Credit cards swipers have discovered a hard-to-detect method to target WordPress websites using the WooCommerce plugin by covertly modifying legitimate JavaScript files.

That’s according to web security organization Sucuri, which has detailed a recent attack it was called into investigate in a website that had experienced a mysterious spate of credit card scams.

Information on how this was occurring wasn’t very clear until Sucuri ran an integrity check on the data files (comparing the files present with a known default state) and it became obvious that the attackers had concealed malware JavaScript code within a system file.

This is certainly unusual because most attacks on ecommerce systems involve appending code at the end of a file, a strategy which works well but easier for defenders to identify.

With regards to attacks against smaller sized ecommerce sites, it’s also usually simpler to change payment details, forwarding funds to a malicious account.

In this incident, the attackers had opted for some trouble to cover their tracks, apparently also clearing the stolen data they cached on the website right after the attack.

The most significant giveaway sign on the WordPress CMS was that a PHP file was included to ensure the malicious code loaded, Sucuri said.

The critical question is how the attackers gained access to the site to begin with. Regrettably, that’s less obvious although the most probably route is either a compromise of the admin account or by exploiting a software vulnerability in WordPress or WooCommerce.

Sucuri’s Ben Martin warned that although this kind of WooCommerce attack remains to be an exception, this isn’t the only occasion he’s seen it.

“Since working on this website, I have seen a handful of other cases, all with varying payloads.” Ben Martin, said.

E-commerce skimming attacks have become a big problem within the last three years, with several huge firms using the Magento platform being struck by a malware outfit called Magecart that netted large sums.

The aim in this kind of attack is to take advantage of a security weakness in order to bury their malicious code on payments systems, capturing the credit card information as customers enter them.

Customers get the items or solutions they paid for, whilst in the background the criminals have captured the info they need to commit card fraud.

These attacks in many cases are not detected until card victims complain, which is apparently what happened in the event documented by Sucuri.

Despite its growing popularity, the open source WordPress plugin WooCommerce has prevented the worst type of this, perhaps because it’s utilized by smaller sized websites that are considered small fry. Probably that’s right now changing.

It’s a reminder that every ecommerce merchants require careful defence. Regarding WooCommerce, included in these are changing the default WordPress username from admin to something attackers will find hard to guess, and also employing a strong password.

Furthermore to more specific security configurations such as for example limiting login attempts and using two-factor authentication, it’s also critical to keep carefully the WordPress and the WooCommerce plugins updated.

Also recommended by Sucuri’s Martin:

Disable direct file editing for wp-admin by adding the following line to your wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );

Credit: Content Source