This is not the first time WooCommerce e-shops have been targeted by credit card theft attacks (also known as Magecart attacks), as stated by Willem de Groot of Sanguine Security. In August 2018, some hackers tried to breach WooCommerce sites by brute-forcing administrator passwords.
"Of course, WooCommerce and other e-commerce WordPress-based sites have been targeted by hackers in the past, but were usually limited to modifying payment details," explained Sucuri's Ben Martin.
"For example, hackers were forwarding payments to the attacker's PayPal e-mail instead of the account of the legitimate owner of the site. What we are seeing now is something quite new."
New card skimming approach
Martin discovered the attack after many users of WordPress and WooCommerce sites reported fraudulent credit card transactions.
"As is usually the case with PHP malware, many levels of encryption are used in an attempt to avoid detection and hide the underlying code."
The skimmer cleans its traces
The stolen credit card details are stored in two image files in the wp-content/uploads directory.
However, as Martin discovered, the skimmer was able to cover its tracks: the files had been emptied by the time the analysis of the compromised sites started.
While usually the entry point used by attackers to infect a WooCommerce or other e-commerce site is easy to spot, this time it was not so obvious.
"It could be a compromised administrator account, an SFTP password or some vulnerable software," Martin added.
"One thing I would recommend to anyone interested in the security of their WooCommerce or WordPress site is to disable direct file editing by adding the following line to wp-config.php," he added.
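
A defender-side check for the two points above, added here as an example and not code from Sucuri or the original article: it flags image-named files under wp-content/uploads that are empty or do not begin with their format's magic bytes, and checks wp-config.php for the file-editing setting. The line itself is missing from this page; the example assumes it is WordPress's `DISALLOW_FILE_EDIT` constant, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes of each real image format, keyed by file extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumption: the wp-config.php line is WordPress's DISALLOW_FILE_EDIT constant.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|1)\s*\)""", re.I)


def file_edit_disabled(wp_config_text):
    """True if DISALLOW_FILE_EDIT is defined as true outside a line comment.
    Block comments (/* ... */) are not parsed."""
    for line in wp_config_text.splitlines():
        code = re.split(r"//|#", line, maxsplit=1)[0]
        if DEFINE_RE.search(code):
            return True
    return False


def suspicious_uploads(uploads_dir):
    """Return sorted (relative path, reason) pairs for image-named files in
    the uploads tree that are empty or do not start with the format's magic."""
    findings = []
    for path in Path(uploads_dir).rglob("*"):
        magic = MAGIC.get(path.suffix.lower())
        if magic is None or not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(8)
        rel = path.relative_to(uploads_dir).as_posix()
        if not head:
            findings.append((rel, "empty image file"))
        elif not head.startswith(magic):
            findings.append((rel, "image extension, non-image content"))
    return sorted(findings)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        samples = {"ok.png": b"\x89PNG\r\n\x1a\n\0\0", "a.jpg": b"not a JPEG", "b.png": b""}
        for name, data in samples.items():
            Path(d, name).write_bytes(data)
        print(suspicious_uploads(d))
    print(file_edit_disabled("define( 'DISALLOW_FILE_EDIT', true );"))
```

An empty image file is reported on its own because, as described above, the skimmer's files had already been emptied when the analysis began.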