Card Not Present Fraud , Fraud Management & Cybercrime

Credit Card Stealer Targets WordPress Payment Plug-Ins

MageCart Operators Hide Infection in Legitimate Payment Processing Software
Credit Card Stealer Targets WordPress Payment Plug-Ins
Image: Shutterstock

Hackers have repurposed credit card-stealing malware to attack WordPress websites that use a popular e-commerce plug-in to capture and steal payment card details, security researches warn.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Attackers are deploying modified MageCart malware against WordPress websites that use the WooCommerce shopping cart plug-in, says website security firm Sucuri. WordPress plug-in developers Barn2 calculate that more than 40% of "all known online stores" use the plug-in.

An "overwhelming majority" of credit card-skimming malware that Sucuri finds on compromised e-commerce environments target WooCommerce. The modified MageCart injects PHP code into a plug-in file that facilitates the handling of payment data to, a popular Visa-owned payment gateway often used in conjunction with WooCommerce. The injected code checks whether web traffic from infected websites contains a string for payment card numbers. If it does, it dumps an encrypted copy of the card number into a .jpg file for later downloading.

"Dumping stolen credit card info to an image file is an old trick that we have identified attackers doing for quite a few years," Sucuri writes.

The vulnerabilities in question don't originate with WooCommerce or, Sucuri says, and instead highlight the importance of good website security.

The modified MageCart malware also injects JavaScript into the payment gateway code to capture data such as cardholder name, address, phone number and postal code - data that increases the value of stolen payment card data on the black market.

The malware emulates the WordPress Heartbeat API to evade detection, Sucuri says. MageCart derives its name from its original target, the Magento e-commerce platform. Hackers have used it to breach British Airways, unsecured Amazon Web Services cloud storage accounts and jewelry chain Claire's.

Sucuri says it found the modified MageCart malware after a client received a warning from their bank that their website had been identified as potentially compromised since cards used legitimately on the client website had later been used fraudulently.

"If malicious actors compromise an environment they can tamper with existing controls," irrespective of a plug-in's security controls, Sucuri says.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.