A newly identified credit card web skimmer, known as Caesar Cipher Skimmer, is targeting multiple content management systems (CMS) including WordPress, Magento, and OpenCart. This type of malware is designed to infiltrate e-commerce sites to steal financial and payment information.
Sucuri reports that the skimmer modifies the checkout PHP file associated with the WooCommerce plugin for WordPress (“form-checkout.php”) to capture credit card details. The malware attempts to disguise itself by mimicking Google Analytics and Google Tag Manager, making the injected code less suspicious.
The Caesar Cipher Skimmer uses a substitution mechanism similar to the Caesar cipher to encode its malicious code into a garbled string, concealing the external domain that hosts the payload. The compromised websites appear to have been previously infiltrated, staging PHP scripts named “style.css” and “css.php” to mimic HTML style sheets and avoid detection.
1/ New “Caesar Cipher Skimmer” malware targets multiple e-commerce platforms. Security firm Sucuri reports 80+ infections in 2 weeks across WordPress, Magento, and OpenCart sites. Malware uses ancient cipher technique to obfuscate code, evading detection. pic.twitter.com/DsJCdwOtQO
— Pacific Security Labs (@pacificseclabs) June 26, 2024
These scripts load another obfuscated JavaScript code that creates a WebSocket connection to fetch the actual skimmer. The script sends the URL of the current web page to attackers, allowing them to send customized responses for each infected site. Some script versions even check if the user is logged into WordPress, modifying the response accordingly. Comments in Russian within the code suggest that Russian-speaking threat actors are behind the operation.
The form-checkout.php file in WooCommerce is not the only entry point. Attackers have also misused the legitimate WPCode plugin to inject the skimmer into the website database. For Magento sites, JavaScript injections occur in database tables such as core_config_data. The method of injection on OpenCart sites remains unknown.
🚨 Alert! Multiple CMS platforms including #WordPress, #Magento, and #OpenCart are under attack by a new credit card web skimmer dubbed Caesar Cipher Skimmer. Stay vigilant and protect your sites! 🔒 #CyberSecurity #WebSafety #EcommerceSecurity
— Blue Cloak (@blu3cloak) June 26, 2024
Given the widespread use of WordPress and its plugin ecosystem, these platforms present a lucrative target for attackers. Site owners are urged to keep their CMS software and plugins up-to-date, enforce strong password practices, and regularly audit for suspicious administrator accounts to mitigate these risks.
Start Growing with Cloudways Today.
Our Clients Love us because we never compromise on these
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
