WordPress sites using the WooCommerce plug-in are targeted by credit card skimming criminals. It is the first time that these kinds of Magecart-like attacks targeting WordPress have been discovered.

The attacks were discovered by Sucuri security researcher Ben Martin. Sucuri received a report that fraudulent credit card transactions were taking place. Martin then discovered a code injection to steal both the credit card number and the card security code from consumers. The attacks modify a JavaScript file used by WordPress, making the code difficult to detect.

Stolen data is sent to two image files stored in the wp content/uploads folder and is automatically deleted when the hackers open the file.

Martin recommends companies to disable instant file editing for wp-admin in order to increase the security of their WordPress website. You can do this by adding the following line to your wp-config.php.file: define( ‘DISALLOW_FILE_EDIT’, true );”.

According to Martin, WooCommerce and other WordPress-based e-commerce websites have been targeted before, but this is usually limited to changing the payment data within the plug-in settings.

Online credit card skimming

Most people will think of ATMs that have been modified by criminals to copy and steal credit card details from unsuspecting people, when they hear credit card skimming. But online, a credit card can also be skimmed without people noticing anything. The best known hacking group stealing credit card data on a large scale is Magecart; they are responsible for the theft of payment details and personal information from 380,000 British Airways customers in 2018, among others. That same year, 40,000 Ticketmaster customers were also victims of web skimming.