Apr 12, 2024NewsroomWeb Security / WordPress

Cybersecurity researchers have discovered a credit card skimmer that’s concealed within a fake Meta Pixel tracker script in an attempt to evade detection.

Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom CSS and JS or the “Miscellaneous Scripts” section of the Magento admin panel.

“Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery,” security researcher Matt Morrow said.

The bogus Meta Pixel tracker script identified by the web security company contains similar elements as its legitimate counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain “connect.facebook[.]net” with “b-connected[.]com.”

While the former is a genuine domain linked to the Pixel tracking functionality, the replacement domain is used to load an additional malicious script (“fbevents.js”) that monitors if a victim is on a checkout page, and if so, serves a fraudulent overlay to grab their credit card details.

It’s worth noting that “b-connected[.]com” is a legitimate e-commerce website that has been compromised at some point to host the skimmer code. What’s more, the information entered into the fake form is exfiltrated to another compromised site (“www.donjuguetes[.]es”).

To mitigate such risks, it’s recommended to keep the sites up-to-date, periodically review admin accounts to determine if all of them are valid, and update passwords on a frequent basis.

This is particularly important as threat actors are known to leverage weak passwords and flaws in WordPress plugins to gain elevated access to a target site and add rogue admin users, which are then used to perform various other activities, including adding additional plugins and backdoors.

“Because credit card stealers often wait for keywords such as ‘checkout’ or ‘onepage,’ they may not become visible until the checkout page has loaded,” Morrow said.

“Since most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners and the only way to identify the malware is to check the page source or watch network traffic. These scripts run silently in the background.”

The development comes as Sucuri also revealed that sites built with WordPress and Magento are the target of another malware called Magento Shoplift. Earlier variants of Magento Shoplift have been detected in the wild since September 2023.

The attack chain starts with injecting an obfuscated JavaScript snippet into a legitimate JavScript file that’s responsible for loading a second script from jqueurystatics[.]com via WebSocket Secure (WSS), which, in turn, is designed to facilitate credit card skimming and data theft while masquerading as a Google Analytics script.

“WordPress has become a massive player in e-commerce as well, thanks to the adoption of Woocommerce and other plugins that can easily turn a WordPress site into a fully-featured online store,” researcher Puja Srivastava said.

“This popularity also makes WordPress stores a prime target — and attackers are modifying their MageCart e-commerce malware to target a wider range of CMS platforms.”

Dec 16, 2023NewsroomOnline Security / Cybercrime

Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it’s tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.

The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens.

“After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity,” the tech giant said in a series of posts on X (formerly Twitter).

The foothold obtained in this manner further acts as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources in order to grab sensitive information, specifically going after gift card-related services to facilitate fraud.

On top of that, Storm-0539 collects emails, contact lists, and network configurations for follow-on attacks against the same organizations, necessitating the need for robust credential hygiene practices.

Redmond, in its monthly Microsoft 365 Defender report published last month, described the adversary as a financially motivated group that has been active since at least 2021.

“Storm-0539 carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access,” it said.

“The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities.”

The disclosure comes days after the company said it obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152 that sold access to approximately 750 million fraudulent Microsoft accounts as well as identity verification bypass tools for other technology platforms.

Earlier this week, Microsoft also warned that multiple threat actors are abusing OAuth applications to automate financially motivated cyber crimes, such as business email compromise (BEC), phishing, large-scale spamming campaigns, and deploy virtual machines to illicitly mine for cryptocurrencies.

Dec 22, 2023NewsroomSkimming / Web Security

Threat hunters have discovered a rogue WordPress plugin that’s capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

“As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy,” security researcher Ben Martin said. “In this case, comments claim the code to be ‘WordPress Cache Addons.'”

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it’s automatically enabled and conceals its presence from the admin panel.

“Since the only way to remove any of the mu-plugins is by manually removing the file the malware goes out of its way to prevent this,” Martin explained. “The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use.”

The fraudulent plugin also comes with an optionF to create and hide an administrator user account from the legitimate website admin to avoid raising red flags and have sustained access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.

“Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they’ve needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess,” Martin said.

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that alerts users of an unrelated security flaw in the web content management system and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the “RESERVED” status associated with a CVE identifier, which happens when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details are yet to be filled.

It also comes as the website security firm discovered another Magecart campaign that uses the WebSocket communications protocol to insert the skimmer code on online storefronts. The malware then gets triggered upon clicking a fake “Complete Order” button that’s overlaid on top of the legitimate checkout button.

Europol’s spotlight report on online fraud released this week described digital skimming as a persistent threat that results in the theft, re-sale, and misuse of credit card data. “A major evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect,” it said.

The E.U. law enforcement agency said it also notified 443 online merchants that their customers’ credit card or payment card data had been compromised via skimming attacks.

Group-IB, which also partnered with Europol on the cross-border cybercrime fighting operation codenamed Digital Skimming Action, said it detected and identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries across Europe and the Americas.

“In total, 132 JS-sniffer families are known, as of the end of 2023, to have compromised websites worldwide,” the Singapore-headquartered firm added.

That’s not all. Bogus ads on Google Search and Twitter for cryptocurrency platforms have been found to promote a cryptocurrency drainer named MS Drainer that’s estimated to have already plundered $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

“By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost,” ScamSniffer said.