client's website had later been used fraudulently.
"If malicious actors compromise an environment they can tamper with existing controls," irrespective of a plug-in's security controls, Sucuri says.