Cybersecurity researchers have discovered a credit card skimmer hiding in a fake metapixel tracker script in an attempt to evade detection.
Sucuri said the malware was injected into the site through tools that allow custom coding, such as WordPress plug-ins such as simple custom CSS and JS, or the “Miscellaneous Scripts” section of the Magento admin panel.
Security researcher Matt Morrow said: “Custom script editors are popular with bad actors because they allow external third-party (and malicious) JavaScript and can be used by exploiting names that match popular scripts like Google Analytics or libraries like JQuery. The convention effortlessly pretends to be benign.”
The fake metapixel tracker script identified by the cybersecurity firm contained similar elements to its legitimate counterpart, but closer inspection revealed the addition of JavaScript code that replaced a reference to the domain “connect.facebook”[.]net” and “b-connection”[.]com. “
While the former is the real domain linked to the pixel tracking feature, the replacement domain is used to load an additional malicious script (“fbevents.js”) that monitors whether the victim is on the checkout page and, if so, provides fraud service coverage to get their credit card details.
It is worth noting that “b-connection[.]com” was a legitimate e-commerce website that at some point was compromised to host browser code. What’s more, the information entered into the fake form was infiltrated into another compromised website (“www.donjuguetes”)[.]es”).
To mitigate such risks, it is recommended to keep your website up to date, regularly check administrator accounts to determine if they are all valid, and update passwords frequently.
This is especially important as threat actors have been known to exploit weak passwords and flaws in WordPress plugins to gain increased access to target sites and add malicious admin users, who are then used to perform a variety of other Activities, including adding additional plugins and backdoors.
“Because credit card skimmers often wait for keywords like ‘checkout’ or ‘one page,’ they may not be detected until the checkout page loads,” Morrow said.
“Because most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners and the only way to identify malware is to inspect the page source or observe network traffic. These scripts are Silence runs in the page. Background.”
At the same time, Sucuri also revealed that websites built using WordPress and Magento are targets of another malware called Magento Shoplift. Early variants of Magento Shoplift have been spotted in the wild since September 2023.
The attack chain begins by injecting an obfuscated JavaScript fragment into a legitimate JavScript file, which is responsible for loading a second script from jqueurystatics[.]com via WebSocket Secure (WSS), which in turn is designed to facilitate credit card theft and data theft while masquerading as a Google Analytics script.
“WordPress has also become a major player in the e-commerce space thanks to the adoption of Woocommerce and other plugins that can easily transform a WordPress website into a fully functional online store,” said researcher Puja Srivastava.
“This popularity has also made WordPress stores a prime target – attackers are modifying their MageCart e-commerce malware to target a wider range of CMS platforms.”
