Researchers at Sucuri have discovered a new e-skimmer that differs from the malware used in Magecart attacks.
This piece of malware was used in attacks on WordPress-based online stores running the WooCommerce plugin.
The e-skimmer does not only intercept the payment information that users enter into the fields of a checkout page.
“Naturally, WooCommerce and other WordPress-based ecommerce websites have been targeted before, but this has typically been limited to modifications of payment details within the plugin settings.” reads the analysis published by Sucuri. “For example, forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new.”
According to the experts, most of the e-skimmer's source code was injected into the WordPress JavaScript file /wp-includes/js/jquery/jquery.js.
“Most JavaScript injections append the code at the very end of the file, but one quirk I noticed about this was that it was inserted before the ending jQuery.noConflict();” continues the analysis.
“It’s not so easy to see. The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”
This technique differs from the Magecart attacks that load the skimmer from third-party websites.
The part of the script that captures the card details was injected into the file “/wp-includes/rest-api/class-wp-rest-api.php”.
“As is typical in PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its core code from the average webmaster,” continues the post.
In detail, the malware collects the payment details and stores the card numbers and CVV security codes in plaintext, in the form of a cookie. The script uses the file_put_contents function to store them in two separate image files (a .PNG and a JPEG) kept in the wp-content/uploads directory.
At the time of analysis, these two files were empty, which suggests that the malware is able to wipe the files to avoid detection.
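A defender-side check that follows from the storage trick described above, written here as an added example (it is not code from Sucuri's analysis or from the skimmer itself): it walks a wp-content/uploads tree and flags files named like images whose bytes do not start with a real PNG/JPEG header, and separately reports zero-length image files, which the wiped dumps would look like. The directory layout and sample files are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Magic bytes of the image types the skimmer abused as a dump location.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def scan_uploads(uploads_dir):
    """Walk an uploads tree and report image-named files that do not begin
    with a real image header, plus zero-length ones (the dump files were
    empty at analysis time, so emptiness is a weaker but useful signal)."""
    root = Path(uploads_dir)
    findings = {"not_image": [], "empty": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        magic = IMAGE_MAGIC.get(path.suffix.lower())
        if magic is None:
            continue  # only .png/.jpg/.jpeg names are of interest here
        with path.open("rb") as fh:
            head = fh.read(len(magic))  # never read whole (possibly large) files
        rel = path.relative_to(root).as_posix()
        if not head:
            findings["empty"].append(rel)
        elif not head.startswith(magic):
            findings["not_image"].append(rel)
    return findings


def build_constructed_uploads():
    """Create a throwaway uploads tree with constructed sample files
    (no real victim data) so the scanner can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    month = root / "2020" / "05"
    month.mkdir(parents=True)
    (month / "photo.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    (month / "photo.jpg").write_bytes(IMAGE_MAGIC[".jpg"] + b"\x00" * 16)
    # Skimmer-style drop: plaintext records hidden behind an image name.
    (month / "cache.png").write_bytes(b"number=0000000000000000;cvv=000\n")
    # A dump that has already been wiped, as Sucuri observed.
    (month / "cache.jpeg").write_bytes(b"")
    return root


if __name__ == "__main__":
    print(scan_uploads(build_constructed_uploads()))
```

Run it against a real site's wp-content/uploads to get a shortlist; legitimate empty or mis-named files do occur, so treat hits as leads to inspect alongside a core-file integrity check of jquery.js and the rest-api directory.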
“With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing attackers target this platform more frequently,” continues Sucuri.
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.