WooCommerce Credit Card Skimmers Concealed In Fake Images

  • May 3, 2022
WooCommerce Credit Card Stealer Concealed in Fake JPG

Our research and remediation teams have noticed an increase in WooCommerce credit card skimmers on client sites over the past few years, as detailed in past blog posts.

Due to the increased number of plugins and components facilitating online payments and its ease of use, WordPress has become a common e-commerce platform — and the frequency in which the popular CMS is being targeted by attackers aiming to steal sensitive personal information and credit card details is also accelerating.

We recently uncovered a case where a credit card swiper had been injected into WordPress’ wp-settings.php file. The only symptom our customer reported was that images were disappearing from the WooCommerce cart almost as soon as they were uploaded.

Examining the Malware

Taking a look at wp-settings.php, we could see the following include statement.

wp-settings.php file hiding credit card stealer

Because the include was buried deep down into the file, it was easy to miss on a casual review. Additionally, because the include itself does not follow any malware patterns, it could be missed by malware scanners looking for specific signatures. Furthermore, because the malicious file being included was located above the site directory, a cursory scan of the site files would have also missed that.

Attackers often like to place malicious content out of the way so it is more difficult to detect. One tactic they use is to create directories that look like system directories, or to place malware in existing core CPanel or other server directories.

Taking a look at ../../Maildir/sub.main, we found over 150 lines of code which had been obfuscated with str_rot13 and base64. Here is an example from the beginning of the file.

Decoded Obfuscated Credit Card Stealer

After decoding the entire file, we found additional obfuscated content — most importantly, right at the top of the decoded output, we found functions to store credit card data concealed in the wp-content/uploads/highend/dyncamic.jpg image file.

Fake dyncamic JPG conceals credit card skimmer

Upon inspection, we could see several additional lines of obfuscated data.

Encoded data

When decoded, that data revealed not only credit card details submitted to the site, but also admin credentials to the site’s backend. We ran a couple of test transactions against the site to confirm the behavior and, sure enough, our test data had been logged in the image file.

This is not the first time that we have seen attackers export stolen credit card details to image files. This begs the question: Why? There are a couple reasons why this is a useful tactic. For starters, it makes it very easy for the attackers to download the stolen details in their browser or a console. Secondly, most website/server malware detection scans focus on website file extensions such as PHP, JS, and HTML. Image files, particularly those in a wp-content/uploads sub-directories, can sometimes be overlooked.

Conclusion & Mitigation Steps

This infection is a great example of the importance of running frequent core file integrity checks, as well as monitoring your environment for any file changes. Most WordPress security plugins will include core file consistency checks. Since most core files shouldn’t change unless you have upgraded your WordPress version, any changes to the core files should be treated as suspicious and could indicate malware. If you don’t have one already, make sure to get file integrity monitoring installed on your site!

It’s also worth noting that you should always keep your plugins and themes up to date. If you have any plugins or themes installed that are not being used you should also remove them, even if they are updated. Attackers are always looking for weak points and just because a vulnerability has not been documented does not mean one does not exist.

By default, WordPress allows the editing of files directly from the wp-admin dashboard. This makes it convenient to modify your website, but makes it equally convenient for attackers to place their payload. Adding some additional authentication requirements on your admin panel is essential for maintaining a secure website.

We encourage you to regularly review the administrators accounts in your site, and change your admin passwords. You can refer to our detailed post which describes password security best practices to protect your website.

If you suspect that your site has been infected, you can sign up for our website firewall and remediation services.

Matt is a Cyber Security analyst who joined Sucuri in 2018. Matt has a long history of working with Linux and Windows servers in a wide context. At Sucuri, Matt's main responsibilities include identifying and removing malware from websites as well as researching emerging malware trends. When Matt isn't focusing his attention there, you will usually find him working on a new piece of music or out in his garden.

Related Tags
Related Categories
You May Also Like