
MageCart hackers inject skimmers into payment processing modules of WordPress online stores




The tactic lets the attackers evade detection and persist on the compromised site for a long time.

A new MageCart campaign to steal credit card data hides its malicious code inside the “Authorize.net” payment gateway module for the WooCommerce plugin, which lets the attackers evade detection. The campaign was reported by website security researchers at Sucuri.

When attackers compromise an e-commerce site, whether it is built on Magento or on WordPress running the WooCommerce plugin, they usually inject malicious JavaScript into the HTML of the store or checkout pages. The scripts then steal the card details, address, phone number and email address entered by the buyer.

Many online stores now run scanners over their HTML to find such scripts. To get around them, the attackers are now injecting the malicious code directly into the site’s payment gateway modules, the server-side extensions that process card payments at checkout. Because these extensions are invoked only after the buyer has entered card details and submitted the order, they are harder to catch with security tools that inspect the pages served to visitors.

To accept cards, the affected stores use the “Authorize.net” payment processor, which serves about 440,000 merchants worldwide. On the compromised site, the criminals modified one of the files of the Authorize.net gateway module that integrates it with WooCommerce.

The code appended to the end of that file checks whether the body of the incoming HTTP request contains the string “wc-authorize-net-cim-credit-card-account-number”, the name of the card-number input field. Its presence means the request is the checkout submission that carries the buyer’s payment data.

The code then generates a random password, encrypts the captured payment details with AES-128-CBC, and stores the ciphertext in a file disguised as an image, which is later sent to the attackers.

Next, the criminals inject code into the gateway’s JavaScript file “wc-authorize-net-cim.min.js”. This injected code captures additional details from the input fields of the checkout form on the infected site, including the victim’s name, delivery address, phone number and postal code.
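Because the injection lives in a legitimate plugin file, the check a site owner can actually rely on is file integrity: hash every file of the gateway plugin, compare it with a freshly downloaded copy of the same version, and look more closely at whatever changed. The Python below is an added example (not code from the article, from Sucuri, or from the plugin vendor) that does exactly that and then runs a few heuristic patterns over the changed files. The plugin directory layout and PHP file name, the regexes, and the “tampered” sample file are all constructed assumptions for the demo; only the card-field name and the `wc-authorize-net-cim.min.js` file name come from the article.

```python
"""Added example: baseline-and-heuristic audit of a WooCommerce payment-gateway plugin directory."""
import hashlib
import re
import tempfile
from pathlib import Path

# Traits of the injection described in the article, as regexes over raw file bytes.
# Assumed approximations for illustration, not Sucuri's detection signatures.
SKIMMER_TRAITS = {
    "card_field_check": re.compile(rb"wc-authorize-net-cim-credit-card-account-number"),
    "aes128cbc": re.compile(rb"openssl_encrypt\s*\([^;]*aes-128-cbc", re.I),
    "write_to_image": re.compile(rb"(?:file_put_contents|fwrite|fopen)\s*\([^;]*\.(?:jpe?g|png|gif)\b", re.I),
    "heartbeat_hook": re.compile(rb"heartbeat_(?:nopriv_)?received"),
}


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every file below root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_trees(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that differ from, were added to, or are missing from the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def scan_file(path: Path) -> list[str]:
    """Names of skimmer traits found in a file. The card-field name on its own is
    legitimate (the gateway defines that input), so it only counts next to another trait."""
    data = path.read_bytes()
    hits = [name for name, rx in SKIMMER_TRAITS.items() if rx.search(data)]
    return [] if hits == ["card_field_check"] else hits


def audit(baseline_dir: Path, live_dir: Path) -> dict:
    """Compare the live plugin against a clean copy and scan every changed or new file."""
    changes = diff_trees(hash_tree(baseline_dir), hash_tree(live_dir))
    suspicious = {}
    for rel in changes["modified"] + changes["added"]:
        hits = scan_file(live_dir / rel)
        if hits:
            suspicious[rel] = hits
    return {"changes": changes, "suspicious": suspicious}


# --- constructed demo data: a fake plugin tree, not the real gateway's source ---
CLEAN_PHP = b"""<?php
// Stand-in for a legitimate gateway class; it names the card field legitimately.
class WC_Gateway_Authorize_Net_CIM_Credit_Card {
    public function get_payment_fields() {
        return array( 'wc-authorize-net-cim-credit-card-account-number' );
    }
}
"""
# Placeholder for the appended injection: carries the traits the article describes and nothing
# that runs (undefined variables, fake path). It exists only to exercise the scanner.
INJECTED_TAIL = b"""
if ( strpos( file_get_contents( 'php://input' ), 'wc-authorize-net-cim-credit-card-account-number' ) !== false ) {
    $c = openssl_encrypt( $payload, 'aes-128-cbc', $key, 0, $iv );
    file_put_contents( '/path/to/assets/images/cache.jpg', $c );
}
"""


def build_demo() -> tuple[Path, Path]:
    """Write a clean baseline copy and a live copy whose PHP gateway file was tampered with."""
    base = Path(tempfile.mkdtemp())
    dirs = []
    for name in ("baseline", "live"):
        d = base / name / "woocommerce-gateway-authorize-net-cim"  # assumed directory name
        (d / "includes").mkdir(parents=True)
        (d / "assets" / "js").mkdir(parents=True)
        (d / "includes" / "class-wc-gateway-authorize-net-cim-credit-card.php").write_bytes(CLEAN_PHP)
        (d / "assets" / "js" / "wc-authorize-net-cim.min.js").write_bytes(b"/* constructed stand-in */\n")
        dirs.append(d)
    tampered = dirs[1] / "includes" / "class-wc-gateway-authorize-net-cim-credit-card.php"
    tampered.write_bytes(CLEAN_PHP + INJECTED_TAIL)
    return dirs[0], dirs[1]


if __name__ == "__main__":
    baseline, live = build_demo()
    print(audit(baseline, live))
```

In real use, point `audit()` at an unpacked fresh download of the same plugin version and at the live `wp-content/plugins/...` directory. The hash comparison is the authoritative signal; the regexes only help prioritise which changed file to read first, and they would miss an injection that obfuscates its function names.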


Evasion of detection

Another notable aspect of this campaign is the stealth of the skimmer.

  • the malicious code lives inside legitimate files of the payment gateway, so routine scans of the site’s HTML never see it;
  • the stolen payment data is encrypted before it is written to disk, so card numbers never appear in clear text in the dropped file;
  • the WordPress Heartbeat API is abused so that the exfiltration of the victims’ payment data blends into normal traffic, defeating security tools that watch for unauthorized data exfiltration.
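The third point is the one a defender can turn into a concrete check: a core Heartbeat request has a small, fixed shape, so a POST to admin-ajax.php that carries unexpected `data[...]` keys, a Luhn-valid card number, or an unusually large body deserves a look. The Python below is an added example (not code from the article or from Sucuri) that inspects urlencoded Heartbeat bodies that way. The allow-lists of core field names, the size threshold and the sample requests are constructed assumptions to adjust for your own installation; the card number in the sample is the common 4111... test PAN.

```python
"""Added example: flag WordPress Heartbeat POST bodies that carry data core would never send."""
import re
from urllib.parse import parse_qs

# Fields a core Heartbeat request carries at the top level (assumed; check against your WP version).
HEARTBEAT_TOP_KEYS = {"action", "_nonce", "interval", "screen_id", "has_focus"}
# data[...] keys core itself sends (assumed allow-list; add keys your plugins legitimately use).
HEARTBEAT_DATA_KEYS = {"wp_autosave", "wp-refresh-post-lock", "wp-refresh-post-nonces", "wp-auth-check"}
DATA_KEY_RX = re.compile(r"^data\[([^\]]*)\]")
PAN_RX = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from any other long digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_heartbeat(body: str, max_body_len: int = 1024) -> list[str]:
    """Return findings for one urlencoded Heartbeat body; an empty list means it looks like core."""
    findings = []
    if len(body) > max_body_len:
        findings.append(f"oversized_body:{len(body)}")
    for key, values in parse_qs(body).items():
        m = DATA_KEY_RX.match(key)
        if m:
            if m.group(1) not in HEARTBEAT_DATA_KEYS:
                findings.append(f"unknown_data_key:{m.group(1)}")
        elif key not in HEARTBEAT_TOP_KEYS:
            findings.append(f"unknown_top_key:{key}")
        for value in values:
            compact = re.sub(r"[ -]", "", value)  # card numbers are often typed with spaces or dashes
            if any(luhn_ok(pan) for pan in PAN_RX.findall(compact)):
                findings.append(f"luhn_valid_pan_in:{key}")
                break
    return findings


def scan_requests(requests: list[dict]) -> dict[int, list[str]]:
    """Index -> findings for every Heartbeat request that has at least one finding."""
    out = {}
    for i, req in enumerate(requests):
        if req["path"].endswith("/wp-admin/admin-ajax.php") and "action=heartbeat" in req["body"]:
            findings = inspect_heartbeat(req["body"])
            if findings:
                out[i] = findings
    return out


# Constructed sample traffic (not captures from a real site).
SAMPLE_REQUESTS = [
    {"path": "/wp-admin/admin-ajax.php",  # what core sends from the post editor
     "body": "action=heartbeat&_nonce=deadbeef&interval=60&screen_id=post&has_focus=true"
             "&data%5Bwp-auth-check%5D=true&data%5Bwp-refresh-post-lock%5D%5Bpost_id%5D=42"},
    {"path": "/wp-admin/admin-ajax.php",  # plaintext card data smuggled under a made-up key
     "body": "action=heartbeat&_nonce=deadbeef&interval=15&screen_id=front&has_focus=true"
             "&data%5Bwc_checkout_cache%5D=4111+1111+1111+1111%7C12%2F26%7C123%7CJane+Doe"},
    {"path": "/wp-admin/admin-ajax.php",  # opaque blob: looks encrypted, still not a core key
     "body": "action=heartbeat&_nonce=deadbeef&interval=15&screen_id=front&has_focus=true"
             "&data%5Bping%5D=" + "Qk" * 600},
    {"path": "/checkout/", "body": "billing_first_name=Jane"},  # ordinary checkout POST, ignored
]


if __name__ == "__main__":
    for idx, findings in scan_requests(SAMPLE_REQUESTS).items():
        print(idx, findings)
```

The Luhn check only catches data sent in clear text; since the skimmer described here encrypts before exfiltration, the unknown-key and body-size rules are what would flag it, which is why the allow-list has to be kept accurate for the plugins actually installed.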

As members of the MageCart group improve their tactics and increase the number of attacks on WooCommerce and WordPress sites, it is important for site owners and administrators to remain vigilant and implement strong security measures.

Source: www.securitylab.ru
