OLD FOOLS WEB-SKIMMER ATTACKS WORDPRESS, MAGENTO, OPENCART

Popular content management systems (CMS) such as WordPress, Magento, and OpenCart are now being targeted by a new credit card skimmer known as “Caesar Cipher Skimmer.”

Web skimmers are malicious code injected into e-commerce sites to steal financial and payment information.

According to a recent report by Sucuri, the latest attack campaign involves malicious changes to the checkout PHP file of the WooCommerce plugin for WordPress. Attackers are using the file “form-checkout.php” to steal credit card data.

Security researcher Ben Martin mentioned that the injections have become less suspicious-looking over time, with attempts to disguise the code as Google Analytics and Google Tag Manager.

The skimmer is named after the Caesar cipher, the substitution method used by Julius Caesar. Attackers use it to obfuscate the malicious code as unreadable text and to hide the domain that hosts the payload. Compromised sites previously had scripts named “style.css” and “css.php” placed on them to imitate an HTML style sheet and avoid detection.

The scripts load additional JavaScript code that creates a WebSocket and connects to another server to obtain the skimmer. The script can send the URL of the current page to the attackers, who can then send tailored responses for each infected site. Some versions of the script even check if the WordPress user has administrator rights and adjust the response accordingly.

Aside from targeting the form-checkout.php file in WooCommerce, attackers are also using the WPCode plugin to deploy the skimmer into site databases. On Magento sites, JavaScript injections are found in database tables like “core_config_data.” The infection method for OpenCart sites is still unknown.

Because WordPress is widely used and has numerous plugins, it offers an extensive attack surface and has become a prime target for attackers. Site owners are advised to regularly update their CMS and plugins, enhance password security, and conduct audits for suspicious administrator accounts.
