WooCommerce Targeted by Sophisticated Credit Card Skimmers

As reported by Sucuri, a new stealthy credit card skimming campaign is evading security scans by hiding its malicious code inside WooCommerce’s Authorize.net payment gateway module, making it particularly hard to find and uproot and leading to extended periods of data exfiltration. WooCommerce is used by roughly 40% of all online stores.

The previous strategy of injecting malicious JavaScript into the HTML of the checkout pages became too easy for security software to detect. Innovative threat actors are now injecting malicious scripts directly into the site’s Authorize.net payment gateway module, which is used to process credit card payments. When successful, the code generates a random password, encrypts the victim’s payment details with it, and stores them in an image file for attackers to retrieve.

This technique is harder to detect than traditional skimming methods for a few reasons:

  • Malicious scripts are called only after a user submits their credit card details and checks out
  • Regular scans of the website wouldn’t yield any results, because the code is injected into legitimate payment gateway files
  • Threat actors manipulate WordPress’s Heartbeat API to mimic regular traffic and blend the victims’ payment data in with it during exfiltration
  • Instead of transferring details in plaintext, the stolen data is encrypted and hidden inside image files
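The two detection ideas implied by the points above are file-integrity checking of the payment gateway code (injected code changes a legitimate file’s hash) and looking for “image” files whose contents are not actually an image (encrypted data dropped under a .png name). The script below is an added example written for this article; it is not Sucuri’s or WooCommerce’s code. The plugin layout, the file names, the baseline hashes and the tampered sample are all constructed inside the script for the demonstration.

```python
"""Defender-side checks for the skimmer pattern described above.

Added example, not code from Sucuri or WooCommerce. The plugin directory,
baseline hashes and sample files are constructed in build_demo() (assumed
layout; a real deployment would hash a pristine copy of the plugin instead).
"""
import hashlib
import tempfile
from pathlib import Path

# Header bytes a genuine image of each type must start with.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_fake_images(root: Path) -> list[str]:
    """Return files named like images whose header is not an image header.
    An encrypted blob stored under a .png name, as described in the article,
    fails this check while real uploads pass it."""
    hits = []
    for p in sorted(root.rglob("*")):
        sigs = IMAGE_MAGIC.get(p.suffix.lower())
        if not p.is_file() or sigs is None:
            continue
        with p.open("rb") as f:
            head = f.read(8)
        if not any(head.startswith(s) for s in sigs):
            hits.append(p.relative_to(root).as_posix())
    return hits


def find_modified_files(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare every file under root with a baseline of known-good hashes.
    Code injected into a legitimate gateway file shows up as 'modified';
    files the baseline does not know show up as 'unexpected'."""
    findings = []
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = baseline.get(rel)
        if expected is None:
            findings.append((rel, "unexpected"))
        elif sha256_file(p) != expected:
            findings.append((rel, "modified"))
    for rel in baseline:
        if rel not in seen:
            findings.append((rel, "missing"))
    return findings


def build_demo() -> tuple[Path, Path, dict[str, str]]:
    """Constructed sample tree (not real WooCommerce files): a hypothetical
    plugin directory with one clean and one tampered file, and an uploads
    directory with one real PNG header and one opaque blob named .png."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "plugins" / "demo-gateway"   # hypothetical plugin name
    uploads = root / "uploads"
    plugin.mkdir(parents=True)
    uploads.mkdir()

    clean = "<?php\n// constructed demo gateway\nfunction demo_process_payment($order) { return true; }\n"
    (plugin / "class-gateway.php").write_text(clean)
    (plugin / "helpers.php").write_text("<?php\nfunction demo_helper() {}\n")
    # Baseline is taken from the pristine files, as it would be from a fresh plugin copy.
    baseline = {p.relative_to(plugin).as_posix(): sha256_file(p)
                for p in plugin.rglob("*") if p.is_file()}
    # Simulate tampering after the baseline was recorded: one appended line.
    (plugin / "class-gateway.php").write_text(clean + "// simulated appended line\n")
    # A real PNG header versus an opaque blob hiding under an image name.
    (uploads / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (uploads / "cache-1.png").write_bytes(bytes(range(32)))  # constructed non-image bytes
    return plugin, uploads, baseline


if __name__ == "__main__":
    plugin_dir, uploads_dir, known_good = build_demo()
    print("fake images:", find_fake_images(uploads_dir))
    print("integrity findings:", find_modified_files(plugin_dir, known_good))
```

In practice the baseline would be generated from a clean copy of the plugin at the pinned version and stored off the web server, and both checks would run on a schedule; the image check is only a triage signal, since legitimate non-image files can also carry image extensions.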

Baber Amin, COO, Veridium:

   “Security measures offered by EMV and contactless cards are compromised when a user enters their credit card information during an online checkout. Additionally, this process exposes a user’s identity information, e.g. email addresses, shipping addresses, and possibly passwords.

To ensure a safe online shopping experience, it is crucial for website administrators to regularly update their content management systems and plugins. 

For merchants and consumers both, consider the following measures for increased security.

  • Use of virtual cards for online shopping
  • Use of services like PayPal and Amazon Pay for online shopping and checkout, for an additional layer of payment protection.
  • Adoption of payment services like Apple Pay or Google Pay, which employ tokenization to safeguard sensitive information. These services offer a more secure and convenient experience, both in-person and online. Tokens, which are generated for each transaction, cannot be reused if stolen. This approach overcomes the limitations of EMV cards, which lack chip readers for online payments.
  • And lastly look for embedded finance vendors that can combine biometrics with tokenized payments to eliminate both credit card and identity data from ever getting to the payment gateway.”

This is all good advice that we all need to follow when shopping online, as the threats related to online shopping are increasing every single day.

UPDATE: Rui Ribeiro, CEO and Cofounder, Jscrambler added this comment:

     “This attack highlights an often-overlooked security issue: companies must protect the client-side experience from the moment the visitor is on the site to the moment they leave. In this case, the hacker injected malicious code directly into the payment module, collecting sensitive data. This incident underscores how important it is for security teams to know about all the third-party JavaScript running on their website, what data it is accessing, and when. Not only is the customer experience tainted, but the compromised websites can face issues around data privacy, loss of revenue and reputation. New regulations under PCI DSS v4 will require companies to monitor this type of activity on payment pages. To do that, they will need visibility and control over the JavaScript that’s loaded into their web pages, whatever the source, every time. Whether it’s a hijacking attack, data skimming or a simple configuration error, we must protect each visitor interaction.”
