Sneaky Credit Card Skimmer Disguised as Innocent Facebook Tracker

Apr 12, 2024 | Newsroom | Web Security / WordPress

Cybersecurity researchers have discovered a credit card skimmer that is concealed within a fake Meta Pixel tracker script in an attempt to evade detection.

Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom CSS and JS or the “Miscellaneous Scripts” section of the Magento admin panel.

“Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery,” security researcher Matt Morrow said.

The bogus Meta Pixel tracker script identified by the web security company contains similar elements as its official counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain “connect.facebook[.]net” with “b-connected[.]com.”

While the former is a genuine domain linked to the Pixel tracking functionality, the replacement domain is used to load an additional malicious script (“fbevents.js”) that monitors whether a victim is on a checkout page and, if so, serves a fraudulent overlay to capture their credit card details.

It's worth noting that “b-connected[.]com” is a legitimate e-commerce website that has been compromised at some point to host the skimmer code. What's more, the information entered into the fake form is exfiltrated to another compromised site (“www.donjuguetes[.]es”).

To mitigate such risks, it's recommended to keep the sites up-to-date, periodically review admin accounts to determine if all of them are valid, and update passwords on a frequent basis.

This is particularly important as threat actors are known to leverage weak passwords and flaws in WordPress plugins to gain elevated access to a target site and add rogue admin users, which are then used to perform various other activities, including adding additional plugins and backdoors.

“Because credit card stealers often wait for keywords such as ‘checkout’ or ‘onepage,’ they may not become visible until the checkout page has loaded,” Morrow said.

“Since most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners and the only way to identify the malware is to check the page source or watch network traffic. These scripts run silently in the background.”

The development comes as Sucuri also revealed that sites built with WordPress and Magento are the target of another malware called Magento Shoplift. Earlier variants of Magento Shoplift have been detected in the wild since September 2023.

The attack chain begins with injecting an obfuscated JavaScript snippet into a legitimate JavaScript file that is responsible for loading a second script from jqueurystatics[.]com via WebSocket Secure (WSS), which, in turn, is designed to facilitate credit card skimming and data theft while masquerading as a Google Analytics script.
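For site owners reviewing custom-script fields, the two loading patterns described above (the Meta Pixel host substitution and the WSS second-stage fetch) can be checked statically. The following is an added example, not code from Sucuri or from this article; the function name, the WebSocket allowlist and the `.example` hosts in the samples are assumptions constructed for illustration.

```javascript
// Added example: static checks for content pasted into custom-script editors.
const PIXEL_HOST = "connect.facebook.net";
// Assumption: hosts this store legitimately opens WebSockets to (none here).
const ALLOWED_WS_HOSTS = new Set();

function auditScript(source) {
  const findings = [];
  // Rule 1: fbevents.js fetched from a host other than the official one.
  for (const m of source.matchAll(/\/\/([a-z0-9.-]+)\/[^\s"'<>]*fbevents\.js/gi)) {
    const host = m[1].toLowerCase();
    if (host !== PIXEL_HOST) findings.push({ rule: "pixel-host-mismatch", host });
  }
  // Rule 2: the official host is the target of a string substitution, so the
  // URL looks genuine in the source but is rewritten at run time.
  if (/\.replace(?:All)?\s*\([^)]{0,80}connect\\?\.facebook\\?\.net/i.test(source)) {
    findings.push({ rule: "pixel-host-rewrite", host: PIXEL_HOST });
  }
  // Rule 3: a WebSocket Secure connection to a host that is not allowlisted.
  for (const m of source.matchAll(/wss:\/\/([a-z0-9.-]+)/gi)) {
    const host = m[1].toLowerCase();
    if (!ALLOWED_WS_HOSTS.has(host)) findings.push({ rule: "unlisted-wss-host", host });
  }
  return findings;
}

// Constructed samples; hosts under .example are placeholders, not real indicators.
const SAMPLES = {
  genuine: `t.src="https://connect.facebook.net/en_US/fbevents.js";`,
  swapped: `t.src="https://cdn.skimmer.example/en_US/fbevents.js";`,
  rewritten: `t.src="https://connect.facebook.net/en_US/fbevents.js"` +
    `.replace("connect.facebook.net","cdn.skimmer.example");`,
  wsLoader: `var w=new WebSocket("wss://static.loader.example/ga");`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditScript(src)));
}
```

Heavily obfuscated skimmers can defeat string matching, so a clean result here does not replace reviewing the requests the live checkout page actually makes.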

“WordPress has become a massive player in e-commerce as well, thanks to the adoption of Woocommerce and other plugins that can easily turn a WordPress site into a fully-featured online store,” researcher Puja Srivastava said.

“This popularity also makes WordPress stores a prime target — and attackers are modifying their MageCart e-commerce malware to target a wider range of CMS platforms.”
