MageCart takes its name from the Magento e-commerce CMS platform, which we have written extensively about on this blog. The MageCart credit card theft malware as we know it today has its origins around 2014/2015, and attacks have since evolved to include other platforms such as OpenCart, Prestashop, and more recently, WordPress. By checking our SiteCheck data, we can see that as of July 2021, WordPress has overtaken Magento in the total number of credit card skimmers detected.
There are a few caveats to this data, namely that it only includes outward-facing skimmers (not PHP, backend skimmers) and also does not include simple
Only a matter of time
Our first mention of WordPress credit card skimming dates back to 2013, and then more recently in 2019 when we started to see the platform increasingly targeted by these types of attacks.
According to statistics provided by Barn2, as of this year 2022, around 40% of eCommerce websites are using WooCommerce (the most popular WordPress eCommerce plugin) as their platform.
Attackers follow the money, so it was only a matter of time before they zeroed in on the most popular e-commerce platform on the web. I’m only surprised it took so long for this to happen!
The attackers probably started with Magento because it is a purpose-built e-commerce platform: 100% of Magento websites handle payment information, while only a much smaller portion of WordPress websites do. However, it is quite easy to determine whether a WordPress website is an e-commerce site, based on the presence of site pages such as Checkout, Cart, and Account.
Attackers seem to have realized this, and it shows in the data.
What types of skimmers?
Three top malware signatures account for around 40% of all credit card skimmers detected since January 2021. All three are most commonly found on WordPress websites.
Although signature names specify Magento, they also affect other platforms like WordPress and OpenCart
Let’s take a look at them, shall we?
Spoofed payment page
We wrote about this malware last year. It generates a fake payment page on any URL containing one of the following strings:
order checkout commande cart direccion minha-conta account checkout compra registreren orderby critcart descartables
The malware is usually injected into the active theme's header.php file and contains a base64-encoded payload.
The exfiltration domain used in the attack is apijquery[.]com and we can see that the malware is still very active today.
Fake Google Analytics script
In second place is a fake Google Analytics script. At first glance it appears to be a standard Google Analytics snippet, which is almost ubiquitous on the web. However, attentive readers will notice the same atob() function being used to obfuscate the exfiltration domain.
This malware is usually injected into the database, which can easily be done through the WordPress admin dashboard by using widgets, or by injecting it into the wp_posts content of the payment page.
In this case, the exfiltration domain is ajaxstatic[.]com, or at least it was when the malware was first identified. The attackers have probably moved on to new domains for newer infections.
Fake Facebook tracking pixel
In third place is a credit card skimmer posing as a Facebook/Meta tracking pixel, also injected into victim databases.
Again we see the same atob() obfuscation, and the exfiltration domain was form statistics[.]we.
Another base64-encoded component of the malware decodes to checkout, so the malware will only load on the checkout page, which makes it slightly harder to detect.
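All three skimmers described above hide their trigger strings and exfiltration domains behind base64/atob() obfuscation, so a practical detection step is to decode every base64-looking string found in theme files or wp_posts content and compare the result against the trigger list and the known domains. The following Python scanner is an added example written for this post; it is not code from the original article or from Sucuri. The skimmer snippet it scans is a constructed sample that only mimics the atob() pattern, and the file and table names are assumptions.

```python
import base64
import re

# URL trigger strings the spoofed-payment-page skimmer matches (from the post).
URL_TRIGGERS = [
    "order", "checkout", "commande", "cart", "direccion", "minha-conta",
    "account", "compra", "registreren", "orderby", "critcart", "descartables",
]
# Exfiltration domains named in the post, with the defanged [.] resolved for matching.
KNOWN_EXFIL_DOMAINS = ["apijquery.com", "ajaxstatic.com"]

# atob('...') calls, plus any long bare base64 run (e.g. a payload in header.php).
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample that mimics the injection pattern (decodes to the apijquery
# domain and to the word "checkout"); it is NOT the real skimmer.
SAMPLE = (
    "<script>var h=atob('aHR0cHM6Ly9hcGlqcXVlcnkuY29tLw==');"
    "var p=atob('Y2hlY2tvdXQ=');if(location.href.indexOf(p)>-1){}</script>"
)


def decode_b64(blob):
    """Decode a base64 blob to text; return None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(content):
    """Return (decoded_text, reason) pairs for encoded strings that match
    a known exfiltration domain or a checkout-flow trigger string.
    This is a heuristic: a decoded "checkout" can be benign, so treat hits
    as leads for manual review of the surrounding code, not as proof."""
    findings = []
    candidates = set(ATOB_RE.findall(content)) | set(B64_RE.findall(content))
    for blob in sorted(candidates):
        text = decode_b64(blob)
        if text is None:
            continue
        lowered = text.lower().strip()
        for dom in KNOWN_EXFIL_DOMAINS:
            if dom in lowered:
                findings.append((text, "decodes to known exfiltration domain " + dom))
        if lowered in URL_TRIGGERS:
            findings.append((text, "decodes to checkout-flow trigger string " + lowered))
    return findings


if __name__ == "__main__":
    # Point this at the active theme's header.php or at exported wp_posts rows.
    for decoded, reason in scan(SAMPLE):
        print(f"{reason}: {decoded!r}")
```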
What happens to stolen cards?
In comparison, PHP-based skimmers work on the back end and exfiltrate credit card details using PHP functions like cURL. These are not visible to browsers or to external scanners like SiteCheck.
Once enough card numbers have been stolen, attackers also quite often test credit cards on other e-commerce websites. A small transaction of $1 will be made to confirm that the card is still active. Once confirmed, they are sold on the black market. Stolen card details are surprisingly cheap, sometimes as low as $3-5 each. The low price is because these cards have a very short lifespan and are often canceled by the cardholder or frozen by the financial institution soon after noticing suspicious activity.
Even with only around 10% e-commerce market share, Magento remained at the top of detected credit card skimmers through 2021. Given that WooCommerce has been the market share leader for quite some time, I am surprised it took the attackers so long to shift their focus.
That’s not to say there’s anything inherently wrong with WordPress or WooCommerce – they’re both great pieces of software – it just shows that attackers go wherever they can make a profit. Threat researchers should take note and adjust their focus accordingly.
If you own an e-commerce website, be aware of the risks and take appropriate steps to protect your website and the data passing through it. This will by extension help your customers as well as the reputation of your website and business.
Be sure to check out our article on securing the WordPress admin dashboard. You can also use our firewall to prevent attacks on your website!