WordPress WooCommerce sites targeted by card swiper attacks

Credit card swipers have found a hard-to-detect way to target WordPress websites using the WooCommerce plugin by secretly modifying legitimate JavaScript files.

That’s according to web security company Sucuri, which has detailed a recent attack it was called into investigate on a site that had experienced a mysterious spate of credit card fraud.

How this was happening wasn’t clear until Sucuri ran an integrity check on the files (comparing the files present with a known default state) and it became clear that the attackers had hidden malicious JavaScript code inside a system file.

This is unusual because most attacks on ecommerce systems involve appending code at the end of a file, a technique which is effective but easier for defenders to spot.

When it comes to attacks against smaller ecommerce sites, it’s also usually simpler to change payment details, forwarding funds to a malicious account.

In this incident, the attackers had gone to some trouble to cover their tracks, apparently even clearing the stolen data they cached on the site after the attack.

The most significant giveaway sign on the WordPress CMS was that a PHP file was added to ensure the malicious code loaded, Sucuri said.

The important question is how the attackers got into the site in the first place. Unfortunately, that’s less clear although the most likely route is either a compromise of the admin account or by exploiting a software vulnerability in WordPress or WooCommerce.

Sucuri’s Ben Martin warned that although this type of WooCommerce attack is still the exception, this isn’t the only time he’s seen it.

Since working on this website, I have seen a handful of other cases, all with varying payloads.

Ecommerce skimming attacks have become a major problem in the last three years, with several large companies using the Magento platform being hit by a malware outfit called Magecart that netted huge sums.

The objective in this type of attack is to exploit a security weakness to bury malicious code on payments systems, capturing the credit card details as customers enter them.

Customers get the products or services they paid for, while in the background the criminals have captured the data they need to commit card fraud.

These attacks are often not detected until card victims complain, which appears to be what happened in the case documented by Sucuri.

Despite its growing popularity, the open source WordPress plugin WooCommerce has avoided the worst of this, perhaps because it’s used by smaller websites that are viewed as small fry. Perhaps that’s now changing.

It’s a reminder that all ecommerce shops need careful defence. In the case of WooCommerce, these include changing the default WordPress username from admin to something attackers will find difficult to guess, as well as using a strong password.

In addition to more specific security settings such as limiting login attempts and using two-factor authentication, it’s also critical to keep the WordPress and the WooCommerce plugins up to date.

Sucuri’s Martin also recommends:

Disable direct file editing for wp-admin by adding the following line to your wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );


Latest Naked Security podcast

go top