Researchers at website security company Sucuri have discovered new WordPress malware used by threat actors to find and identify the WooCommerce online stores with many customers to be targets for future Magecart attacks.
WooCommerce is an open-source WordPress plugin with over 5 million active installations. It is designed to simplify the management of e-commerce sites used to “sell anything anywhere.”
However, attacking the WooCommerce online store is nothing new.
Plugins with errors for hacking into electronic stores
To crack the WooCommerce-based online store and drop new malware, hackers are exploiting security holes in other WordPress plugins.
By exploiting these flaws, they will be able to access the online store’s internal structure and find out whether the site uses the WooCommerce platform. They will then collect and extract information about WooCommerce installation on servers controlled by attackers.
“It is important to note that, by default, the WooCommerce plugin does not store payment card data-an attacker cannot just steal private payment details from the WordPress database,” the malware researcher said.
The malware installation is in the form of a malicious PHP script and is part of the exploitation steps after successfully compromising the WordPress site.
Although Sucuri has not specified the purpose of this information, malware operators can use orders and payment information to decide whether it is worth deploying a skimmer specifically for online stores.
This will enable them to focus their energy on online stores that receive a lot of traffic and orders, and as a result, avoid wasting time on e-commerce stores that are idle or don’t have many customers.
The WordPress malware will also implement three backdoors on the infected website. This will be very useful if the attacker decides to return and implement a network skimmer.
Leal concluded: “This malware is a good example of an attacker using unauthorized access to identify potential new targets in a compromised host environment.”