Recently a client of ours was reporting a bogus checkout page appearing on their website. When trying to access their “my-account” page an unfamiliar prompt appeared in their browser soliciting credit card billing information:
This form was foreign to our client and was clearly placed during a website compromise. Interestingly, the website itself doesn’t even accept payments at all. If this was an attempt at a targeted credit card theft infection (as quite a few of them are) then the attackers best choose more carefully next time!
In viewing the source of the webpage no instance of “apiujquery” was anywhere to be seen. Sure enough, the attackers were using an obfuscation technique often seen with credit card skimmers: atob
This domain was registered on August 8th of this year using the Eranet registrar:
$ whois apiujquery[.]com Domain Name: APIUJQUERY.COM Registry Domain ID: 2631247943_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.eranet.com Registrar URL: http://www.eranet.com Updated Date: 2021-08-03T17:46:52Z Creation Date: 2021-08-03T17:46:52Z
Unlike many malicious domains the attackers didn’t bother to hide their DNS behind a CDN or reverse proxy. We can see that it is hosted at an OVH Virtual Private Server located in France:
$ host apiujquery.com apiujquery.com has address 184.108.40.206
Using Maltego with the VirusTotal extension we can also see that this domain is involved with distributing an Android Trojan:
Four vendors currently flag this as malicious:
Finding the Source
Back to the issue at hand! The question remained: Where was the infection hiding within the website?
Querying the file system instead we were able to locate the malware injected into the theme’s header.php file:
Credit card skimmer injected into the header.php file of the website’s WordPress theme
That was enough to eliminate the infection, but there was more here to check out before we consider the case closed. Most notably, this infection was coupled with a malicious user lodged in the database:
With the user name “yoseftyrnauer” and an email address with an @gamil.com address. Whether this was a typo or an attempt at giving the impression of a GMail account, we’ll never know!
Analysing the Source
In this case it seems that the attackers wanted to avoid prying eyes and blocked this file from the public:
403 Forbidden means somebody doesn’t want us to see this
However, we know that this file can be read from the infected website, right? With some basic wget tomfoolery we were able to download the file to our local sandbox by spoofing the referrer to match the page on the infected site where the credit card theft was occurring:
Let’s take a look, shall we?
The top of the screen capture above shows the input fields listed in plain text (credit card details, address, etc).
order checkout commande cart direccion minha-conta account checkout compra registreren orderby critcart descartables
If any of these words are used in a URL on the target website the malware will load. This explains why the malware was triggered by the “my-account” URL on our client’s website even though the website did not handle credit card details or accept payments.
In addition to English we also see the usage of French, Portuguese, Spanish and Dutch terms, suggesting that this malware is likely targeting European websites.
Source of the Infection
In checking the files that were modified around the estimated date of the compromise no backdoors or additional malware was found. The website did have over a dozen administrator users, however, so it’s likely that the source of the infection was a brute-forced admin account. Once the attackers have established a foothold into the admin area they are able to edit files using the built in file-editor, which is enabled by default.
WordPress website owners can protect themselves against these types of attackers by hardening their wp-admin panel and avoiding the usage of default, out-of-the-box configurations. We recently released a guide on how to protect your WordPress website from attacks without the need for any paid features or services.
To read the original article: https://blog.sucuri.net/2021/11/woocommerce-skimmer-spoofs-checkout-page.html