  • MageCart hackers inject skimmers into payment processing modules of WordPress online stores

    The MageCart group's new campaign to steal credit card data hides malicious code inside the "Authorize.net" payment gateway module for the WooCommerce plugin, allowing hackers to evade detection. This was reported by website security experts from Sucuri.

    When cybercriminals compromise a Magento store or a WordPress site running the WooCommerce online store platform, they inject malicious JavaScript into the HTML code of the store or checkout pages. The scripts then steal the card data, address, phone number and email address entered by the buyer.

    Many online stores now use HTML code scanners to find malicious scripts. To avoid detection, attackers now inject malicious scripts directly into the payment gateway modules that the site uses to process credit card payments at checkout. Because these extensions are typically called only after the user has entered their credit card information and made a payment in a store, they are harder to detect with security tools.

    To accept credit cards on the site, the stores use the payment processing system "Authorize.net", which is used by about 440,000 stores worldwide. On the compromised site, the cybercriminals changed one of the Authorize.net files that support the integration of the payment gateway into the WooCommerce environment.

    The code injected at the end of the file checks if the body of the HTTP request contains the string "wc-authorize-net-cim-credit-card-account-number". The presence of this string means that the HTTP request contains payment data that is sent after the user checks out from the cart.

    The code then generates a random password, encrypts the victim's payment details with AES-128-CBC, and stores them in an image file that is later sent to the hackers.

    Next, the cybercriminals inject code into the Authorize.net file "wc-authorize-net-cim.min.js". The injected code intercepts additional payment details from input form elements on the infected site, including the victim's name, delivery address, phone number, and postal code.

    Another notable aspect of this campaign is the stealth of the skimmer.

    • malicious code is embedded in the legitimate files of the payment gateway, so regular scans of the site's HTML code do not detect malicious code;
    • encryption of stolen payment data helps to avoid detection;
    • misuse of WordPress' Heartbeat API to mimic normal traffic and mix it with victims' payment data during exfiltration helps hackers evade detection by security tools that track unauthorized data exfiltration.

    As members of the MageCart group improve their tactics and increase the number of attacks on WooCommerce and WordPress sites, it is important for site owners and administrators to remain vigilant and apply strong security measures.
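
One defensive check that follows from the points above, as an added example that is not part of the original article or of Sucuri's report: because the skimmer sits in the gateway's own PHP and JavaScript files rather than in page HTML, compare the plugin's files on disk with hashes taken from a trusted vendor copy. The plugin directory, the PHP file name and the image file name are constructed for the demo; only `wc-authorize-net-cim.min.js` comes from the article.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(baseline, current):
    """Return files that changed, appeared, or vanished relative to the baseline."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }

def demo():
    """Constructed sample: a clean plugin tree, then the same tree after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "gateway-plugin"          # hypothetical plugin directory
        (plugin / "assets/js").mkdir(parents=True)
        (plugin / "assets/img").mkdir()
        php = plugin / "class-gateway.php"             # hypothetical file name
        js = plugin / "assets/js/wc-authorize-net-cim.min.js"
        php.write_text("<?php // vendor code\n")
        js.write_text("/* vendor script */\n")
        baseline = hash_tree(plugin)                   # stands in for a trusted vendor copy

        # Simulate the tampering the article describes, using inert placeholder content.
        with php.open("a") as fh:
            fh.write("// placeholder: code appended at end of file\n")
        with js.open("a") as fh:
            fh.write("/* placeholder: injected script */\n")
        (plugin / "assets/img/logo-cache.jpg").write_bytes(b"\x00placeholder")  # unexpected file
        return compare(baseline, hash_tree(plugin))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

In practice the baseline should be built from a fresh download of the same plugin version, stored off the web server, so that a compromised host cannot rewrite it.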

    Author DeepWeb