A new credit card stealing hacking campaign is doing things differently than we have seen in the past by hiding their malicious code inside the ‘Authorize.net’ payment gateway module for WooCommcerce, allowing the breach to evade detection by security scans.

Historically, when threat actors breach a commerce site like Magenta or WordPress running WooCommerce, they inject malicious JavaScript into the HTML of the store or customer checkout pages. 

These scripts will then steal inputted customer information on checkout, such as credit card numbers, expiration dates, CVV numbers, addresses, phone numbers, and email addresses.

However, many online merchants now work with security software companies that scan the HTML of public-facing eCommerce sites to find malicious scripts, making it harder for threat actors to stay hidden.

To evade detection, the threat actors are now injecting malicious scripts directly into the site’s payment gateway modules used to process credit card payments on checkout.

As these extensions are usually only called after a user submits their credit card details and checks out at the store, it may be harder to detect by cybersecurity solutions.

The campaign was discovered by website security experts at Sucuri after being called in to investigate an unusual infection on one of their client’s systems.

Targeting payment gateways

WooCommerce is a popular eCommerce platform for WordPress used by roughly 40% of all online stores.

To accept credit cards on the site, stores utilize a payment processing system, such as Authorize.net, a popular processor used by 440,000 merchants worldwide.

On the compromised site, Sucuri discovered that threat actors modified the “class-wc-authorize-net-cim.php” file, one of Authorize.net’s files supporting the payment gateway’s integration to WooCommerce environments.

The code injected at the bottom of the file checks if the HTTP request body contains the “wc-authorize-net-cim-credit-card-account-number” string, which means it carries payment data after a user checks out their cart on the store.

If it does, the code generates a random password, encrypts the victim’s payment details with AES-128-CBC, and stores it in an image file that the attackers later retrieve.

A second injection performed by the attackers is on “wc-authorize-net-cim.min.js,” also an Authorize.net file.

The injected code captures additional payment details from input form elements on the infected website, aiming to intercept the victim’s name, shipping address, phone number, and zip/postal code.

Evading detection

Another notable aspect of this campaign is the stealthiness of the skimmer and its functions, which make it particularly hard to discover and uproot, leading to extended periods of data exfiltration.

First, the malicious code was injected in legitimate payment gateway files, so regular inspections that scan websites’ public HTML or look for suspicious file additions wouldn’t yield any results.

Secondly, saving stolen credit card details on an image file isn’t a new tactic, but strong encryption is a novel element that helps attackers evade detection. In past cases, threat actors stored stolen data in plaintext form, used weak, base64 encoding, or simply transferred the stolen information to the attackers during checkout.

Thirdly, the threat actors abuse WordPress’s Heartbeat API to emulate regular traffic and mix it with the victims’ payment data during exfiltration, which helps them evade detection from security tools monitoring for unauthorized data exfiltration.

As MageCart actors evolve their tactics and increasingly target WooCommerce and WordPress sites, it is essential for website owners and administrators to stay vigilant and enforce robust security measures.

This recent campaign discovered by Sukuri highlights the growing sophistication of credit card skimming attacks and the attackers’ ingenuity in bypassing security.