Of late, WooCommerce, a plugin that turns a WordPress site into an e-commerce platform is gaining popularity among the developer and business community. As a result, hackers have shifted their focus towards WordPress WooCommerce websites to target them frequently.
WordPress sites under credit card hack
Hackers have been caught using a ‘credit card swiper injection’ to seal credit card details of people making a purchase on WooCommerce WordPress sites. Hackers trying to target WooCommere WordPress sites isn’t something new. What’s perhaps new is the fact that attackers are using a dedicated credit card swiping malware within WordPress.
In the past, attacks were limited to hackers forwarding payments to their PayPal account. However, attackers stealing credit card information pose a much bigger risk now.
In its recent analysis, Sucuri that is a GoDaddy-owned website security company wrote:
“Naturally, WooCommerce and other WordPress-based ecommerce websites have been targeted before, but this has typically been limited to modifications of payment details within the plugin settings.”
“For example, forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new.
In this case, hackers were actively using JavaScript injection to append a malicious code in a JQuery file, which is located on this path: /wp-includes/js/jquery/jquery.js. This technique is a little harder to detect since hackers are using a script with an already existing, legitimate file.
Upon analyzing further, researchers observed that the technique relies on the file_put_contents function to store credit card details into two separate image files within the wp-content/uploads directory structure.
However, the contents had already been removed by the time researchers tried to analyze the hack. It raises another possibility that the malware may be capable of ‘covering its own track’ and automatically clearing these files after attackers had successfully captured credit card details.
It could have been the result of a compromised WordPress wp-admin account, SFTP password, hosting password, or a piece of vulnerable software in the environment. Researchers recommend WordPress owners to disable direct file editing for wp-admin.
File integrity monitoring and regularly checking the integrity of core WordPress files are of paramount importance to safeguard your WordPress websites and servers against outside threats.
It is recommended that you change your admin and other passwords right away. You may want to also disable direct file editing for wp-admin.
