Credit card stealers used in targeting payment processing modules

April 3, 2023
Hackers are running a new cybercriminal operation that injects credit card stealers into payment processing modules. The campaign obfuscates its malicious code within the Authorize[.]net payment gateway module, enabling the actors to bypass detection by security scans.

Numerous online merchants now adopt security software that scans the HTML of public-facing e-commerce websites for malicious scripts. Hence, threat actors have been in a tight spot recently.

Hackers have injected their credit card stealers into their target’s payment gateway.

The threat actors devised a new strategy: injecting credit card stealers directly into the targeted website’s payment module to bypass security detection. These modules process credit card payments during checkout.

Cybersecurity solutions have difficulty detecting these threats because the extensions commonly run after users submit their credit card details and check out.

Researchers discovered this new campaign after investigating an unusual infection chain on one compromised system.

Many threat groups target e-commerce websites because a more direct attack on them can yield profit. WooCommerce, one of WordPress’s most popular e-commerce platforms, currently accounts for 40% of all online stores.

Therefore, hackers have targeted this platform since many stores accept credit cards on these websites.

The researchers discovered that the attackers altered the “class-wc-authorize-net-cim.php” file, one of Authorize.net’s files, on the infected device, since this file supports the payment gateway’s integration.

The code the hackers injected at the end of the file checks whether the HTTP request body includes the “wc-authorize-net-cim-credit-card-account-number” string, meaning it contains payment card data after a user checks out their cart on the online store.

If payment card data is present, the code creates a random password, encrypts the victim’s payment information, and stores it in an image file that the hackers can later recover.
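Because the injected code sits in a server-side PHP file rather than in the page HTML, the check that catches it is a file-level comparison of the deployed plugin against a known-good copy. The sketch below is an added example, not code from the researchers or the plugin; the directory layout, file contents and function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Form field name quoted in the article; the injected code looked for it.
CARD_FIELD = b"wc-authorize-net-cim-credit-card-account-number"


def audit(clean_root: Path, live_root: Path) -> dict[str, str]:
    """Compare the deployed plugin's PHP files against a known-good copy."""
    clean = {p.relative_to(clean_root).as_posix(): p.read_bytes()
             for p in clean_root.rglob("*.php")}
    findings = {}
    for p in sorted(live_root.rglob("*.php")):
        rel, data = p.relative_to(live_root).as_posix(), p.read_bytes()
        good = clean.pop(rel, None)
        if good is None:
            findings[rel] = "unexpected file"
        elif data != good:
            # The article's case: original content intact, extra code at the end.
            base = good.rstrip()
            tail = data[len(base):].strip() if data.startswith(base) else b""
            if CARD_FIELD in tail:
                findings[rel] = "appended code references card-number field"
            elif tail:
                findings[rel] = "code appended to end of file"
            else:
                findings[rel] = "modified"
    findings.update({rel: "missing" for rel in sorted(clean)})
    return findings


def demo() -> dict[str, str]:
    """Run the audit on constructed placeholder files (not real plugin code)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            root.mkdir()
            (root / "class-wc-authorize-net-cim.php").write_bytes(b"<?php\n// gateway\n")
            (root / "helper.php").write_bytes(b"<?php\n// helper\n")
        # Constructed tampering: a harmless appended comment naming the field.
        with open(live / "class-wc-authorize-net-cim.php", "ab") as fh:
            fh.write(b"// constructed marker: " + CARD_FIELD + b"\n")
        (live / "cache.php").write_bytes(b"<?php\n")  # file absent from clean copy
        (live / "helper.php").unlink()                # file removed from live site
        return audit(clean, live)


if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{path}: {finding}")
```

In practice `clean_root` would be a fresh download of the same plugin version and `live_root` the plugin directory on the web server.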

E-commerce stores and users should always be wary since threat actors constantly look for new ways to infect targets and execute malicious attacks.
