WordPress WooCommerce sites targeted by card swiper attacks

Credit card swipers have found a hard-to-detect way to target WordPress websites using the WooCommerce plugin by secretly modifying legitimate JavaScript files.

That’s according to web security company Sucuri, which has detailed a recent attack it was called in to investigate on a site that had experienced a mysterious spate of credit card fraud.

How this was happening wasn’t clear until Sucuri ran an integrity check on the files (comparing the files present with a known default state) and it became clear that the attackers had hidden malicious JavaScript code inside a system file.

This is unusual because most attacks on ecommerce systems involve appending code at the end of a file, a technique which is effective but easier for defenders to spot.
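The integrity check Sucuri describes is simple to reproduce: hash every file in the live install and compare against a manifest taken from a known-clean copy (WP-CLI users can do much the same for core and wordpress.org plugins with `wp core verify-checksums` and `wp plugin verify-checksums`). The script below is an added example, not Sucuri's tooling or WordPress code; it builds a constructed clean tree and a "live" tree in which one WooCommerce JavaScript file has been altered mid-file and an extra PHP file has appeared. The file names and contents are placeholders, not the artefacts from the case.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large media or vendor files do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_manifest(manifest: dict, live_root: Path) -> dict:
    """Classify the live tree against a trusted manifest.

    A hash mismatch catches bytes changed anywhere in a file, so code spliced
    into the middle of a legitimate script is flagged just like code appended
    to its end.  Files absent from the manifest (a dropped PHP loader, say)
    show up as 'added'; deleted files show up as 'missing'.
    """
    live = build_manifest(live_root)
    return {
        "modified": sorted(p for p in manifest if p in live and live[p] != manifest[p]),
        "added": sorted(p for p in live if p not in manifest),
        "missing": sorted(p for p in manifest if p not in live),
    }


def demo() -> dict:
    """Constructed scenario (placeholder names and contents, not the real case)."""
    js_rel = "wp-content/plugins/woocommerce/assets/js/checkout.js"
    clean_js = "function placeOrder() {\n  submitOrder();\n}\n"
    # Same file with one line inserted in the middle, not appended at the end.
    altered_js = (
        "function placeOrder() {\n"
        "  beacon(document.forms[0]); /* placeholder for injected code */\n"
        "  submitOrder();\n}\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        reference, live = Path(tmp, "reference"), Path(tmp, "live")
        for root, js in ((reference, clean_js), (live, altered_js)):
            (root / js_rel).parent.mkdir(parents=True)
            (root / js_rel).write_text(js)
            (root / "wp-includes").mkdir()
            (root / "wp-includes/functions.php").write_text("<?php // core file\n")
        # Hypothetical extra PHP file on the live site; the name is made up.
        (live / "wp-includes/class-wp-loader-extra.php").write_text("<?php // placeholder\n")
        return compare_to_manifest(build_manifest(reference), live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against a real site by building the manifest from a fresh download of the same WordPress, WooCommerce and theme versions, then diffing the live document root; anything under `wp-content/uploads` that is executable, or any PHP file that the manifest does not know about, deserves a look before anything else.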

When it comes to attacks against smaller ecommerce sites, it’s also usually simpler to change payment details, forwarding funds to a malicious account.

In this incident, the attackers had gone to some trouble to cover their tracks, apparently even clearing the stolen data they cached on the site after the attack.

The most significant giveaway sign on the WordPress CMS was that a PHP file was added to ensure the malicious code loaded, Sucuri said.

The important question is how the attackers got into the site in the first place. Unfortunately, that’s less clear although the most likely route is either a compromise of the admin account or by exploiting a software vulnerability in WordPress or WooCommerce.

Sucuri’s Ben Martin warned that although this type of WooCommerce attack is still the exception, this isn’t the only time he’s seen it.

Since working on this website, I have seen a handful of other cases, all with varying payloads.

Ecommerce skimming attacks have become a major problem in the last three years, with several large companies using the Magento platform being hit by a malware outfit called Magecart that netted huge sums.

The objective in this type of attack is to exploit a security weakness to bury malicious code on payments systems, capturing the credit card details as customers enter them.

Customers get the products or services they paid for, while in the background the criminals have captured the data they need to commit card fraud.

These attacks are often not detected until card victims complain, which appears to be what happened in the case documented by Sucuri.

Despite its growing popularity, the open source WordPress plugin WooCommerce has avoided the worst of this, perhaps because it’s used by smaller websites that are viewed as small fry. Perhaps that’s now changing.

It’s a reminder that all ecommerce shops need careful defence. In the case of WooCommerce, these include changing the default WordPress username from admin to something attackers will find difficult to guess, as well as using a strong password.

In addition to more specific security settings such as limiting login attempts and using two-factor authentication, it’s also critical to keep the WordPress and the WooCommerce plugins up to date.

Sucuri’s Martin also recommends:

Disable direct file editing for wp-admin by adding the following line to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );


Latest Naked Security podcast

TikTok users beware: Hackers could swap your videos with their own

Mobile app developers Tommy Mysk and Talal Haj Bakry just published a blog article entitled “TikTok vulnerability enables hackers to show users fake videos“.

As far as we can see, they’re right.

(We replicated their results with a slightly older Android version of TikTok from a few days ago, 15.5.44; their tests included the very latest builds on Android and iOS, numbered 15.7.4 and 15.5.6 respectively.)

We used a similar approach to Mysk and Haj Bakry to look at the network traffic produced by TikTok – we installed the tPacketCapture app on Android and then ran the TikTok app for a while to flip through a few popular videos.

The tPacketCapture app works rather like tcpdump on Unix/Linux computers, logging your network packets to a file called a .pcap (short for packet capture) that you can analyze later at your leisure.

We imported our .pcap file back into Wireshark on Linux, which automatically “dissects” the captured packets to give you a human-readable interpretation of their contents.

As you’d expect, a lot of TikTok’s network conversation is encrypted using TLS to create HTTPS (secure HTTP) connections, as you can see if we extract a representative subset of TLS setup packets from our capture file:

  TLSv1.2 Client Hello
  TLSv1.2 Server Hello, Certificate
  TLSv1.2 Certificate Status, Server Key Exchange, Server Hello Done
  TLSv1.2 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  TLSv1.2 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
  TLSv1.2 Client Hello
  TLSv1.2 Server Hello, Certificate, Certificate Status, Server Key Exchange, Server Hello Done
  TLSv1.2 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  TLSv1.2 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message, Application Data
  TLSv1.2 Client Hello
  TLSv1.2 Server Hello
  TLSv1.2 Certificate, Certificate Status, Server Key Exchange, Server Hello Done
  TLSv1.2 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  TLSv1.2 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message, Application Data

So the TikTok programmers certainly seem to know about TLS and why it’s important.

But huge swathes of the content that gets sent back from TikTok’s content delivery network (CDN) isn’t encrypted, as this randomly chosen sample of packets from the capture reveals (we shortened the URLs because some of them were very long):

  HTTP GET /img/tos-maliva[...................].webp HTTP/1.1             <--WEBP image
  HTTP GET /aweme/100x100/tiktok-obj/[........].webp HTTP/1.1             <--WEBP image
  HTTP GET /b819[....]/5e9533a3/video/tos/[...]&vl=&vr= HTTP/1.1          <--MP4 video
  HTTP GET /971e[....]/5e9533d2/video/tos/[...]&vl=&vr= HTTP/1.1          <--MP4 video
  HTTP GET /img/musically-maliva-obj/1[.......].jpeg HTTP/1.1             <--JPEG image
  HTTP GET /obj/musically-maliva-obj/UK_DE_comedy.jpg HTTP/1.1            <--JPEG image
  HTTP GET /img/musically-maliva-obj/1[.......].jpeg HTTP/1.1             <--JPEG image

The data fetched using plain old unencrypted HTTP requests included profile pictures, still frames from videos, and the videos themselves.
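You don't need Wireshark to do this kind of triage. The following added example (our illustration, not code from the Mysk and Haj Bakry write-up or from the Naked Security investigation) walks a classic pcap file in pure Python, pulls out every TCP payload and sorts it into TLS records versus plaintext HTTP requests, reporting the host and path of each unencrypted fetch. Because the real capture is not reproduced here, the block builds a constructed three-packet pcap of its own: one TLS ClientHello to port 443 and two plaintext GETs to port 80 with made-up hostnames and paths.

```python
import struct


# --- constructed sample capture (made-up hosts and paths, not TikTok's) -----
def _pcap_global_header() -> bytes:
    # Classic little-endian pcap: magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _pcap_record(frame: bytes) -> bytes:
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def _ipv4_tcp_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left at zero;
    the parser below does not verify them)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def sample_capture() -> bytes:
    tls_client_hello = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"
    get_image = b"GET /img/example-avatar.webp HTTP/1.1\r\nHost: cdn.example\r\n\r\n"
    get_video = b"GET /video/example-clip.mp4?vl=&vr= HTTP/1.1\r\nHost: cdn.example\r\n\r\n"
    packets = ((51000, 443, tls_client_hello), (51001, 80, get_image), (51002, 80, get_video))
    return _pcap_global_header() + b"".join(
        _pcap_record(_ipv4_tcp_frame(sp, dp, p)) for sp, dp, p in packets)


# --- the analysis ------------------------------------------------------------
def iter_tcp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for every TCP segment carrying data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                      # not TCP
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        src_port, dst_port = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src_port, dst_port, payload


def classify(payload: bytes) -> str:
    """Coarse content sniffing on the first bytes of a segment."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls-handshake"            # TLS record type 22, version 3.x
    if payload[:1] == b"\x17" and payload[1:2] == b"\x03":
        return "tls-appdata"
    first = payload.split(b"\r\n", 1)[0]
    if first.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return "http-request"
    if first.startswith(b"HTTP/1."):
        return "http-response"
    return "other"


def plaintext_requests(pcap: bytes) -> list:
    """Return (dst_port, host, path) for every unencrypted HTTP request."""
    found = []
    for _, dst_port, payload in iter_tcp_payloads(pcap):
        if classify(payload) != "http-request":
            continue
        head = payload.partition(b"\r\n\r\n")[0]
        lines = head.split(b"\r\n")
        _method, path, _version = lines[0].split(b" ", 2)
        host = b""
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip()
        found.append((dst_port, host.decode("latin-1"), path.decode("latin-1")))
    return found


def summarize(pcap: bytes) -> dict:
    counts = {}
    for _, _, payload in iter_tcp_payloads(pcap):
        kind = classify(payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    cap = sample_capture()
    print(summarize(cap))
    for port, host, path in plaintext_requests(cap):
        print(f"plaintext to :{port}  http://{host}{path}")
```

Point it at a file saved by tPacketCapture (or tcpdump) by replacing `sample_capture()` with the file's bytes; a stream of `http-request` hits against a CDN hostname, each naming a `.webp`, `.jpeg` or `.mp4`, is exactly the signature this article is describing. The sniffer is deliberately naive (no TCP reassembly, no pcapng), which is fine for spotting the problem but not for a full audit.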

What harm done?

At this point, you might be wondering, “If all the data transmitted via HTTP is already available for anyone to view, what harm does this cause?”

For example, it took us a few seconds to extract these avatar images and video stills directly from the unencrypted data that we found in our packet dump:

But we were also able to view all that content in the app without logging in – in other words, those images were already intended, by the people who uploaded them in the first place, to be visible to anyone who cared to look.

Anyone, in fact, who merely downloaded and played around with the TikTok app for a few minutes, as we did.

However, as Mysk and Haj Bakry pointed out in their article, there are two important reasons why apps of this sort should use HTTPS for everything:

  • Privacy. Anyone sniffing your TikTok traffic can easily tell what videos you’re watching, which profiles you’ve come across, and the order in which you’re moving through the site. That gives away something about you – your likes, dislikes and concerns, for example; perhaps even hints about your friends and family. And there is simply no excuse for apps to let other people on the network make inferences of that sort through simple network sniffing.
  • Authenticity. Anyone who can divert your web requests to a server of their own – the owner of the Wi-Fi network in your building or house, for example – could modify HTTP traffic undetected, so they could feed you fake videos in place of the ones you were supposed to see. Remember that HTTPS not only encrypts the traffic you receive so that other people can’t snoop on it, but also protects its integrity so that it can’t be tampered with along the way.

Indeed, Mysk and Haj Bakry’s post includes some short videos showing fake coronavirus news videos inserted into the TikTok app where you certainly wouldn’t expect to see them.

They delivered their “fake news” by booby-trapping their own network router to redirect requests from TikTok’s CDN to use their own video server instead.

But if the TikTok app were using HTTPS throughout, that sort of deception would be considerably more difficult because their router would not have the right HTTPS certificate to vouch for their swapped-out content, so the app would reject it.

What to do

As far as we can see, TikTok has made the same sort of programming blunder that Tinder made (and then hurriedly fixed) back in 2018.

TikTok’s regular website does seem to use HTTPS for serving up videos; but its app, perhaps for reasons of simplicity and speed, does not.

That’s good news, because it implies that TikTok’s CDN is already perfectly well-equipped to handle HTTPS requests, and therefore that the company ought to be able to update its app quickly to bring it into the 2020s.

In the meantime, we’ll repeat the advice we gave when Tinder had to rush to add HTTPS into its app two years ago:

  • For TikTok users. Be careful how seriously you take any of the videos that you see in the app – they could be swapped out fairly easily. If it’s a video of someone dropping Mentos into a toilet bowl filled with Diet Pepsi (spoiler: big mess!), falsification doesn’t matter much. But if you are looking for advice on the coronavirus pandemic, don’t rely on TikTok videos until this issue is fixed. If you are worried about how much others on your network might learn about you by eavesdropping on your TikTok viewing habits, stop using the TikTok app and stick to the website instead.
  • For the TikTok programmers. You’ve got all the images and videos on secure servers already, so stop cutting corners (we’re guessing you thought it would speed the mobile app up a bit to have the images unencrypted). Switch your mobile app to use HTTPS throughout.
  • For software engineers everywhere. Don’t let the product managers of your mobile apps force you to take security shortcuts. If you outsource your mobile development, don’t let the design team convince you to let form run ahead of function. In 2020, HTTPS isn’t “nice to have in a future version”, but something that you should not ship without.


ICANN asks registrars to crack down on scam coronavirus websites

When is ICANN going to do something about the explosion of scammy domains spawned by the COVID-19 pandemic?

We can’t, the overseers of the internet said last Tuesday (7 April), throwing their hands in the air and telling domain registrars that they can – and should.

On Wednesday, Agence France-Presse (AFP) reported that the internet domain-name overseers at ICANN – that’s the Internet Corporation for Assigned Names and Numbers – had taken the unusual step of sending a letter to the hundreds of domain name registrars around the globe that are accredited by ICANN to issue new website domain names.

The thing is, ICANN doesn’t have the authority to police website content. We know scammers are running wild, but we’re hamstrung when it comes to stopping them, ICANN chief executive Goran Marby said in the letter:

ICANN cannot, under our bylaw and practically speaking, involve itself in issues related to website content.

That does not mean we are unconcerned or unaware of how certain domain names are being misused in fraudulent activities during this global pandemic.

AFP referred to a recent report from the security research-focused Interisle Consulting Group (ICG) following its review of WHOIS practices among registrars. The report, which was prepared for ICANN, highlights the severity of pandemic scams, which all run on sites provided by registrars around the globe:

The pandemic has led to an explosion of cybercrime, preying upon a population desperate for safety and reassurance. These criminal activities require domain names, which are being used to run phishing, spam, and malware campaigns, and scam sites.

ICG found that last month alone, at least 100,000 new domain names were registered containing terms like “covid,” “corona,” and “virus”, as well as more domains registered to sell items such as medical masks, and yet more domains used to spam out ads for COVID-themed scams.

As of this writing, the number of confirmed malicious COVID-related domains is in the thousands.

The date on the report: 31 March. A few days before that, we saw an example when hijacked Twitter accounts were used to advertise face masks.

Also in late March, the US Department of Justice (DOJ) began prosecuting scam sites, starting with a domain that was hawking the phony-as-a-$3-bill “free coronavirus vaccine”, purportedly from the World Health Organization (WHO), for “only $4.95 to cover shipping costs”.

Who does that? A whole lot of low-lifes, that’s who, as ICANN security chief John Crain told AFP:

COVID-19 is unique in that it is truly global. And the cyber bad guys haven’t drifted toward it – they have rushed toward it like a barrel off Niagara Falls. This is a new low, preying on people at a time like this.

Crain noted that ICANN isn’t a regulator, and it has no enforcement authority per se. The letter lacked regulatory weight; rather, it was meant to remind registrars that “this is not about business as usual,” he said.

Some ARE trying to stop the bad domains

ICANN is throwing its hands in the air, but those hands are, admittedly, tied. But while all it can manage is a “C’mon, guys”, there are people actually taking real, practical action to stem the flow of these scumbag domains.

One such is the COVID-19 Cyber Threat Coalition (CTC): a global volunteer community of individuals and companies that’s come together in the last few weeks to combat cyber threats that are exploiting the pandemic. Sophos is a sponsor.

One of the things the group does is to produce blocklists of known, bad coronavirus-related URLs, domains and IP addresses. It also offers threat advisories, research and mitigation strategies.

As Naked Security’s Mark Stockley points out, it’s not a replacement for what ICANN is trying to do. The group is just another part of the effort to keep us from drowning in pandemic profiteering and misdirection:

ICANN is trying to plug the leak while the COVID-19 CTC is trying to bail out the boat.

Here’s another resource when it comes to fighting the scam spewers: Sophos News is maintaining an ongoing, live report about COVID-19 threats that it’s continuously updating with new information as it becomes available.

Stay safe, be well, and by all means, throw your hat in the ring if you have threat intelligence you can contribute to the CTC. Here’s how.



Monday review – the hot 15 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

Monday 6 April 2020

Tuesday 7 April 2020

Wednesday 8 April 2020

Thursday 9 April 2020

Friday 10 April 2020


Sextortion emails and porn scams are back – don’t let them scare you!

We’ve seen a recent surge of concern about sextortion emails over the last few days.

A sextortion or porn scam email is where cybercriminals email you out of the blue to claim that they’ve implanted malware on your computer, and have therefore been able to keep tabs on your online activity.

The crooks go on to claim that they’ve taken screenshots of you looking at a porn site – along with video recorded from your webcam.

They say they’ve put the screenshots and the webcam footage side-by-side to create an embarrassing video that they’re going to send to your friends and family…

…unless you pay them blackmail money, usually somewhere from $1,500 to $4,000, paid in bitcoins to a BTC address that the crooks provide in the email.

The latest one doing the rounds looks like this (the actual content varies considerably from scam to scam but the basic idea is the same):

I’m aware, [REDACTED] is your password. You may not know me, and you are most likely wondering why you’re getting this mail, right?

Overview:

I installed a malware on the adult vids (sex sites) site, and there’s more, you visited this site to have fun (you know what I mean). Once you were there on the website, my malware took control of your browser.

It started operating as a keylogger and remote desktop protocol which gave me access to your webcam. Immediately after that my software collected your complete contacts from your Messenger, FB, and email. I created a double-screen video. First part shows the video you were watching (you have a good taste lol…), and the second part displays the recording of your webcam.

Precisely what should you do?

Well, I believe, $1900 is a fair price for your little secret. You will make the payment through Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).

In reality, the video doesn’t exist and the whole thing is a scam to prey on your fears.

Why would you believe the crooks?

As many Naked Security readers have pointed out, if the crooks really wanted to convince you they had such a video, they’d put a still frame or a short clip from it in the sextortion email.

But they don’t have a video so they have to invent some “proof” that they have access to your computer.

In the example above, the crooks have included a password of yours (it may actually have been a password you used, but it probably dates back many years); in other sextortion samples, we’ve seen the crooks including phone numbers instead.

Usually, the crooks get this “evidence” from information that’s already circulating in the cybercriminal underworld as the result of a data breach, so the “proof” they have didn’t come from your computer at all, and doesn’t “prove” anything.
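Mail filters catch these messages on exactly the features described above: the "I know your password" opener, the malware-plus-webcam story, the threat to contact friends and family, and a bitcoin address with a dollar figure. The block below is an added example of that heuristic, written for this article rather than taken from Sophos's products or any real filter. The sample message is adapted from the scam text quoted above, with a syntactically valid but made-up bitcoin address appended; the benign control message is also constructed.

```python
import re

# Legacy (1.../3...) and bech32 (bc1...) address shapes; format only, no checksum.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{11,87})\b")
DOLLAR_AMOUNT = re.compile(r"\$\s?(\d+(?:,\d{3})*)")

# Each entry is one theme of the scam narrative.  Scoring counts distinct
# themes, so a message that merely repeats one keyword does not score.
THEMES = {
    "claims_compromise": ("malware", "keylogger", "remote desktop", "took control", "hacked"),
    "adult_content": ("porn", "adult", "sex site", "vids"),
    "webcam_recording": ("webcam", "double-screen", "recording of your"),
    "contacts_threat": ("contacts", "friends and family", "send this video"),
    "crypto_payment": ("bitcoin", "btc"),
    "stolen_credential": ("is your password",),
}


def analyse(text: str) -> dict:
    """Score a message; 5+ means several themes plus a payment address."""
    lowered = text.lower()
    themes_hit = [name for name, words in THEMES.items() if any(w in lowered for w in words)]
    addresses = BTC_ADDRESS.findall(text)
    amounts = [int(a.replace(",", "")) for a in DOLLAR_AMOUNT.findall(text)]
    score = len(themes_hit) + (2 if addresses else 0)
    return {
        "themes": themes_hit,
        "btc_addresses": addresses,
        "amounts_usd": amounts,
        "score": score,
        "verdict": "sextortion-scam" if score >= 5 else "unclear",
    }


# Constructed sample, adapted from the scam text quoted in the article;
# the address is a placeholder that only looks like a bitcoin address.
SAMPLE_EMAIL = """I'm aware, [REDACTED] is your password. You may not know me.
I installed a malware on the adult vids (sex sites) site, and my malware took control of your browser.
It started operating as a keylogger and remote desktop protocol which gave me access to your webcam.
My software collected your complete contacts from your Messenger, FB, and email.
I created a double-screen video. Well, I believe, $1900 is a fair price for your little secret.
You will make the payment through Bitcoin to 1ExampLeQ7m4ZQ2zs8n3d9VgKpT5ab6cDe
"""

# Constructed benign control: a routine password-reset notice.
BENIGN_EMAIL = "Hi, your password reset link expires in 24 hours. Ignore this if you did not request it."


if __name__ == "__main__":
    for label, msg in (("scam", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyse(msg))
```

The password line is the tell worth keeping in any rule: a genuine attacker with a video would show a frame of it, not a leaked credential, so "[something] is your password" plus a bitcoin address is a strong pairing even before the rest of the story is parsed.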

What to do

These emails are scams, and are just a pack of lies to frighten you into sending money.

Our advice is simply to delete the offending emails and move on, but you may have friends or family who have received one of these emails and are afraid of ignoring it.

Even if they never watch porn and don’t have a webcam, they may feel scared and confronted by the claims of malware implanted on their computer.

To help set your mind at rest, we made a short video explaining why these emails can safely be ignored; it is embedded in the original post.

By the way, if you’re looking for free anti-virus tools of the type we recommended in the video, you’ll find links in our Free Tools section below, from Sophos Home for Windows and Mac all the way to Sophos Antivirus for Linux.

