With the Christmas holiday shopping season around the corner, Magecart attackers are busier than ever: by one count, a new Magecart attack now takes place roughly every 16 minutes.
Retailers running the WooCommerce WordPress plugin are among the newest targets. The open-source plugin is easy to customize and powers 29% of the top one million websites that use e-commerce technology, and that popularity is exactly what makes it attractive to Magecart groups.
Researchers at RiskIQ detected three new skimmers targeting retailers using the WooCommerce plugin.
The three skimmers, dubbed WooTheme, Slect, and Gateway, are designed to evade detection and let the attackers steal customers' payment card details.
The attackers exploited vulnerabilities in third-party themes and tools integrated into WooCommerce pages to inject the skimming code into the sites.
More details about the skimmers
The WooTheme skimmer code, first discovered in July, was detected in five domains using a compromised WooCommerce theme.
On one website, the skimmer code appeared to be in the ‘error’ section of the compromised domain.
The Slect skimmer relies on a deliberate misspelling of the word 'select' ('slect') in its script to evade detection on compromised sites.
Once injected, the code enumerates form fields on the page, including open text fields, password fields, and checkboxes, and collects their contents.
The Gateway skimmer wraps its code in multiple layers of obfuscation, which makes it hard for security researchers to detect and analyze.
It uses the names 'gate' and 'gateway' in its PHP and JavaScript files so that the malicious files pass for the legitimate payment-gateway code a checkout page is expected to contain.
According to the researchers, the Gateway skimmer also checks specifically for the Firebug browser extension, a debugging tool that was discontinued in 2017, most likely as an anti-analysis step to detect when the code is being examined.
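The traits described above (the 'slect' misspelling, the 'gate'/'gateway' names, the Firebug probe, and the harvesting of text, password and checkbox inputs) can be turned into a first-pass triage check over the scripts a checkout page serves. The following is an added example, not code from RiskIQ, WooCommerce, or the skimmers themselves; the indicator list, weights, threshold and the two sample scripts are constructed assumptions for illustration only.

```javascript
// Added example (not RiskIQ's or WooCommerce's code): static triage of the
// JavaScript served on a checkout page for the skimmer traits described above.
// Indicator weights, the threshold and the sample scripts are assumptions.

const INDICATORS = [
  // Slect skimmer: deliberate misspelling of "select" in the script body
  { name: "slect-misspelling", re: /\bslect\b/i, weight: 3 },
  // Gateway skimmer: "gate"/"gateway" names. Weak on its own, because
  // legitimate payment-gateway code on a checkout page uses the same words
  { name: "gate-name", re: /\bgate(?:way)?\b/i, weight: 1 },
  // Anti-analysis: probing for the discontinued Firebug extension
  { name: "firebug-probe", re: /firebug/i, weight: 2 },
  // Harvesting of text, password and checkbox inputs
  { name: "input-harvest", re: /input\s*\[\s*type\s*=\s*["']?(?:text|password|checkbox)/i, weight: 2 },
  // Hand-off of collected data to a remote endpoint (XHR, fetch, beacon, or an
  // image request whose URL carries a query string)
  { name: "exfil-call", re: /\b(?:XMLHttpRequest|fetch|sendBeacon)\b|\.src\s*=\s*[^;]*\?/, weight: 1 },
];

// Assumption: a script needs more than one strong trait before it is flagged.
const SUSPICIOUS_THRESHOLD = 4;

// Score one script body and report which indicators fired.
function scanScript(name, source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    name,
    score,
    hits: hits.map((ind) => ind.name),
    suspicious: score >= SUSPICIOUS_THRESHOLD,
  };
}

// Scan a map of script name -> script body (e.g. everything a crawler pulled
// from the checkout page) and return one result per script.
function scanAll(scripts) {
  return Object.entries(scripts).map(([name, src]) => scanScript(name, src));
}

// Constructed sample scripts, not real skimmer code. The first mimics the traits
// RiskIQ describes; the second is an ordinary checkout helper that happens to
// use the word "gateway".
const SAMPLE_SCRIPTS = {
  "theme-error.js": `
    if (window.console && window.console.firebug) { /* bail out when inspected */ }
    var slect = document.querySelectorAll('input[type=text],input[type=password],input[type=checkbox]');
    var data = {};
    slect.forEach(function (el) { data[el.name] = el.value; });
    new Image().src = '/wp-content/gate.php?d=' + btoa(JSON.stringify(data));
  `,
  "checkout-gateway.js": `
    // shows the payment-gateway fieldset when the shopper picks a method
    var gateway = document.getElementById('payment_method');
    gateway.addEventListener('change', function () {
      document.querySelector('.gateway-fields').hidden = false;
    });
  `,
};

for (const result of scanAll(SAMPLE_SCRIPTS)) {
  console.log(
    `${result.name}: score=${result.score} suspicious=${result.suspicious} hits=${result.hits.join(",")}`
  );
}
```

The 'gate'/'gateway' indicator is deliberately weighted low: on a WooCommerce checkout page that word is expected, which is precisely why the skimmer chose it, so it only matters in combination with the other traits. A keyword check like this is a cheap first pass and nothing more; the Gateway skimmer's layers of obfuscation can hide every one of these strings, so it belongs alongside integrity monitoring of theme and plugin files rather than in place of it.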
The discovery of these skimmers shows that threat actors keep finding new ways to gain access to victim websites and to deploy and hide their tools there. Retailers should therefore raise their readiness for credit card skimming attacks ahead of the holiday season. Robust malware detection on the web server, and regular inspection of crontab entries for unexpected commands (a persistence mechanism attackers use to re-install a skimmer after cleanup), can further reduce the risk of such attacks.