Saturday, December 13, 2025

Advanced Cyber Attack Exposes Skimmers on WordPress and WooCommerce

A recent investigation by the Wordfence Threat Intelligence Team has revealed a sophisticated and adaptable malware family affecting WordPress and WooCommerce sites.

Active since at least September 2023, this attack demonstrates a new level of technical cunning, leveraging both front-end JavaScript skimmers and rogue PHP-based backend systems.

Technical Sophistication and Anti-Analysis

The malware is notable for its layered anti-analysis and evasion tactics. Almost all samples use identical obfuscation and employ several advanced techniques to thwart detection:

  • Developer Tools Detection: The malware monitors for browser developer tools (like Chrome DevTools or Firefox Developer Tools). If detected, it alters its behavior to evade analysis. The code checks window dimensions for anomalies associated with the DevTools sidebar and uses custom events to signal any detected issues.
  • Anti-Debugging: Samples include infinite loops (while (true) {}) and debugger traps (debugger statements), designed to disrupt or freeze browsers during analysis sessions.
  • Shortcut Blocking: The code disables F12, Ctrl+Shift+I/J (common DevTools shortcuts), and right-click menus, further hindering manual investigation.

Additional techniques include dynamically rebinding console methods to confuse analysts, and targeted execution that ensures the malware only runs on checkout pages or other non-admin areas. It also sets cookies so that the same user is not targeted repeatedly.
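The DevTools, anti-debugging and shortcut-blocking traits described above are also what a defender can key on when triaging scripts recovered from a suspected site. The following is an added example, not code from the Wordfence report or its detection signatures: a small Node.js scanner that scores a script body against regular expressions for those traits. The indicator names, weights, the threshold and both sample scripts are constructed for this example.

```javascript
// Added example, not code from the Wordfence report: a static triage pass that
// flags a JavaScript file carrying the anti-analysis traits the article lists.
// Indicator names, weights and the threshold are this example's own choices.
const INDICATORS = [
  // window.outerWidth - window.innerWidth comparisons (docked DevTools heuristic)
  { name: 'devtools-dimension-check', weight: 3,
    re: /\b(?:outerWidth|outerHeight)\s*-\s*(?:window\.)?(?:innerWidth|innerHeight)\b/ },
  { name: 'debugger-trap',     weight: 2, re: /\bdebugger\s*;/ },
  { name: 'infinite-loop',     weight: 3, re: /while\s*\(\s*(?:true|1)\s*\)\s*\{\s*\}/ },
  // keydown handlers that swallow F12 or Ctrl+Shift+<key>
  { name: 'f12-block',         weight: 2, re: /keyCode\s*={2,3}\s*123|key\s*={2,3}\s*['"]F12['"]/ },
  { name: 'ctrl-shift-block',  weight: 2, re: /ctrlKey\s*&&\s*\w+\.shiftKey/ },
  { name: 'contextmenu-block', weight: 1, re: /['"]contextmenu['"]\s*,/ },
  // console.<method> reassigned to a no-op or another function
  { name: 'console-rebind',    weight: 2, re: /console\.\w+\s*=\s*(?:function\b|\(\s*\)\s*=>|\w+\.bind\()/ },
  // execution gated on the URL containing "checkout"
  { name: 'checkout-gate',     weight: 1, re: /location\.(?:href|pathname)[^;\n]*checkout/ },
];

// Score one script body; returns the matched indicator names and a verdict.
function triageScript(source) {
  const matched = INDICATORS.filter(ind => ind.re.test(source));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    hits: matched.map(ind => ind.name),
    score,
    verdict: score >= 5 ? 'suspicious' : 'benign',
  };
}

// Constructed sample: a benign checkout helper that legitimately reads window size.
const BENIGN_SAMPLE = `
  document.addEventListener('DOMContentLoaded', function () {
    if (window.innerWidth < 600) document.body.classList.add('narrow');
    console.log('checkout helper ready');
  });
`;

// Constructed sample: inert text carrying the traits the article describes.
// It is never executed here; it is only input to the scanner.
const SUSPICIOUS_SAMPLE = `
  setInterval(function () {
    if (window.outerWidth - window.innerWidth > 160) { debugger; while (true) {} }
  }, 500);
  document.addEventListener('keydown', function (e) {
    if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && (e.keyCode === 73 || e.keyCode === 74))) e.preventDefault();
  });
  document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
  console.log = function () {};
  if (location.href.indexOf('checkout') === -1) { /* stay idle outside checkout */ }
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign    :', JSON.stringify(triageScript(BENIGN_SAMPLE)));
  console.log('suspicious:', JSON.stringify(triageScript(SUSPICIOUS_SAMPLE)));
}
```

Run it with `node triage.js`, or call `triageScript()` on the contents of each script served by a store's checkout page. Regular expressions are a first-pass filter only: the article notes that almost all samples share the same obfuscation, so a heavily packed sample may need to be deobfuscated before these patterns become visible.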

Attack Mechanics and Payload Diversity

The malware framework is designed for versatility, supporting multiple types of malicious activity:

  • Credit Card Skimming: At its core, the malware intercepts payment and billing data from WooCommerce forms, either by injecting fake forms or overlays or by subtly capturing legitimate form submissions. Data is combined, Base64 encoded, and sent to attacker-controlled servers, often as an image request to bypass Content-Security-Policy (CSP) restrictions.
  • Credential Theft: Variants specifically target WordPress login pages, capturing usernames, passwords, and additional browser and session data, which is similarly exfiltrated.
  • Malware Distribution: Some versions replace download links on infected sites, redirecting users to malicious payloads, or distribute fake Google Ads and other deceptive content, especially to mobile users.
  • Telemetry and Profiling: Advanced variants profile users, collecting device, OS, and browser data, and even utilize Telegram bots for real-time data exfiltration.

The malware’s evasion is further enhanced by using localStorage for configuration persistence and implementing fake user verification challenges that mimic Cloudflare or other security services.
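The image-request exfiltration noted above works because a Content-Security-Policy frequently restricts connect-src (fetch and XHR) while leaving img-src open or unset, so a GET for a fake pixel whose query string carries the encoded form data is still permitted. The following added example, not from the Wordfence report, is a simplified CSP evaluator in JavaScript that places a weak policy beside a corrected one. The policies, the shop origin and the collection host are constructed, and the source matcher deliberately ignores ports, paths, nonces and hashes.

```javascript
// Added example, not code from the Wordfence report: evaluate whether a CSP header
// lets a page issue a request of a given type (img-src, connect-src, ...) to a host.
// Policies, origin and collection host below are constructed for illustration.

// Split "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Simplified source-expression matcher: 'none', *, 'self', scheme:, host, *.host.
// Ports and paths are ignored (assumption of this example, not of the CSP spec).
function sourceAllows(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const hostname = url.hostname.toLowerCase();
  const target = host.toLowerCase();
  return wildcard ? hostname.endsWith('.' + target) : hostname === target;
}

// Fetch directives fall back to default-src; if neither is present the request is allowed.
function cspAllows(header, directive, requestUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy['default-src'];
  if (sources === undefined) return true;
  const url = new URL(requestUrl);
  return sources.some(src => sourceAllows(src, url, pageOrigin));
}

// Constructed shop origin and a constructed collection URL shaped like a tracking pixel.
const PAGE_ORIGIN = 'https://shop.example';
const EXFIL_URL = 'https://cdn-stats.invalid/p.gif?d=BASE64_PLACEHOLDER';

// Weak: third-party fetch/XHR is blocked, but images may load from anywhere.
const WEAK_CSP = "default-src 'self'; script-src 'self' https://pay.example; connect-src 'self'; img-src *";
// Weak by omission: no img-src and no default-src, so images are unrestricted.
const NO_DEFAULT_CSP = "script-src 'self' https://pay.example; connect-src 'self'";
// Hardened: images only from the site itself and one named CDN.
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://pay.example; connect-src 'self'; img-src 'self' https://cdn.shop.example";

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, csp] of [['weak', WEAK_CSP], ['no-default', NO_DEFAULT_CSP], ['hardened', HARDENED_CSP]]) {
    console.log(label, 'img-src allows exfil pixel:', cspAllows(csp, 'img-src', EXFIL_URL, PAGE_ORIGIN));
  }
}
```

The point the comparison makes is that blocking connect-src alone does not stop a skimmer: the policy has to enumerate img-src (and ideally form-action and frame-src) as tightly as it does connect-src, and default-src has to exist so that any directive left out inherits a restrictive fallback.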

Rogue Plugin Tactics and Backend Access

Perhaps most concerning, the malware is packaged as a seemingly legitimate “WordPress Core” plugin. The plugin’s structure mimics genuine development practices but hides a skimmer in its public script and uses PHP to manipulate backend functions:

  • Backend Manipulation: Custom hooks auto-complete fraudulent transactions, moving orders to “completed” status to delay detection.
  • Data Collection: The plugin creates a custom post type for storing stolen data, accessible via a fake “My Account” section.
  • Plugin Deception: The plugin description and codebase are intentionally vague or contain errors (such as “Wordpress Core” instead of “WordPress Core”), a sign of automated or amateurish generation, likely leveraging AI-assisted code writing or public code snippets.

This attack highlights the increasing complexity and adaptability of web skimmers, underscoring the need for robust, multi-layered security.

Site owners should ensure they use reputable security solutions, update plugins regularly, and remain vigilant for suspicious activity, especially on checkout pages or login forms.

Wordfence has released detection signatures to its premium users, with free users gaining access after a 30-day delay.

The indicators of compromise include numerous suspicious domains and a Telegram bot API endpoint used for data exfiltration.

As skimmers become more advanced, staying informed and proactive is the best defense against them.

Indicators of Compromise

  • advertising-cdn\.com
  • api-service-188910982\.website
  • blastergallery\.com
  • chaolingtech\.com
  • contentsdeliverystat\.com
  • deliveryrange\.pro
  • emojiselect\.info
  • graphiccloudcontent\.com
  • imageresizefix\.com
