Malicious PyPI Package Targets E-commerce Sites with Automated Carding Script
Cybersecurity researchers from Socket have exposed a malicious Python package on PyPI, named disgrasya, designed to automate credit card fraud on WooCommerce-based e-commerce sites.
Unlike conventional supply chain attacks that rely on deception or typosquatting, disgrasya was overtly malicious, leveraging PyPI as a distribution platform to reach a broad audience of fraudsters.
The package specifically targets merchants using WooCommerce with CyberSource as their payment gateway.
Automated Carding: A Growing Cybercrime Threat
Carding attacks involve testing stolen credit card details to determine their validity.
Fraudsters typically acquire these details from dark web marketplaces, leaked databases, or underground forums.
Tools like disgrasya streamline this process by simulating legitimate transactions on e-commerce platforms.
According to the report, these scripts tokenize card data and submit it to payment gateways, enabling attackers to verify whether the cards are active without triggering fraud detection mechanisms.
The economic impact of such attacks is staggering. According to Juniper Research, global online payment fraud is projected to cost businesses over $362 billion between 2023 and 2028.
Carding attacks represent a significant portion of this loss, with annual damages expected to nearly double from $38 billion in 2023 to $91 billion by 2028.
Technical Breakdown of the Attack
The disgrasya package employs a multi-step attack process that mimics legitimate user behavior:
- Product Identification: The script begins by extracting a product ID from the targeted WooCommerce store through a GET request.
- Cart Manipulation: It then adds the identified product to the cart using WooCommerce’s AJAX API.
- Token Harvesting: The script navigates to the checkout page to extract critical security tokens, including the CSRF nonce and CyberSource’s capture_context, which are essential for processing payments.
- Card Validation: Using stolen credit card details, the script submits tokenized payment data via WooCommerce’s checkout endpoint. If successful, this confirms the card’s validity.
What makes disgrasya particularly dangerous is its ability to blend into normal traffic patterns.
By emulating real user actions, such as navigating product pages and adding items to carts, it avoids detection by traditional fraud prevention systems.
At the time of its discovery, disgrasya had been downloaded over 34,000 times.
Its malicious payload was introduced in version 7.36.9 and persisted in all subsequent versions.
The package’s name, derived from Filipino slang meaning “disaster,” aptly describes its devastating impact on e-commerce security.
The script also exfiltrates sensitive credit card data to an external server controlled by the attacker (railgunmisaka[.]com).
This data is then tokenized and used for further fraudulent activities, bypassing most fraud detection systems.
To counter such threats, WooCommerce merchants are advised to implement robust security measures:
- Enable fraud protection rules, such as blocking low-value transactions often used in carding attacks.
- Monitor for suspicious patterns like high failure rates or multiple small orders from a single IP address.
- Employ CAPTCHA or bot protection during checkout processes.
- Rate-limit checkout and payment endpoints to reduce automated abuse.
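As an added example (not code from the Socket report or from the package it describes), the following Python script implements the monitoring advice above: it scans constructed checkout log lines and flags client IPs with a burst of declined or low-value payment attempts within a short window. The log format, the IP addresses and the thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample checkout log (not from the article): one line per payment
# attempt. 203.0.113.5 shows the card-testing pattern: a burst of $1.00 orders, mostly declined.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 203.0.113.5 checkout amount=1.00 status=declined
2025-04-01T10:00:03Z 203.0.113.5 checkout amount=1.00 status=declined
2025-04-01T10:00:04Z 203.0.113.5 checkout amount=1.00 status=approved
2025-04-01T10:00:06Z 203.0.113.5 checkout amount=1.00 status=declined
2025-04-01T10:00:09Z 203.0.113.5 checkout amount=1.00 status=declined
2025-04-01T10:02:00Z 198.51.100.7 checkout amount=59.90 status=approved
2025-04-01T11:30:00Z 198.51.100.7 checkout amount=24.50 status=approved
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) checkout "
                     r"amount=(?P<amount>[\d.]+) status=(?P<status>\w+)$")

def parse_log(text):
    """Yield (timestamp, ip, amount, status); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], float(m["amount"]), m["status"]

def flag_carding_ips(text, window=timedelta(minutes=10), min_attempts=5,
                     max_failure_rate=0.5, low_value=5.0):
    """Return {ip: [reasons]} for IPs whose checkouts inside any `window`
    look like card testing. Thresholds are illustrative; tune to real traffic."""
    by_ip = defaultdict(list)
    for ts, ip, amount, status in parse_log(text):
        by_ip[ip].append((ts, amount, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # all attempts from this IP within `window` of the i-th attempt
            win = [e for e in events[i:] if e[0] - start <= window]
            if len(win) < min_attempts:
                continue
            reasons = []
            declined = sum(1 for _, _, s in win if s != "approved")
            if declined / len(win) >= max_failure_rate:
                reasons.append("high decline rate")
            if sum(1 for _, a, _ in win if a <= low_value) >= min_attempts:
                reasons.append("burst of low-value orders")
            if reasons:
                flagged[ip] = reasons
                break  # one finding per IP is enough
    return flagged
```

Feeding the output to a rate limiter or a manual review queue, rather than blocking outright, avoids penalizing a shared NAT address on a single false positive.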
Though disgrasya has been removed from PyPI, the broader technique remains viable. Attackers can easily republish similar scripts under new names or host them on alternative platforms.
The discovery of disgrasya highlights the evolving sophistication of cybercriminals targeting e-commerce platforms.
By leveraging automation and stealth tactics, attackers are lowering the barriers for entry into high-impact fraud campaigns.
Vigilant monitoring and layered security defenses are essential for merchants to safeguard their operations against such threats.