The holidays are always a busy time for ecommerce stores. Store owners are dealing with an influx of Christmas shoppers, holiday sales, inventory and shipping, and at times with hackers as well. Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time, right around the end of December.
What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged font, favicon and other less commonly used file types to pilfer credit card details. After running our regular checks for script tags, dodgy third-party content and modified core/plugin files and coming up empty-handed, it was time to perform a more in-depth analysis of what was going on.
Questionable <div> Tags on Checkout
The Web Open Font Format is a font format for use in web pages. WOFF files are OpenType or TrueType fonts, with format-specific compression applied and additional XML metadata added.
Time for an Intensive Scan
So, how exactly do we know that this is a credit card skimmer? For starters, it uses exactly the same type of obfuscation that we are accustomed to seeing in skimmer files. Moreover, once we beautify the code and make it a little more readable, it becomes obvious what it is collecting:
- CC number
- First and last name
- Expiration date
It’s also gathering some details not always seen in such skimmer files like the victim’s user agent and language.
Credit card details alone are not sufficient to use a stolen credit card number, so further down the file we also see the typical additional information being stolen:
- Postal / Zip code
Bonus Login and Cookie Stealer
This was also using some unorthodox methods to load into the victim’s browser, again without the customary <script> tags:
Once we unpack some of this code, we can see the classic atob() function (base64 decode) being used:
And when we decode that from base64, we can see a known malware domain that has been involved with malware attacks for the better part of a year:
Varied File Extensions to Hide Payload
This is not the first time that a bogus favicon has been used in a skimming attack, and certainly not the first time image files have been used. Other security researchers have also found font files used in MageCart attacks, but it’s certainly not something that we see every day. We’ve been tracking similar infections since about 2019.
You also may have noticed that the payload .woff files reside within several of the ./wp-content/uploads directories, rendering them invisible to a core file integrity check (present in almost all WordPress security plugins).
Attackers are always finding new and creative methods to hide their payloads. Web security scans tend to focus on files that make up the core of a website structure like .php or .js, so it only makes sense that some of the more crafty attackers would find new file extensions to exploit and creative ways to inject that content into victim browsers.
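Because a core file integrity check never looks at ./wp-content/uploads, a site owner who wants to catch this kind of infection needs a check that does. The script below is an added example written for this post, not a tool from the investigation or from any WordPress plugin. It walks an uploads directory and flags any file whose extension promises a font or image but whose bytes do not start with that format’s magic number (real values from the WOFF, TrueType, OpenType, ICO, PNG, GIF and JPEG specifications), or which contains strings such as atob( that belong in a script rather than in a font. For every atob('...') literal it finds, it also base64-decodes the argument so a hidden callback address can be read without running the code. The demo tree, the file names and the hostname skimmer-c2.example are constructed for the example and are not indicators from the case.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Optional

# First bytes that genuine files of each extension must start with (format magic numbers).
MAGIC = {
    ".woff": (b"wOFF",),
    ".woff2": (b"wOF2",),
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO",),
    ".ico": (b"\x00\x00\x01\x00",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Strings that have no business inside a font or image but are common in skimmer loaders.
JS_MARKERS = (b"atob(", b"eval(", b"document.createElement", b"XMLHttpRequest",
              b"fromCharCode", b"<script")

# Matches atob('...') / atob("...") with a base64 string literal as the argument.
ATOB_RE = re.compile(rb"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_atob_literals(data: bytes) -> list:
    """Return the decoded text of every atob('<base64>') literal found in data."""
    out = []
    for m in ATOB_RE.finditer(data):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64; skip rather than crash the scan
    return out


def inspect_file(path: Path) -> Optional[dict]:
    """Flag a font/image-named file whose header is wrong or which carries script markers."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return None  # only extensions we know the magic number for
    data = path.read_bytes()
    header_ok = any(data.startswith(magic) for magic in MAGIC[ext])
    markers = [m.decode() for m in JS_MARKERS if m in data]
    if header_ok and not markers:
        return None  # looks like a genuine font/image
    return {"path": str(path), "header_ok": header_ok, "markers": markers,
            "decoded": decode_atob_literals(data)}


def scan_uploads(root: Path) -> list:
    """Walk an uploads tree and collect findings for every suspicious file."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result = inspect_file(p)
            if result:
                findings.append(result)
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed sample uploads tree: one clean font, one clean icon, one fake font."""
    uploads = base / "wp-content" / "uploads" / "2020" / "12"
    uploads.mkdir(parents=True)
    # Correct WOFF magic and no script content (not a real font, just a valid header).
    (uploads / "real.woff").write_bytes(b"wOFF" + b"\x00" * 64)
    # Correct ICO magic, no script content.
    (uploads / "favicon.ico").write_bytes(b"\x00\x00\x01\x00" + b"\x00" * 32)
    # A .woff that is really a JavaScript loader (constructed stand-in; hostname is made up).
    hidden = base64.b64encode(b"https://skimmer-c2.example/gate.php").decode()
    (uploads / "fontawesome.woff").write_bytes(
        b"var u=atob('" + hidden.encode() + b"');var x=new XMLHttpRequest();")
    return base / "wp-content" / "uploads"


def run_demo() -> list:
    """Scan the constructed tree and return the findings (exactly the fake font)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point scan_uploads at a real ./wp-content/uploads directory to use it on a site; a file whose header is fine but which still trips a marker is worth a look too, since a payload can be appended after a valid font header. Treat a hit as a prompt for manual review rather than proof of infection, as a legitimate SVG or text asset can contain a few of these strings.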
Fortunately, once our client placed their website behind our firewall service and, crucially, used it to add an extra level of authentication to their wp-admin panel, the attackers have not been able to return since.
This case is a very good example of how MageCart threat actors are increasingly targeting WordPress websites using WooCommerce, a trend which we first observed in the last months of 2019 and early 2020. Ecommerce site owners should take steps to harden their wp-admin administration panel and make it more difficult for attackers to compromise these environments.