Sucuri Blog

WooCommerce Credit Card Skimmers Concealed In Fake Images

May 3, 2022, by Matt Morrow

Our research and remediation teams have noticed an increase in WooCommerce credit card skimmers on client sites over the past few years, as detailed in past blog posts.

WordPress has become a common e-commerce platform thanks to its ease of use and the growing number of plugins and components that handle online payments, and the frequency with which attackers target the popular CMS to steal personal information and credit card details is accelerating along with it.

We recently uncovered a case in which a credit card swiper had been injected into WordPress' core wp-settings.php file. The only symptom the customer reported was that images were disappearing from the WooCommerce cart almost as soon as they were uploaded.

Examining the Malware

Taking a look at wp-settings.php, we could see the following include statement.

(Image: wp-settings.php file hiding the credit card stealer)

Because the include was buried deep in the file, it was easy to miss on a casual review. The include statement itself does not match any malware pattern, so signature-based scanners could miss it as well. Furthermore, because the included file lived above the site directory, a cursory scan of the site's own files would not have reached it either.

Attackers often place malicious content out of the way so that it is harder to detect. One tactic is to create directories that look like system directories; another is to drop the malware into existing cPanel or other server directories outside the web root.

Looking at ../../Maildir/sub.main (Maildir being the account's mail spool, exactly the kind of existing server directory described above), we found over 150 lines of code obfuscated with str_rot13 and base64. Here is an example from the beginning of the file.

(Image: decoded obfuscated credit card stealer)

After decoding the entire file we found further obfuscated content. Most importantly, right at the top of the decoded output were the functions that stored the captured credit card data in the wp-content/uploads/highend/dyncamic.jpg image file.
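The following Python script is added here as an illustration; it is not part of Sucuri's write-up or tooling. It shows how an analyst can peel this kind of layered str_rot13/base64 wrapping without executing the PHP: it locates every nested decoder call around a quoted literal, applies the decoders in PHP's evaluation order (innermost call first), and follows each result in case it is itself another layer. The sample it decodes is constructed by the script itself (a harmless PHP stub that only names the drop file from this post); the real sub.main is not reproduced.

```python
"""Peel layered str_rot13 / base64 obfuscation of the kind found in sub.main.

Added example for this article, not Sucuri's tooling. The sample payload is
constructed: a harmless PHP stub, not the real skimmer.
"""
import base64
import codecs
import re

# Constructed stand-in for the innermost (plain) layer.
PLAIN_PHP = (
    "<?php\n"
    "$drop = ABSPATH . 'wp-content/uploads/highend/dyncamic.jpg';\n"
    "echo 'decoded';\n"
)

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def rot13(s: str) -> str:
    return codecs.encode(s, "rot_13")

def wrap_like_sub_main(payload: str) -> str:
    """Pack `payload` in two eval() layers (constructed, mirrors the shape seen):
    inner: eval(base64_decode(str_rot13('...')))  -> payload
    outer: eval(str_rot13(base64_decode('...')))  -> inner
    """
    inner = "eval(base64_decode(str_rot13('%s')));" % rot13(b64(payload))
    return "eval(str_rot13(base64_decode('%s')));" % b64(rot13(inner))

SAMPLE = wrap_like_sub_main(PLAIN_PHP)   # constructed input

# PHP decoder functions we know how to reverse, keyed by name.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s, validate=True).decode("utf-8", "replace"),
    "str_rot13": lambda s: codecs.decode(s, "rot_13"),
}

# One or more nested decoder calls wrapped around a quoted literal.
CHAIN = re.compile(
    r"((?:(?:base64_decode|str_rot13)\s*\(\s*)+)"   # e.g. str_rot13(base64_decode(
    r"(['\"])([A-Za-z0-9+/=]+)\2"                    # the literal they operate on
)

def decode_chain(call_prefix: str, blob: str) -> str:
    """Apply the decoders in PHP evaluation order: innermost call first."""
    funcs = re.findall(r"base64_decode|str_rot13", call_prefix)
    data = blob
    for f in reversed(funcs):
        data = DECODERS[f](data)
    return data

def layers(php: str, max_depth: int = 10):
    """Yield (depth, decoded_text) for every decoder chain, depth-first,
    following each decoded result in case it is itself obfuscated."""
    def walk(text, depth):
        if depth >= max_depth:
            return
        for m in CHAIN.finditer(text):
            try:
                decoded = decode_chain(m.group(1), m.group(3))
            except ValueError:      # not valid base64 (binascii.Error is a ValueError)
                continue
            yield depth + 1, decoded
            yield from walk(decoded, depth + 1)
    yield from walk(php, 0)

def deobfuscate(php: str) -> str:
    """Deepest layer reached (the plain payload), or the input unchanged if no
    decoder chain was found."""
    deepest, result = 0, php
    for depth, text in layers(php):
        if depth > deepest:
            deepest, result = depth, text
    return result

def suspicious_calls(php: str) -> set:
    """Names of runtime decode/execute functions present in the text."""
    return set(re.findall(r"\b(eval|base64_decode|str_rot13|gzinflate|assert)\s*\(", php))

if __name__ == "__main__":
    for depth, text in layers(SAMPLE):
        print("layer %d: %r" % (depth, text[:60]))
    print(deobfuscate(SAMPLE))
```

On a real file, run `layers()` first rather than jumping to `deobfuscate()`: a 150-line loader usually has several chains per layer, and the intermediate layers (the wrapper that writes to the fake image, for instance) are often what you need for the cleanup.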

(Image: fake dyncamic.jpg concealing the credit card skimmer's output)

Inspecting dyncamic.jpg, we found that it was not an image at all: it held several additional lines of obfuscated data.

(Image: encoded data inside the fake JPG)

When decoded, that data revealed not only credit card details submitted to the site but also admin credentials for the site's backend. We ran a couple of test transactions against the site to confirm the behaviour and, sure enough, our test data had been logged to the image file.

This is not the first time we have seen attackers export stolen credit card details to image files, which raises the question: why? There are a couple of reasons the tactic is useful. First, wp-content/uploads is served publicly, so it is very easy for the attackers to retrieve the stolen details in a browser or from a console. Second, most website and server malware scans focus on web file extensions such as PHP, JS and HTML; image files, particularly those in wp-content/uploads subdirectories, can be overlooked.
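One concrete check for that second point is an uploads audit that does not trust file extensions. The Python script below is an added example (not Sucuri's scanner): it compares each image file's leading magic bytes with what its extension promises, and additionally flags files that contain a PHP open tag or that are almost entirely printable text with long base64 runs, which is what the fake dyncamic.jpg looked like. The sample tree it builds in a temporary directory is constructed, including the base64 "records" that stand in for skimmed data.

```python
"""Audit an uploads tree for image files that are not images.

Added example for this article, not Sucuri's scanner. The sample tree is
constructed in a temporary directory.
"""
import base64
import os
import re
import tempfile

# Leading bytes a genuine file of each type must start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def text_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data)

def classify(path: str) -> list:
    """Reasons `path` is suspicious; an empty list means it looks like a real image."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return []                       # not claiming to be an image; out of scope here
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if not data.startswith(MAGIC[ext]):          # startswith accepts a tuple of prefixes
        reasons.append("magic bytes do not match %s" % ext)
    if PHP_TAG.search(data):
        reasons.append("contains a PHP open tag")
    # Real JPEGs may carry base64 in XMP metadata, so only treat base64 as a
    # signal when the file is almost entirely text, i.e. holds no image data.
    if text_ratio(data) > 0.95 and BASE64_RUN.search(data):
        reasons.append("mostly printable text containing long base64 runs")
    return reasons

def audit_uploads(root: str) -> dict:
    """Walk `root`; return {relative_path: [reasons]} for every flagged file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed fixture: a JPEG and a PNG with correct headers plus a fake
    JPEG that is really a base64 log, mirroring highend/dyncamic.jpg."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "highend"))
    with open(os.path.join(root, "real.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(256)) + b"\xff\xd9")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + bytes(range(256)))
    records = [b"constructed record %02d: placeholder standing in for skimmed form data" % i
               for i in range(4)]
    with open(os.path.join(root, "highend", "dyncamic.jpg"), "wb") as fh:
        fh.write(b"\n".join(base64.b64encode(r) for r in records) + b"\n")
    return root

if __name__ == "__main__":
    for path, reasons in sorted(audit_uploads(build_sample_tree()).items()):
        print(path, "->", "; ".join(reasons))
```

Point `audit_uploads()` at a real wp-content/uploads and review anything it returns by hand; a file that fails the magic-byte check is already worth opening, and the PHP-tag test also catches the older trick of hiding executable code behind an image extension.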

Conclusion & Mitigation Steps

This infection is a good example of why frequent core file integrity checks, and monitoring your environment for file changes in general, matter. Most WordPress security plugins include core file consistency checks. Core files should not change unless you have upgraded WordPress, so any change to them should be treated as suspicious and may indicate malware. If you don't have file integrity monitoring on your site already, set it up now.
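For sites managed with WP-CLI, `wp core verify-checksums` compares the core files with the hashes published by WordPress.org and is the quickest version of this check. The Python script below is an added example (not a WordPress or Sucuri tool) that applies the same idea against a baseline you take yourself, and goes one step past a yes/no answer: for each changed or new PHP file it lists include/require statements whose target resolves outside the site root, which is exactly the shape of the wp-settings.php injection described above. The miniature site it checks is constructed in a temporary directory, with the ../../Maildir/sub.main include appended to simulate the infection.

```python
"""Core-file integrity check that also explains what changed.

Added example for this article, not a WordPress or Sucuri tool. It hashes a
tree into a baseline manifest, reports files that later differ, and for each
changed PHP file lists include/require statements whose target resolves
outside the site root. The miniature site is constructed in a temp directory.
"""
import hashlib
import os
import re
import tempfile

# include/require followed by a quoted literal, optionally prefixed with
# ABSPATH . or __DIR__ . ; genuine core includes such as
#   require ABSPATH . WPINC . '/load.php';
# put a constant (WPINC) before the literal and are deliberately not matched.
INCLUDE = re.compile(
    r"\b(include|include_once|require|require_once)\s*\(?\s*"
    r"(ABSPATH\s*\.\s*|__DIR__\s*\.\s*)?"
    r"['\"]([^'\"]+)['\"]"
)

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: str, exts=(".php",)) -> dict:
    """{relative_path: sha256} for every file under root with a listed extension."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out

def diff_manifests(baseline: dict, current: dict):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def foreign_includes(root: str, rel_path: str) -> list:
    """(keyword, literal, resolved_path) for includes in rel_path that leave root.

    Bare relative paths are resolved against the including file's directory;
    PHP would also consult include_path and the cwd, so treat this as triage."""
    abs_root = os.path.realpath(root)
    src = os.path.join(abs_root, rel_path)
    with open(src, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for keyword, prefix, target in INCLUDE.findall(text):
        if prefix.startswith("ABSPATH"):
            resolved = os.path.join(abs_root, target.lstrip("/"))
        elif prefix:                                    # __DIR__ .
            resolved = os.path.join(os.path.dirname(src), target.lstrip("/"))
        else:                                           # relative, or absolute (join keeps it)
            resolved = os.path.join(os.path.dirname(src), target)
        resolved = os.path.realpath(resolved)
        if os.path.commonpath([abs_root, resolved]) != abs_root:
            hits.append((keyword, target, resolved))
    return hits

def build_sample_site() -> str:
    """Constructed fixture: a tiny 'WordPress' root with a clean wp-settings.php."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "load.php"), "w") as fh:
        fh.write("<?php\nfunction constructed_stub() {}\n")
    with open(os.path.join(root, "wp-settings.php"), "w") as fh:
        fh.write("<?php\n"
                 "define('WPINC', 'wp-includes');\n"
                 "require ABSPATH . WPINC . '/load.php';\n"        # genuine core style
                 "require __DIR__ . '/wp-includes/load.php';\n")   # constructed; stays inside root
    return root

def simulate_infection(root: str) -> None:
    """Append the kind of include the article found (the target does not exist here)."""
    with open(os.path.join(root, "wp-settings.php"), "a") as fh:
        fh.write("\ninclude('../../Maildir/sub.main');\n")

if __name__ == "__main__":
    root = build_sample_site()
    baseline = manifest(root)           # take this right after a clean install or upgrade
    simulate_infection(root)
    modified, added, removed = diff_manifests(baseline, manifest(root))
    print("modified:", modified, "added:", added, "removed:", removed)
    for path in modified + added:
        for keyword, literal, resolved in foreign_includes(root, path):
            print("%s: %s '%s' resolves to %s, outside the site root" % (path, keyword, literal, resolved))
```

Store the baseline manifest off the server (an attacker who can edit wp-settings.php can edit a manifest sitting next to it), refresh it only after a deliberate upgrade, and treat any hit from `foreign_includes()` as a lead to follow to the referenced file rather than as proof on its own.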

It is also worth noting that you should always keep plugins and themes up to date, and remove any that are not in use even if they are updated. Attackers are always looking for weak points, and just because a vulnerability has not been documented does not mean one does not exist.

By default, WordPress allows files to be edited directly from the wp-admin dashboard. This is convenient for modifying your website, but equally convenient for an attacker who has obtained admin access and wants to drop a payload. Setting DISALLOW_FILE_EDIT to true in wp-config.php removes the built-in theme and plugin editors, and adding extra authentication requirements in front of the admin panel, such as two-factor authentication, is essential for maintaining a secure website.

We also encourage you to regularly review the administrator accounts on your site and change your admin passwords. Our detailed post on password security best practices describes how to protect your website.

If you suspect that your site has been infected, you can sign up for our website firewall and remediation services.

Categories: Website Malware Infections, Website Security, WordPress Security
Tags: Black Hat Tactics, Hacked Websites, Obfuscation, WooCommerce

About Matt Morrow

Matt is a Cyber Security analyst who joined Sucuri in 2018. Matt has a long history of working with Linux and Windows servers in a wide context. At Sucuri, Matt's main responsibilities include identifying and removing malware from websites as well as researching emerging malware trends. When Matt isn't focusing his attention there, you will usually find him working on a new piece of music or out in his garden.

© 2023 Sucuri Inc. All rights reserved