    Deceptive Credit Card Skimmer Masquerading as Innocuous Facebook Tracker

    A credit card skimmer has been discovered concealed within a fake Meta Pixel tracking script in an attempt to evade detection.

    Sucuri said the malware is injected into websites through tools that allow custom code, such as WordPress plugins like Simple Custom CSS and JS or the “Miscellaneous Scripts” section of the Magento admin panel.

    Security analyst Matt Morrow noted that custom script editors are popular with malicious actors because they allow external third-party (and potentially harmful) JavaScript to be added, and that code can pass as benign by using names that resemble established scripts like Google Analytics or libraries such as jQuery.

    The fake Meta Pixel tracking script identified by the security firm resembles its genuine counterpart, but closer inspection reveals JavaScript code that replaces references to the domain “connect.facebook[.]net” with “b-connected[.]com.”

    While the former domain is legitimately associated with Pixel tracking functionality, the replacement domain is used to load an additional malicious script (“fbevents.js”) that checks whether a user is on a checkout page and, if so, displays a fraudulent overlay to steal their credit card details.

    Notably, “b-connected[.]com” is a legitimate e-commerce platform that was compromised at some point and used to host the skimming code. In addition, the data entered into the fake form is exfiltrated to yet another compromised domain (“www.donjuguetes[.]es”).

    To mitigate such risks, keep websites up to date, periodically review administrative accounts to confirm that each one is legitimate, and change passwords regularly.

    This is particularly important because threat actors tend to exploit weak passwords and vulnerabilities in WordPress plugins to gain elevated privileges on a target site and then add rogue administrative users, which enables various other malicious activities, including adding further plugins and backdoors.

    Morrow added that credit card stealers tend to lie dormant until specific triggers such as the keywords ‘checkout’ or ‘onepage’ are activated. As a result, detection may be delayed until the checkout page has finished loading, and because such pages are generated dynamically based on cookie data and other variables, they evade public scanners. The only way to identify such malware is therefore to inspect the page source or monitor network traffic, since these scripts run silently in the background.
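
    The source inspection described above can be partly automated. The following is an added example, not code from Sucuri or the original article: a heuristic check over the contents of a custom-script field that flags Pixel-like snippets which rewrite the legitimate host, load fbevents.js from another host, or reference the ‘checkout’/‘onepage’ keywords. The function name, finding labels, sample snippets and the placeholder host pixel.example.test are all assumptions.

```javascript
// Added example (not Sucuri's code): heuristic audit of custom-script content.
const LEGIT_PIXEL_HOST = "connect.facebook.net";

// Returns heuristic findings for one snippet of site-injected JavaScript.
function auditPixelSnippet(source) {
  const findings = [];
  // Only inspect snippets that present themselves as Meta Pixel code.
  if (!/fbq\s*\(|fbevents\.js/.test(source)) return findings;

  // 1. A replace() call whose first argument is the legitimate Pixel host.
  if (/\.replace\s*\(\s*["'`\/]connect\\?\.facebook\\?\.net/i.test(source)) {
    findings.push("rewrites-pixel-host");
  }
  // 2. fbevents.js referenced on any host other than the legitimate one.
  const urlRe = /(?:https?:)?\/\/([a-z0-9.-]+)\/[^"'`\s]*fbevents\.js/gi;
  for (const m of source.matchAll(urlRe)) {
    const host = m[1].toLowerCase();
    if (host !== LEGIT_PIXEL_HOST) findings.push("foreign-fbevents-host:" + host);
  }
  // 3. The checkout-page trigger keywords named in the article.
  if (/["'`](checkout|onepage)["'`]/i.test(source)) {
    findings.push("checkout-keyword-gate");
  }
  return findings;
}

// Constructed samples; pixel.example.test is a placeholder host.
const GENUINE = "s.src='https://connect.facebook.net/en_US/fbevents.js';" +
  "fbq('init','0000000000');fbq('track','PageView');";
const REWRITTEN = "var u='https://connect.facebook.net/en_US/fbevents.js'" +
  ".replace('connect.facebook.net','pixel.example.test');" +
  "if(location.href.indexOf('checkout')>-1){s.src=u;}fbq('init','0000000000');";
const FOREIGN = "s.src='//pixel.example.test/en_US/fbevents.js';fbq('track','PageView');";

for (const [name, src] of Object.entries({ GENUINE, REWRITTEN, FOREIGN })) {
  console.log(name, auditPixelSnippet(src));
}
```

    Any finding is a prompt for manual review of the snippet and of the network requests the page makes, not a verdict; a clean result does not rule out obfuscated code.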

    The disclosure coincides with Sucuri’s report of another malware targeting WordPress and Magento sites, known as Magento Shoplift, earlier versions of which surfaced as far back as September 2023.

    The attack chain begins with obfuscated JavaScript fragments inserted into legitimate JavaScript files. These fragments retrieve, via WebSocket Secure (WSS), a second-stage script from jqueurystatics[.]com that is designed to perform credit card skimming and data exfiltration while posing as a Google Analytics script.

    Researcher Puja Srivastava noted that WordPress has grown in prominence in e-commerce thanks to the widespread adoption of platforms such as WooCommerce, which turn WordPress sites into fully featured online stores. That popularity also makes WordPress stores prime targets for malicious actors, who are adapting their MageCart e-commerce malware to cover a broader range of CMS platforms.
