Magecart is a form of cyberattack in which malicious code injected into an e-commerce site skims payment card data from the online checkout form. The style of attack came to prominence against Magento, the e-commerce platform from which it takes its name. However, the many skimming groups worldwide target nearly every web environment and payment platform, including dozens of other online shopping platforms, especially widely used free and inexpensive options. One of these is the WordPress plugin WooCommerce.
WooCommerce, an open-source WordPress plugin widely used by online retailers, was the target of Magecart activity in late 2021. RiskIQ researchers found three unique skimmer types embedded in WooCommerce checkout pages.
WooCommerce and Magecart
We've found three new Magecart attacks taking advantage of potential vulnerabilities and weaknesses in WooCommerce. WooCommerce is notably popular because it's simple, free to use, and easily customizable. According to research by Barn2, a software company specializing in WordPress and WooCommerce products, WooCommerce represents 29% of the top one million sites using e-commerce technologies, exceeding five million active installs of the free plugin as of early 2021.
WooCommerce, like Shopify and Magento, is so heavily used in e-commerce that it is not hard to see why it is a lucrative target for criminal actors. Retailers that integrate third-party themes and tools into their WooCommerce pages are particularly exposed to Magecart risk.
However, WooCommerce's ubiquity and the frequency with which it's targeted make it difficult to tie specific attribution to many skimming attacks. As we've covered in many articles about Magecart activity and evolution, qualifying activity as a Magecart attack requires specific criteria: unique infrastructure, skimmers, and targeting behavior.
Below, we'll cover the three new skimmers we've identified targeting retailers using the WooCommerce plugin:
The WooTheme Skimmer
RiskIQ detected the first Magecart skimmer across five domains using a compromised WooCommerce theme. The skimmer, dubbed the WooTheme skimmer, is relatively simple, which makes its functionality easy to follow.
Operators obfuscated the skimming code in all discovered iterations, except one. However, this one instance appears to be in error, as RiskIQ detected the obfuscated skimmer on the same compromised domain before the clear text version appeared.
Researcher unmaskparasites discovered this same skimmer in July 2021, reporting similar findings: an exfiltration domain within the theme's functions.php and the identical destination within the query.slim.js file.
The Slect Skimmer
Generic skimmers are in high demand and easy to find. They're repeatedly used across the same infrastructure, even by different threat actors, who add unique elements to the skimmer for their specific needs. However, detecting minor changes in skimmers helps us ascertain the patterns that tell us if Magecart activity is new. In this case, what appears to be a spelling error of the word "select" in the script gave it away as a never-before-seen skimmer and led us to call it the 'Slect' skimmer.
Once the DOM content is fully loaded, the Slect skimmer does two interesting things. First, it enumerates the page's form fields and excludes the types it does not want to harvest, such as free-text fields, passwords, and checkboxes. Second, it registers an event listener for a click on a button and defers its work until that click, likely to evade automated sandboxes that load the page but never interact with it.
The exfil domain found within the skimmer has been previously associated with other Magecart infrastructure and was identified by RiskIQ researcher Jordan Herman as being used by a variant of the Grelos skimmer.
The Gateway Skimmer
This last skimmer was piled high with multiple layers and steps by the actor to hide and obfuscate its processes. The obfuscated code is massive and difficult to digest, and it runs a few functions also observed in other skimmers. Across different iterations of this skimmer, the words "gate" and "gateway" in .php and .js file names helped us identify it as unique and dub it the 'Gateway' skimmer.
However, after peeling back the obfuscation layered over the legitimate code in this skimmer, RiskIQ researchers found a skimmer we've been detecting since 2019. It even exfiltrates PII and credit card data to the same C2 domain as that familiar skimmer. Interestingly, this WooCommerce version of the Gateway skimmer looks specifically for the Firebug browser extension (discontinued in 2017).
Defend Your Organization This Holiday Shopping Season
RiskIQ continues to evolve detection of credit card skimmers and Magecart activity, broadening the knowledge base on these types of attacks. While in the thick of the holiday season, an increase in e-commerce targeting puts retailers and online shoppers particularly at risk.
WooCommerce users are often small and medium-sized businesses, sometimes considered the most vulnerable, as they lack resources for complex and highly-vetted third-party tools. As we've seen over the years, both small and large retailers can be the targets of Magecart skimming.
RiskIQ's detections of skimmers and other malware show countless clever ways threat actors gain access, deploy, and hide their tools on victim websites. Beyond having robust malware detection, website operators should regularly inspect their crontabs for unexpected entries, ensure that file and directory permissions are correct, and audit access to the site's files.
We continue to make compromised retailers aware of our findings and work diligently to raise awareness of credit card skimming globally. You can visit RiskIQ's Threat Intelligence Portal to read our full analysis of these skimmers targeting WooCommerce and access the list of IOCs that surfaced in our investigation.
RiskIQ has also launched An E-commerce Guide: 12 Ways to Unmask Cyber Threats This Holiday Shopping Season to help e-commerce organizations identify cyber threats targeting their brand and their customers.