Old-fashioned web skimmer attacks WordPress, Magento and OpenCart

Carding Forum

Popular content management systems (CMS) such as WordPress, Magento, and OpenCart have become the target of a new web-based credit card skimmer known as the "Caesar Cipher Skimmer".

Web skimmers themselves are malicious software that is embedded in e-commerce sites in order to steal financial and payment information.

According to a recent report from Sucuri, the attackers' latest campaign involves making malicious changes to a PHP file belonging to the WooCommerce plugin for WordPress. This file ("form-checkout.php") is used by the attackers to steal credit card data.

"Over the past few months, injections have become less suspicious and no longer represent a long obfuscated script," said security researcher Ben Martin, pointing out attempts to disguise themselves as Google Analytics and Google Tag Manager.

The skimmer takes its name from the Caesar cipher, which it uses to obfuscate its malicious code; the Roman general Gaius Julius Caesar used the cipher to encrypt his correspondence with his military commanders. The method shifts each letter of the alphabet by a fixed number of positions to the left or right.

In this web skimmer, the attacker encoded the malicious code as an unreadable string of text and also disguised the external domain used to host the payload. All affected sites are believed to have already been compromised by other means so that the PHP script could be hosted under the names "style.css" and "css.php", masquerading as stylesheet files and evading detection.

These scripts are designed to load further obfuscated JavaScript code, which opens a WebSocket connection to another server to fetch the actual skimmer.
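As an added defender-side illustration of the obfuscation described above (this is example code, not code from Sucuri or from the skimmer itself), the script below brute-forces the 25 possible Caesar shifts over the string literals in a file and flags any literal that decodes into loader-style tokens such as WebSocket or eval. The PHP sample and the token watch-list are constructed for this example.

```python
import re
import string

# Tokens whose appearance in a decoded literal suggests a skimmer-style loader.
# Constructed watch-list for this example; extend it from your own incident data.
SUSPICIOUS_TOKENS = ("WebSocket", "wss://", "atob(", "eval(", "document.location")


def caesar_shift(text: str, shift: int) -> str:
    """Shift each ASCII letter by `shift` positions; other characters are untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def find_caesar_obfuscated(source: str, min_len: int = 24) -> list:
    """Return (shift, decoded) for every quoted string literal in `source` that,
    under some non-zero Caesar shift, contains a suspicious token."""
    hits = []
    pattern = r"""["']([^"'\n]{%d,})["']""" % min_len
    for literal in re.findall(pattern, source):
        for shift in range(1, 26):
            decoded = caesar_shift(literal, shift)
            if any(tok in decoded for tok in SUSPICIOUS_TOKENS):
                hits.append((shift, decoded))
                break  # one decoding per literal is enough to flag it
    return hits


# Constructed sample: one benign literal and one literal whose loader code was
# shifted right by 3 (so it decodes with a shift of 23).
SAMPLE_PHP = """<?php
$title = "Checkout - Example Store Storefront Page";
$p = "qhz ZheVrfnhw(x).rqphvvdjh=ixqfwlrq(h){hydo(h.gdwd)}";
"""

if __name__ == "__main__":
    for shift, decoded in find_caesar_obfuscated(SAMPLE_PHP):
        print(f"shift={shift}: {decoded}")
```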

"The script sends the URL of current web pages, which allows attackers to send individual responses for each infected site," Martin said. "Some versions of the second layer of the script even check if it is uploaded by a WordPress user with administrator rights and change the response for it."

The WooCommerce "form-checkout.php" file isn't the only way the skimmer is deployed. Attackers have also been seen using the legitimate WPCode plugin to inject it into the site's database. On Magento sites, in turn, the JavaScript is injected into database tables such as "core_config_data". How OpenCart sites are infected is still unknown.

Because WordPress and similar platforms are so widely used and have such a large number of plugins, CMS platforms have become an attractive target for attackers, offering easy access to a vast attack surface. It is extremely important for site owners to update the CMS and plugins promptly, maintain password security, and periodically audit for suspicious administrator accounts.

• Source: https://blog.sucuri.net/2024/06/caesar-cipher-skimmer.html