The attacks target the Authorize.net payment gateway on WordPress sites using the WooCommerce plugin, according to a March 21 blog post from web security company Sucuri. Authorize.net is used by over 430,000 merchants. Card skimming attacks such as this one are called Magecart attacks. Typically, hackers inject malicious code directly into a website’s HTML or checkout pages to pilfer payment data. Companies such as Emma Sleep Company, See Tickets, and Nutribullet have fallen victim to this type of attack in recent years. However, Sucuri has noted the attack in question is more sophisticated than traditional Magecart campaigns. The company began its analysis of the attack after one of its clients’ websites fell victim.
New Attack Encrypts Skimmed Data
After analyzing its client’s website, Sucuri found a suspicious line of code indicating a malicious injection. Upon further study, they found several interesting elements to siphon information and evade detection. For starters, the code saves the stolen card data as an encrypted .jpg file, with a randomly assigned password using an AES-128 CBC block cipher. Usually, Magecart malware dumps its haul as plain text or as simple base64 encoded data. The code also contains a string to filter data other than card information. “The fact that they have included some additional steps to encrypt the data with both a key file and a randomly generated string indicates that they’re ensuring that only the attackers responsible for the injection are able to pilfer the details and sell them on the black market,” Sucuri stated. “Moreover, this would stymie efforts by fraud prevention officers or law enforcement to further investigate the theft,” the blog post reads.
Attackers Steal Personal Info to Create More Valuable Dark Web Datasets
Sucuri also found another malicious file that allows the attacker to steal more information, such as names, addresses, phone numbers, and postal codes. This makes the dataset more valuable when it is sold on the dark web. This file also emulates a WordPress API called Heartbeat, which maintains constant communication between the website and the server. By mimicking the Heartbeat API, the attacker avoids triggering safety measures in place that would otherwise prevent such data exfiltration. This allows the malicious activity to remain undetected. Sucuri stated that this attack is a reminder to website operators to stay on the lookout for threats and to enable strong and dynamic security measures. If you’re worried about credit card fraud, we recommend reading up on phishing, identity theft, and dark web monitoring. These articles contain useful information on how you can improve your security. You will also learn how to minimize the damage caused by your data falling into the wrong hands.
