New Skimmer Malware Attacking E-commerce Websites


Researchers identified a new variant of credit card skimming attack, the Caesar Cipher Skimmer, targeting multiple content management systems (CMS), including WordPress, Magento, and OpenCart. 

The skimmer targets the checkout process, injecting malicious code into the checkout PHP file. The attack relies on obfuscated strings and a Caesar Cipher technique to hide its payload. The cross-platform reach is the notable part: it is uncommon for a new skimmer to be deployed across several CMS platforms at the same time.

SiteCheck website malware detection for credit card skimmer infection.

A client reported credit card theft on their WooCommerce checkout page. The investigation found malware injected into the form-checkout.php script, a common target in 2023 according to a recent threat report. Because that script plays a central role in the WooCommerce checkout, tampering with it is an effective way for attackers to steal credit card information.

In recent gtag skimmer injections, attackers use a Caesar Cipher technique to obfuscate the malicious code: the encoded string is split into individual characters, the order is reversed, and a fixed value (e.g., 3) is subtracted from each character's Unicode value.

Splits the string into individual characters

The altered character codes are converted back to characters and rejoined into a string. This makes the script look less suspicious at first glance, but the use of String.fromCharCode and the presence of jumbled characters are still red flags for security analysts.

The obfuscated strings are first joined, then separated into individual characters, which are reversed. Unicode, a character encoding standard, assigns a numerical value to each character, and it is these values that the shift operates on.

The str_rot13 function then applies a Caesar Cipher, a straightforward substitution method that shifts each character's value by a fixed amount.

Malware authors use the Caesar Cipher technique to obfuscate the malicious payload domain by subtracting 3 from the Unicode value of each character of the domain URL, which makes the malicious domain harder for antivirus software and security vendors to detect.
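The reverse-then-shift scheme described above, as an added example that is not code from the report or from any real skimmer: a decoder an analyst can apply to a recovered string, and a heuristic scan for the decoding idiom in page source. The domain, path and shift value are constructed placeholders.

```javascript
// Added example: decoder and detection heuristic for the "reverse, then
// shift every character code" scheme described above. Not code from the
// report; the domain, path and shift below are constructed placeholders.

// The skimmer's runtime step: reverse, then subtract `shift` from each UTF-16
// code unit and rebuild the string with String.fromCharCode.
function decodeShiftedReversed(encoded, shift) {
  return encoded
    .split("")
    .reverse()
    .map((c) => String.fromCharCode(c.charCodeAt(0) - shift))
    .join("");
}

// Inverse transform, used here only to build a constructed sample.
function encodeShiftedReversed(plain, shift) {
  return plain
    .split("")
    .map((c) => String.fromCharCode(c.charCodeAt(0) + shift))
    .reverse()
    .join("");
}

// Heuristic scan: the three building blocks the article calls out must all
// appear (split/reverse, charCodeAt() minus a constant, String.fromCharCode).
// Returns the shift constant, or null when the idiom is absent.
function findDecoderIdiom(source) {
  const hasReverse = /\.split\(["']{2}\)\s*\.reverse\(\)/.test(source);
  const hasFromCharCode = /String\.fromCharCode/.test(source);
  const shift = source.match(/charCodeAt\([^)]*\)\s*-\s*(\d+)/);
  return hasReverse && hasFromCharCode && shift ? Number(shift[1]) : null;
}

// Pull the quoted literal that feeds the decoder and recover its plaintext,
// so an analyst can read the hidden domain without executing the script.
function recoverLiteral(source, shift) {
  const m = source.match(/["']([^"']+)["']\s*\.split\(["']{2}\)\s*\.reverse\(\)/);
  return m ? decodeShiftedReversed(m[1], shift) : null;
}

// Constructed sample of an injected line (shift 3, placeholder domain).
const SHIFT = 3;
const ENCODED = encodeShiftedReversed("example.invalid/collect", SHIFT);
const SAMPLE = 'var u="' + ENCODED + '".split("").reverse().map(function(c){' +
  "return String.fromCharCode(c.charCodeAt(0)-" + SHIFT + ')}).join("");';

const found = findDecoderIdiom(SAMPLE);
console.log("decoder idiom shift:", found);                    // 3
console.log("hidden literal:", recoverLiteral(SAMPLE, found)); // example.invalid/collect
```

The regexes are a narrow heuristic for this one idiom; treat a hit as a reason to pull the file for review, not as a verdict.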

The malware then connects to…

Source…