MageCart hackers inject skimmers into payment processing modules of WordPress online stores

    The MageCart group's new campaign to steal credit card data hides malicious code inside the "Authorize.net" payment gateway module for the WooCommerce plugin, allowing hackers to evade detection. This was reported by website security experts from Sucuri.

    When cybercriminals hack a Magento or WordPress-based commerce site running the WooCommerce online store platform, they inject malicious JavaScript into the HTML code of the store or checkout pages. The scripts then steal the card data, address, phone number and email address entered by the buyer.

    Many online stores now use HTML code scanners to find malicious scripts. To avoid detection, attackers now inject malicious scripts directly into the site's payment gateway modules, which process credit card payments at checkout. Because these extensions are typically called only after the user has entered their credit card information and made a payment in a store, they are harder to detect with security tools.

    To accept credit cards on the site, the stores use the payment processing system "Authorize.net", which is used by about 440,000 stores worldwide. On the compromised site, the cybercriminals changed one of the Authorize.net files that support the integration of the payment gateway into the WooCommerce environment.

    The code injected at the end of the file checks if the body of the HTTP request contains the string "wc-authorize-net-cim-credit-card-account-number". The presence of this string means that the HTTP request contains payment data that is sent after the user checks out from the cart.

    The code then generates a random password, encrypts the victim's payment details with AES-128-CBC, and stores them in an image file that is later sent to the hackers.

    Next, the cybercriminals inject code into the Authorize.net file "wc-authorize-net-cim.min.js". The injected code intercepts additional payment details from input form elements on the infected site, including the victim's name, delivery address, phone number, and postal code.

    Another notable aspect of this campaign is the stealth of the skimmer.

    • malicious code is embedded in the legitimate files of the payment gateway, so regular scans of the site's HTML code do not detect malicious code;
    • encryption of stolen payment data helps to avoid detection;
    • misuse of WordPress' Heartbeat API to mimic normal traffic and mix it with victims' payment data during exfiltration helps hackers evade detection by security tools that track unauthorized data exfiltration.

    As members of the MageCart group improve their tactics and increase the number of attacks on WooCommerce and WordPress sites, it is important for site owners and administrators to remain vigilant and apply strong security measures.
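An added example, not code from Sucuri's report or from the plugin: a Python heuristic that flags PHP files in a plugin directory where the three server-side traits described above co-occur (the card-number field name, AES-128-CBC encryption, and a write to an image file). The regular expressions, function names and both sample strings are constructed assumptions, and the injected JavaScript is out of scope.

```python
import re
from pathlib import Path

# Traits taken from the article's description of the injected PHP (assumed patterns).
INDICATORS = {
    "card_field": re.compile(r"wc-authorize-net-cim-credit-card-account-number"),
    "aes_128_cbc": re.compile(r"openssl_encrypt\s*\(.*aes-128-cbc", re.I),
    "image_write": re.compile(
        r"(file_put_contents|fopen|fwrite)\s*\(.*\.(jpe?g|png|gif|ico)\b", re.I),
}

def scan_source(text):
    """Return {indicator: [line numbers]} for one file's contents."""
    hits = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits

def is_suspicious(text):
    """Flag only when all three traits co-occur; the field name alone
    is expected in a legitimate gateway module."""
    return all(scan_source(text).values())

def scan_tree(root):
    """Walk a plugin directory and return suspicious PHP files with their hits."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if is_suspicious(text):
            findings[str(path)] = scan_source(text)
    return findings

# Constructed samples (not taken from the real plugin or from the malware).
CLEAN = '<?php\n$field = "wc-authorize-net-cim-credit-card-account-number";\n'
TAMPERED = CLEAN + (
    '$raw = file_get_contents("php://input");\n'
    'if (strpos($raw, "wc-authorize-net-cim-credit-card-account-number") !== false) {\n'
    '    $blob = openssl_encrypt($raw, "aes-128-cbc", $pw, 0, $iv);\n'
    '    file_put_contents($dir . "/cache.png", $blob);\n'
    '}\n'
)

if __name__ == "__main__":
    print("clean:", is_suspicious(CLEAN))
    print("tampered:", is_suspicious(TAMPERED), scan_source(TAMPERED))
```

String matching misses obfuscated injections, so a clean result is inconclusive; also compare the module's files with a pristine copy of the same plugin version.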

    Author DeepWeb