Hackers attack WordPress plugin by hiding malware directly in code


Criminals are attacking WordPress websites that use the WooCommerce plugin, hoping to steal credit card information from online shoppers. The attackers inject malware into the WordPress site.

The first signs of the WooCommerce attacks were spotted a few days ago by security researcher Ben Martin, who blogged about it after his security company received customer complaints. WooCommerce is a popular free WordPress plugin that allows merchants to implement their own payment module. Martin found that criminals were able to penetrate WordPress installations in various ways and add malware to standard JavaScript files. “Of course, it is not the first time that WooCommerce and WordPress have been attacked,” writes Martin. “But mostly that was limited to adjusting the payment information in the plug-in settings.”

According to Martin, in the current cases the websites themselves are infected. The attackers hid code in JavaScript files that stored the credit card number and CVV security code in plaintext in cookies, the researcher writes. The malware was stored in the files of the website itself rather than loaded from, for example, an external server, as is usually the case. It is not known exactly how many websites have been affected by the malware. WooCommerce runs on over five million sites.

The researcher was unable to discover how the attackers managed to infect the websites in the first place. “That could be a compromised wp-admin account, stealing an sftp or hosting password, or accessing vulnerable software within the site.” Martin does give tips on how to prevent an attack. One is to disable file editing from wp-admin by adding define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php.
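Because the malware described above sat in the site's own JavaScript files rather than on an external server, comparing those files against a known-good baseline is one way to notice the change. The following is an added example, not code from the researcher or from WooCommerce; the directory layout, the file names and the document.cookie heuristic are assumptions, and the appended line is a constructed stand-in for injected code.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): flag scripts that assign to document.cookie.
COOKIE_WRITE = re.compile(r"document\.cookie\s*=[^=]")


def snapshot(root):
    """Map each .js file under root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.js") if p.is_file()}


def audit(root, baseline):
    """Return (path, status, writes_cookie) for files that differ from baseline."""
    current = snapshot(root)
    findings = []
    for rel, digest in current.items():
        if baseline.get(rel) == digest:
            continue
        status = "modified" if rel in baseline else "added"
        text = (Path(root) / rel).read_text(errors="replace")
        findings.append((rel, status, bool(COOKIE_WRITE.search(text))))
    findings += [(rel, "missing", False) for rel in baseline if rel not in current]
    return sorted(findings)


def demo():
    """Constructed sample tree: record a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        js = Path(tmp) / "assets" / "js"
        js.mkdir(parents=True)
        (js / "checkout.js").write_text("function total(a, b) { return a + b; }\n")
        (js / "menu.js").write_text("function toggle(el) { el.hidden = !el.hidden; }\n")
        baseline = snapshot(tmp)
        # Constructed stand-in for injected code, not the real malware.
        with (js / "checkout.js").open("a") as fh:
            fh.write("document.cookie = 'k=' + v;\n")
        (js / "extra.js").write_text("var x = 1;\n")
        (js / "menu.js").unlink()
        return audit(tmp, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be recorded from a clean deployment and stored somewhere the web server cannot write to.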
