WooCommerce Credit Card Skimmers Hiding in Fake Images

Our research and remediation teams have noticed an increase in WooCommerce credit card skimmers on customer sites over the past few years, as detailed in previous blog posts.

Thanks to the growing number of plugins and components that facilitate online payments, and to its ease of use, WordPress has become a mainstream e-commerce platform. The frequency with which the popular CMS is targeted by attackers aiming to steal sensitive personal information and credit card details is also accelerating.

We recently discovered a case where a credit card skimmer was injected into WordPress’ wp-settings.php file. The only symptom reported by our client was that images disappeared from the WooCommerce cart almost as soon as they were uploaded.

Malware Review

Taking a look at wp-settings.php, we see the following include statement.

wp-settings.php file hiding credit card thief

Because the inclusion was buried deep in the file, it was easy to miss during a casual review. Additionally, since the include statement itself does not match any malware pattern, it could be missed by malware scanners looking for specific signatures. And since the included malicious file was located above the site directory, a quick scan of the site files would have missed it as well.
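One way to catch this class of injection without relying on malware signatures is to inspect the include/require statements in core files and flag any whose target climbs above ABSPATH or does not point at a .php file. The script below is an added example, not code from the original article or from Sucuri; the sample wp-settings.php content is constructed for it (only the ../../Maildir/sub.main path comes from the case), and the exact form of the injected statement is an assumption.

```python
import re
from pathlib import Path

# Constructed fragment standing in for wp-settings.php: legitimate core includes
# plus one injected include that reaches above ABSPATH. Only the Maildir path is
# from the article; the rest of the content is invented for this example.
SAMPLE_WP_SETTINGS = """<?php
require( ABSPATH . WPINC . '/load.php' );
require( ABSPATH . WPINC . '/functions.php' );
include_once( ABSPATH . '../../Maildir/sub.main' );
require( ABSPATH . WPINC . '/class-wp.php' );
"""

INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b\s*\(?\s*(?P<arg>[^;]+);",
    re.IGNORECASE,
)
STRING_LITERAL_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def suspicious_includes(source: str):
    """Return a list of (line_no, statement, reasons) for include/require
    statements whose target leaves the site directory or is not a .php file."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        arg = m.group("arg")
        reasons = []
        if "../" in arg:
            reasons.append("path climbs above ABSPATH")
        # Join the quoted literal(s) in the argument to inspect the extension.
        literal = "".join(a or b for a, b in STRING_LITERAL_RE.findall(arg))
        if literal and not literal.lower().endswith(".php"):
            reasons.append("target is not a .php file")
        if reasons:
            hits.append((line_no, line.strip(), reasons))
    return hits


def scan_file(path):
    """Run the same check over a real file on disk, e.g. a site's wp-settings.php."""
    return suspicious_includes(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    for line_no, stmt, reasons in suspicious_includes(SAMPLE_WP_SETTINGS):
        print(f"line {line_no}: {stmt}  <- {', '.join(reasons)}")
```

Run it against every core file (wp-settings.php, wp-load.php, the wp-includes tree) after each update and keep the output as a baseline; a new hit between two runs is worth a manual look even when a signature scanner reports the file as clean.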

Attackers often like to place malicious content out of the way so that it’s harder to detect. One tactic they use is to create directories that look like system directories, or to place malware in existing base cPanel or other server directories.

Taking a look at ../../Maildir/sub.main, we found over 150 lines of code that had been obfuscated with str_rot13 and base64. Here is an example of the beginning of the file.

Decoded Obfuscated Credit Card Thief

After decoding the entire file, we found additional obfuscated content. More importantly, just above the decoded output, we found functions that store the captured credit card data in the wp-content/uploads/highend/dyncamic.jpg image file.
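Peeling nested str_rot13 and base64 layers by hand is tedious, and the layering usually alternates, so a small decoder that tries each transform and stops once readable PHP appears saves time during a review. The following is an added example, not the decoder used by the researchers or code from the article; the plaintext and the four-layer blob built from it are constructed so that no real payload is shipped, and the "looks like PHP" heuristic is a simple token list you would extend for your own cases.

```python
import base64
import binascii
import codecs
import string

PRINTABLE = set(string.printable)

# Constructed plaintext standing in for the decoded PHP; the obfuscated blob is
# built from it below so the example contains no actual malware.
PLAIN = "<?php echo 'constructed sample payload for layered decoding'; ?>"
LAYER_ORDER = ["rot13", "base64", "rot13", "base64"]  # applied innermost first


def obfuscate(text, order):
    """Wrap text in the given layers, innermost first (mirrors the attacker's nesting)."""
    for layer in order:
        if layer == "base64":
            text = base64.b64encode(text.encode()).decode()
        elif layer == "rot13":
            text = codecs.encode(text, "rot_13")
        else:
            raise ValueError(layer)
    return text


SAMPLE_BLOB = obfuscate(PLAIN, LAYER_ORDER)


def _try_base64(s):
    """Return the decoded text if s is strict base64 of printable ASCII, else None."""
    s = s.strip()
    if not s or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if set(text) <= PRINTABLE else None


def _looks_like_php(s):
    """Crude readability check; extend the token list for your own samples."""
    return any(tok in s for tok in ("<?php", "echo ", "function ", "$_POST", "eval("))


def deobfuscate(blob, max_layers=32):
    """Peel base64 and str_rot13 layers until readable PHP appears.
    Returns (text, layers_peeled_outermost_first)."""
    layers = []
    cur = blob
    for _ in range(max_layers):
        if _looks_like_php(cur):
            break
        decoded = _try_base64(cur)
        if decoded is not None:           # a base64 layer that yields printable text
            layers.append("base64")
            cur = decoded
            continue
        rotated = codecs.decode(cur, "rot_13")
        if _looks_like_php(rotated) or _try_base64(rotated) is not None:
            layers.append("rot13")        # rot13 that exposes PHP or valid base64
            cur = rotated
            continue
        break                             # neither transform helps; stop
    return cur, layers


if __name__ == "__main__":
    text, layers = deobfuscate(SAMPLE_BLOB)
    print("layers peeled:", " -> ".join(layers))
    print(text)
```

Because rot13 of a base64 string is still syntactically valid base64, the decoder accepts a base64 layer only when the result is printable ASCII; otherwise it tries rot13 first. Run the decoder on the file in an isolated analysis environment and never by executing the decoded PHP.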

Fake Dynamic JPG Conceals Credit Card Skimmer

Upon inspection, we were able to see several additional rows of hidden data.

Encoded data

Once decoded, this data revealed not only the credit card details submitted to the site, but also the administrator credentials for the site’s backend. We ran a few test transactions on the site to confirm the behavior and, sure enough, our test data had been saved to the image file.

This isn’t the first time we’ve seen attackers export stolen credit card details to image files, which raises the question: why? There are several reasons why this tactic is useful. To begin with, it is very easy for attackers to download the stolen details through a browser or a console. Second, most website and server malware scans focus on web file extensions such as PHP, JS, and HTML. Image files, especially those in a wp-content/uploads subdirectory, can sometimes be overlooked.
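A scanner that understands image structure can close that gap: a well-formed JPEG ends at its FFD9 end-of-image marker and a PNG at its IEND chunk, so any bytes after that marker are worth a look. The script below is an added example, not code from the article or from Sucuri; the minimal JPEG-shaped byte strings and the appended base64 rows are constructed for it, and the assumption is that the dropped data is simply appended to the file rather than hidden inside a valid segment.

```python
from pathlib import Path

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk with its fixed CRC

# Constructed byte strings: a minimal JPEG-shaped file, and the same file with
# text rows appended after the end-of-image marker (rows are invented data).
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + JPEG_EOI
TAMPERED_JPEG = CLEAN_JPEG + b"\nY29uc3RydWN0ZWQgcm93IDE=\nY29uc3RydWN0ZWQgcm93IDI=\n"


def trailing_payload(data: bytes):
    """Return the bytes found after the image's end marker. A clean JPEG/PNG
    returns b''; None means the format is not recognised or has no end marker."""
    if data.startswith(JPEG_SOI):
        end = data.rfind(JPEG_EOI)   # rfind: embedded thumbnails carry their own EOI
        return data[end + len(JPEG_EOI):] if end != -1 else None
    if data.startswith(PNG_SIG):
        end = data.rfind(PNG_IEND)
        return data[end + len(PNG_IEND):] if end != -1 else None
    return None


def assess(data: bytes):
    """Classify an image as 'clean', 'trailing-data' or 'unknown-format'."""
    tail = trailing_payload(data)
    if tail is None:
        return "unknown-format"
    return "trailing-data" if tail.strip() else "clean"


def scan_uploads(root):
    """Walk an uploads tree and report images carrying data past their end marker."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".jpg", ".jpeg", ".png"}:
            verdict = assess(p.read_bytes())
            if verdict != "clean":
                findings.append((str(p), verdict))
    return findings


if __name__ == "__main__":
    print("clean sample:", assess(CLEAN_JPEG))
    print("tampered sample:", assess(TAMPERED_JPEG))
    print("trailing bytes:", trailing_payload(TAMPERED_JPEG).strip().splitlines())
```

Some image editors legitimately leave a few bytes after the end marker, so treat a hit as a lead to inspect rather than proof of compromise; a file whose tail grows between scans, or whose tail decodes to text, is the pattern described above.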

Conclusion and Mitigation Steps

This infection is a prime example of the importance of running basic file integrity checks frequently, as well as monitoring your environment for any file changes. Most WordPress security plugins include basic file integrity checks. Since core files shouldn’t change unless you’ve updated your version of WordPress, any change to a core file should be considered suspicious and could indicate malware. If you don’t already have one, make sure you have File Integrity Monitoring installed on your site!
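For sites without a security plugin, the same check is a short script: hash the core files once after a clean install or update, store the manifest off the server, and diff it on a schedule. The code below is an added example rather than code from the article or any particular plugin; the list of watched paths is an assumption you would adjust, and the demo builds a throwaway tree in a temporary directory to show how an edited core file and a planted file show up in the diff.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths that should only change during a WordPress update. Assumption for this
# example; extend it to whatever you consider core on your install.
WATCHED = ["index.php", "wp-settings.php", "wp-config.php", "wp-includes", "wp-admin"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each watched file (relative path) to its SHA-256; missing paths are skipped."""
    manifest = {}
    for name in WATCHED:
        target = root / name
        if target.is_file():
            manifest[name] = sha256_file(target)
        elif target.is_dir():
            for p in sorted(target.rglob("*")):
                if p.is_file():
                    manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a throwaway site tree, baseline it, then simulate the tampering the
    article describes (an include appended to a core file, a new file planted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-settings.php").write_text("<?php require( ABSPATH . WPINC . '/load.php' );\n")
        (root / "wp-includes" / "load.php").write_text("<?php // constructed core stub\n")
        baseline = build_manifest(root)
        # Simulated tampering; the appended path is the one from the article.
        with (root / "wp-settings.php").open("a") as f:
            f.write("include_once( ABSPATH . '../../Maildir/sub.main' );\n")
        (root / "wp-includes" / "planted.php").write_text("<?php // constructed planted file\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Keep the baseline somewhere the web server cannot write to; a manifest stored inside the document root can be edited by the same attacker who edits the core files. Regenerate it immediately after every WordPress update so that legitimate changes do not mask real ones.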

You should also always keep your plugins and themes up to date. If you have plugins or themes installed that are not in use, remove them, even if they are updated. Attackers are always on the lookout for vulnerabilities, and just because a vulnerability hasn’t been documented doesn’t mean it doesn’t exist.

By default, WordPress allows editing files directly from the wp-admin dashboard. This makes it easier to modify your website, but it also allows an attacker with admin access to place their payload. Adding additional authentication requirements on your admin panel is essential to maintaining a secure website.

We encourage you to regularly review your site administrator accounts and change your administrator passwords. You can refer to our in-depth article which outlines password security best practices to protect your website.

If you believe your site has been infected, you can sign up for our website firewall and remediation services.
