Carding Automation: Malicious PyPI Package Threatens Stores


A recently discovered malicious Python package on the Python Package Index (PyPI) named “disgrasya” has been found to contain a fully automated carding script targeting WooCommerce stores.

Unlike typical supply chain attacks that attempt to deceive users, “disgrasya” made no attempt to appear legitimate. As the Socket research team notes, “it was openly malicious, abusing PyPI as a distribution channel to reach a wider audience of fraudsters”. The malicious script specifically targets WooCommerce stores using the CyberSource payment gateway.

Carding attacks involve fraudsters testing stolen credit card numbers to determine their validity. Attackers acquire card data from various sources, including dark web marketplaces, Telegram channels, and leaked databases. Automated carding tools like “disgrasya” are used to simulate real transactions and verify which stolen cards are still active. Cards confirmed as valid are then worth more on the black market.

Carding attacks pose a significant threat to online businesses. Juniper Research estimates that online payment fraud, including carding, will cost businesses over $362 billion globally between 2023 and 2028. These attacks are difficult to detect because they mimic legitimate customer behavior.

The “disgrasya” package is particularly alarming because of its reach: it was downloaded more than 34,860 times. The malicious payload was introduced in version 7.36.9 and persisted in subsequent versions.

The term “disgrasya” is Filipino slang for “disaster” or “accident,” which aptly describes the package’s functionality. The script automates a series of steps to mimic a legitimate shopper’s transaction, allowing attackers to test stolen credit cards against real checkout systems without triggering fraud detection.

Here’s a breakdown of the attack logic:

  1. Extract Product ID: The script extracts a product ID from the target WooCommerce store’s product listing page.
  2. Add Product to Cart: The script adds a product to the cart via an AJAX request, simulating a legitimate shopper’s action.
  3. Extract Checkout Tokens: The script retrieves the CSRF nonce (“woocommerce-process-checkout-nonce”) and CyberSource “capture_context” from the checkout page’s HTML.
  4. Simulate Checkout and Exfiltrate Data: The script submits a final POST request to the WooCommerce AJAX checkout endpoint with randomized billing details and stolen card data. The script exfiltrates stolen credit card data (card number, expiration date, and CVV) along with the “capture_context” to an external server controlled by the attacker.

The “disgrasya” package is dangerous because its actions are designed to be indistinguishable from legitimate user behavior. As the report states, “Every action it performs is indistinguishable from what a normal user might do”.

The report emphasizes that this threat targets online merchants, particularly those using WooCommerce with CyberSource. To mitigate the risk, merchants are advised to:

  • Enable fraud protection rules.
  • Monitor for suspicious patterns.
  • Adjust fraud protection rules dynamically.
  • Enable CAPTCHA or bot protection.
  • Implement rate limiting.
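
One way a merchant can act on the “monitor for suspicious patterns” and “rate limiting” advice is to look for checkout velocity in web server logs, since an automated card tester must hit the checkout endpoint far more often than a real shopper. The following detector is an added example written for this article, not code from the Socket report or from the package; it assumes combined-format access logs and that WooCommerce checkout submissions appear as `POST /?wc-ajax=checkout` (both assumptions, as are the constructed sample lines).

```python
"""Flag clients that POST to the WooCommerce checkout endpoint too often.
Added example, not from the report. Assumes Apache/Nginx combined log format
and that the checkout AJAX endpoint shows up as POST /?wc-ajax=checkout."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log fields we need: client IP, timestamp, method, request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CHECKOUT_PATH = "/?wc-ajax=checkout"  # assumed endpoint path, adjust per site

def parse_line(line):
    """Return (ip, datetime, method, path), or None for lines we can't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), \
        m.group("method"), m.group("path")

def flag_checkout_velocity(lines, window=timedelta(minutes=5), threshold=5):
    """Return {ip: peak_count} for clients whose checkout POSTs exceed
    `threshold` inside any sliding window of length `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of checkout POSTs in window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != CHECKOUT_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample log: one client submits checkout 8 times in a minute
# (card-testing pattern); a second client behaves like a normal shopper.
SAMPLE_LOG = [
    f'203.0.113.9 - - [03/Apr/2025:10:00:{s:02d} +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512'
    for s in range(0, 60, 8)
] + [
    '198.51.100.4 - - [03/Apr/2025:10:00:30 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 210',
    '198.51.100.4 - - [03/Apr/2025:10:01:05 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512',
]
```

Flagged IPs are candidates for rate limiting or a CAPTCHA challenge at checkout; tune `window` and `threshold` to the store's normal traffic before acting automatically.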

While the “disgrasya” package has been removed from PyPI, the underlying techniques remain a threat. The report concludes that “vigilant monitoring and layered defenses at the checkout level are key to preventing fraud and minimizing exposure”.
