
A new report from Sucuri reveals the increasingly sophisticated tactics employed by cybercriminals targeting e-commerce websites. In a recent incident, Sucuri uncovered a complex malware infection on a WordPress site, featuring a credit card skimmer, a hidden backdoor file manager, and a malicious reconnaissance script.
The attack, specifically designed for WordPress WooCommerce websites, demonstrates a clear focus on e-commerce platforms. “The combination of credit card skimming and remote file management suggests a multifaceted attack aimed at both financial gain and long-term control,” the report states.
The infection involved three distinct malicious components:
- A heavily obfuscated JavaScript credit card skimmer injected into the checkout page.
- A hidden PHP file manager backdoor disguised as a WordPress core file.
- An information-gathering reconnaissance script placed in a location typically used for WordPress core files.
The credit card skimmer was designed to steal customer payment information during the checkout process. The code was heavily obfuscated to avoid detection and included anti-debugging measures. “The most revealing part of the code is the data exfiltration mechanism,” the report notes: the skimmer collects credit card data and billing information, encodes it, and sends it to the attacker’s server disguised as an image request.
The hidden PHP file manager backdoor provided attackers with extensive control over the compromised website. “One of the most dangerous files we found was a PHP shell, which might have allowed attackers to run system commands remotely,” the report emphasizes. This backdoor implemented features such as cookie-based authentication, complete filesystem access, directory traversal, and timestamp manipulation.
The reconnaissance script was used to verify the infection and gather information about the WordPress installation. “This allowed the attackers to monitor their presence and the site’s status,” the report explains.
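Because both the backdoor and the reconnaissance script were hidden among WordPress core files, and the backdoor could rewrite timestamps, a defender cannot rely on modification times to spot them. The following added example (not code from the Sucuri report) audits a core directory against a known-good hash manifest, flagging modified, planted and missing files by content only; the manifest, file names and contents are constructed stand-ins, and in practice the manifest would come from the checksums of the installed WordPress release.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large core files need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files):
    """files maps relative path -> pristine bytes; returns relative path -> SHA-256 hex."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def audit_core_dir(root, manifest):
    """Compare every file under root with the manifest by content hash, never by mtime."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_of(full)
    return {
        "modified": sorted(p for p in found if p in manifest and found[p] != manifest[p]),
        "unexpected": sorted(p for p in found if p not in manifest),  # planted files
        "missing": sorted(p for p in manifest if p not in found),
    }


def demo():
    """Build a constructed core-style tree with one tampered and one planted file, then audit it."""
    known_good = {  # constructed stand-ins for entries of a release manifest
        "version.php": b"<?php // constructed stand-in for a genuine core file\n",
        "js/wp-util.js": b"// constructed stand-in for a genuine core script\n",
    }
    manifest = build_manifest(known_good)
    deployed = dict(known_good)
    deployed["js/wp-util.js"] += b"// constructed stand-in for an injected skimmer loader\n"
    deployed["planted-file-placeholder.php"] = b"<?php // constructed stand-in for a backdoor\n"
    root = tempfile.mkdtemp()
    for rel, data in deployed.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.utime(full, (0, 0))  # mimic timestamp manipulation: mtime now reveals nothing
    return audit_core_dir(root, manifest)
```

Run `demo()` to see the tampered script reported as modified and the planted file as unexpected even though every file carries the same forged timestamp.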
Sucuri’s investigation revealed that the malware was communicating with malicious IPs (104.194.151.47 and 185.247.224.241) and domains (imageresizefix[.]com and imageinthebox[.]com), which have now been blocklisted by Sucuri.
The report indicates that the attack was likely carried out by a financially-motivated cybercriminal group with objectives including:
- Financial gain through harvesting credit card data.
- Persistent access to the server for ongoing exploitation.
- Using the compromised server as a platform for further attacks.
The potential impact of such malware attacks is severe, including:
- Financial loss for businesses and customers.
- Reputational damage.
- Potential PCI compliance violations.
- Loss of control over the website.
- SEO damage.