Credit Card Stealer Targets WordPress Payment Plug-Ins

Card Not Present Fraud, Fraud Management & Cybercrime

MageCart Operators Hide Infection in Legitimate Payment Processing Software

Hackers have repurposed credit card-stealing malware to attack WordPress websites that use a popular e-commerce plug-in to capture and steal payment card details, security researchers warn.

Attackers are deploying modified MageCart malware against WordPress websites that use the WooCommerce shopping cart plug-in, says website security firm Sucuri. WordPress plug-in developers Barn2 calculate that more than 40% of “all known online stores” use the plug-in.

An “overwhelming majority” of the credit card-skimming malware that Sucuri finds on compromised e-commerce environments targets WooCommerce. The modified MageCart injects PHP code into a plug-in file that facilitates the handling of payment data to Authorize.net, a popular Visa-owned payment gateway often used in conjunction with WooCommerce. The injected code checks whether web traffic from infected websites contains a string for payment card numbers. If it does, it dumps an encrypted copy of the card number into a .jpg file for later downloading.

“Dumping stolen credit card info to an image file is an old trick that we have identified attackers doing for quite a few years,” Sucuri writes.
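A defender-side check for the image-file trick described above, as an added example that is not from Sucuri or the original article: it walks JPEG markers and flags `.jpg` files that are not images at all or that carry bytes after the end-of-image marker. It assumes the dumped data either replaces or follows real image data (the article does not say which); the function names and the sample bytes are constructed for illustration.

```python
import os
import struct

# Constructed JPEG-shaped sample: SOI, APP0 segment, SOS header, scan data, EOI.
SAMPLE = (b"\xff\xd8" b"\xff\xe0\x00\x04AB" b"\xff\xda\x00\x02"
          b"\x12\xff\x00\x34" b"\xff\xd9")

def jpeg_status(data: bytes) -> str:
    """Classify bytes as 'ok', 'not_jpeg', 'truncated' or 'trailing_data'."""
    if data[:3] != b"\xff\xd8\xff":              # must open with SOI + a marker
        return "not_jpeg"
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return "not_jpeg"                    # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                     # EOI: nothing may follow it
            return "ok" if pos + 2 == len(data) else "trailing_data"
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                             # markers without a length field
        elif pos + 4 > len(data):
            return "truncated"
        else:
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:                   # SOS: skip entropy-coded bytes
                pos = next_marker(data, pos)
    return "truncated"

def next_marker(data: bytes, pos: int) -> int:
    """Return the offset of the next real marker after scan data."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)

def scan(root: str) -> dict:
    """Map each .jpg/.jpeg path under root that is not a clean JPEG to its status."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    status = jpeg_status(fh.read())
                if status != "ok":
                    findings[path] = status
    return findings
```

A hit from `scan()` is a lead for manual review rather than a verdict, since some legitimate tools also append data after the image.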

The vulnerabilities in question don’t originate with WooCommerce or Authorize.net, Sucuri says, and instead highlight the importance of good website security.

The modified MageCart malware also injects JavaScript into the payment gateway code to capture data such as cardholder name, address, phone number and postal code – data that increases the value of stolen payment card data on the black market.

The malware emulates the WordPress Heartbeat API to evade detection, Sucuri says.

MageCart derives its name from its original target, the Magento e-commerce platform. Hackers have used it to breach British Airways, unsecured Amazon Web Services cloud storage accounts and jewelry chain Claire’s.

Sucuri says it found the modified MageCart malware after a client received a warning from their bank that their website had been identified as potentially compromised since cards used legitimately on the client website had later been used fraudulently.

“If malicious actors compromise an environment they can tamper with existing controls,” irrespective of a plug-in’s security controls, Sucuri says.


