Apr 06, 2024NewsroomSkimmer / Threat Intelligence

Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites.

The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of “improper neutralization of special elements” that could pave the way for arbitrary code execution.

It was addressed by the company as part of security updates released on February 13, 2024.

Sansec said it discovered a “cleverly crafted layout template in the database” that’s being used to automatically inject malicious code to execute arbitrary commands.

“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the company said.

“Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested.”

The command in question is sed, which is used to insert a code execution backdoor that’s then responsible for delivering a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.

The development comes as the Russian government has charged six people for using skimmer malware to steal credit card and payment information from foreign e-commerce stores at least since late 2017.

The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News reported that the arrests were made a year ago, citing court documents.

“As a result, members of the hacker group illegally took possession of information about almost 160 thousand payment cards of foreign citizens, after which they sold them through shadow internet sites,” the Prosecutor General’s Office of the Russian Federation said.

Dec 22, 2023NewsroomSkimming / Web Security

Threat hunters have discovered a rogue WordPress plugin that’s capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

“As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy,” security researcher Ben Martin said. “In this case, comments claim the code to be ‘WordPress Cache Addons.'”

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it’s automatically enabled and conceals its presence from the admin panel.

“Since the only way to remove any of the mu-plugins is by manually removing the file the malware goes out of its way to prevent this,” Martin explained. “The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use.”

The fraudulent plugin also comes with an optionF to create and hide an administrator user account from the legitimate website admin to avoid raising red flags and have sustained access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.

“Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they’ve needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess,” Martin said.

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that alerts users of an unrelated security flaw in the web content management system and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the “RESERVED” status associated with a CVE identifier, which happens when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details are yet to be filled.

It also comes as the website security firm discovered another Magecart campaign that uses the WebSocket communications protocol to insert the skimmer code on online storefronts. The malware then gets triggered upon clicking a fake “Complete Order” button that’s overlaid on top of the legitimate checkout button.

Europol’s spotlight report on online fraud released this week described digital skimming as a persistent threat that results in the theft, re-sale, and misuse of credit card data. “A major evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect,” it said.

The E.U. law enforcement agency said it also notified 443 online merchants that their customers’ credit card or payment card data had been compromised via skimming attacks.

Group-IB, which also partnered with Europol on the cross-border cybercrime fighting operation codenamed Digital Skimming Action, said it detected and identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries across Europe and the Americas.

“In total, 132 JS-sniffer families are known, as of the end of 2023, to have compromised websites worldwide,” the Singapore-headquartered firm added.

That’s not all. Bogus ads on Google Search and Twitter for cryptocurrency platforms have been found to promote a cryptocurrency drainer named MS Drainer that’s estimated to have already plundered $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

“By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost,” ScamSniffer said.