Credit Card Skimmer and Backdoor Malware on WordPress E-commerce Site

As cyber threats evolve, e-commerce websites—especially those powered by WordPress and WooCommerce—are becoming prime targets for sophisticated malware attacks. A recent investigation uncovered a complex infection involving a credit card skimmer, a stealthy backdoor, and a reconnaissance script operating in unison to compromise an online store’s security and customer data.

Overview of the Attack

The attack was first detected when a WordPress site owner reported unusual files on their server and intermittent checkout malfunctions. Multiple customers noted suspicious credit card transactions following purchases, prompting a detailed malware analysis.

This incident revealed a multi-component cyberattack designed to:

• Steal sensitive financial data via a JavaScript credit card skimmer injected on the checkout page.
• Maintain prolonged, covert access through a PHP backdoor disguised as core WordPress files.
• Conduct ongoing surveillance with an information-gathering script to monitor infection status and gather server details.

Components of the Malware Attack

1. PHP-Based File Manager Backdoor

A critical element was a hidden PHP shell granting attackers full remote control over the server. This backdoor enabled functions like :

• Cookie-Activated Access: Visible only when a specific cookie is present, making it difficult to detect.
• Complete File System Control: Allows remote listing, editing, deletion, and uploading of files.
• Directory Traversal: Capability to navigate across the entire server file system.
• Timestamp Manipulation: Enables modification of file timestamps to conceal malicious activity.

Such backdoors are well-known vectors for persistent compromise, allowing attackers to deploy additional payloads or manipulate site content unnoticed.

2. Obfuscated JavaScript Credit Card Skimmer

The core payload was a heavily obfuscated JavaScript snippet embedded on the checkout page. Its primary function was to intercept and transmit customer payment details to a remote server controlled by attackers. Key features included:

• Anti-Debugging Techniques: Detects browser developer tools and disables itself to evade analysis.
• Event Monitoring: Activates exclusively on payment pages, capturing data in real-time.
• Form Field Surveillance: Targets confidential fields such as credit card number, expiration date, CVV, and billing information.
• Stealthy Data Exfiltration: Encodes and sends stolen data disguised as a benign image request to malicious domains.

The exfiltration URL mimics standard web resource requests, complicating detection by conventional security tools.

3. API-Driven Reconnaissance Script

This additional malicious script was designed for continuous surveillance, verifying the infection’s status by checking for specific admin users and scanning for key strings in files. This information helps attackers monitor and maintain control over compromised environments.

Indicators of Compromise (IOCs)

• Malicious IP Addresses: 104.194.151.47 and 185.247.224.241
• Suspicious Domains: imageresizefix[.]com and imageinthebox[.]com

Security solutions have blocklisted these indicators to prevent further spread and reinfection.

Motivations Behind the Attack

Given the targeted nature, this attack was likely orchestrated by financially-driven cybercriminals. Their objectives include:

1. Financial Theft: Harvesting credit card data for unauthorized transactions or resale on underground markets.
2. Long-Term Server Control: Utilizing backdoor access for ongoing exploitation or further malware deployment.
3. Platform Expansion: Using infected servers as bases to launch additional attacks or host malicious content.

Potential Consequences of the Infection

The repercussions of such malware infections extend beyond immediate data theft, including:

• Substantial Financial Losses: Both merchants and their customers may suffer direct monetary damage.
• Severe Reputational Harm: A breach erodes consumer trust and can deter future business.
• PCI DSS Compliance Issues: Data breaches may cause violations of payment card industry standards, leading to fines and liabilities.
• Operational Disruption: Attackers can manipulate site content and functionality or cause data loss.
• SEO and Traffic Damage: Malware infections often inject spam and malicious links, severely impacting search rankings.

Strategies for Mitigating and Preventing Attacks

To bolster security and reduce risk, e-commerce site administrators should implement the following best practices:

• Comprehensive Malware Scanning and Removal: Use advanced security tools to identify and clean infections promptly.
• Force Password Changes: Reset all administrative and database access credentials immediately after detecting an infection.
• File Integrity Monitoring: Deploy monitoring systems to alert on unauthorized file changes.
• Implement Web Application Firewalls (WAF): Protect against common web threats and block malicious traffic.
• Regular Security Audits: Conduct thorough reviews to identify and remediate vulnerabilities.
• Keep Software Updated: Ensure WordPress core, plugins, and themes receive timely updates and patches.
• Secure Payment Gateways: Properly configure and maintain payment processing modules.
• Employ Two-Factor Authentication (2FA): Enhance login security on administrative accounts.
• Apply Principle of Least Privilege: Restrict user permissions to essential functions only.
• Blocklist Known Malicious IPs and Domains: Proactively prevent communication with attacker infrastructure.

Conclusion

This case vividly illustrates how advanced malware campaigns blend credit card skimming, persistent backdoor access, and reconnaissance scripts to maximize impact and financial gain. With the rise of e-commerce, maintaining stringent cybersecurity standards, especially around payment processing and server access, is critical.

Timely security measures, including regular scans, updates, and access controls, are essential to safeguard WordPress e-commerce sites against evolving threats. Awareness and proactive defense remain the best tools to protect sensitive customer data and maintain operational integrity in today’s digital marketplace.

Further Reading and Resources

• PCI Compliance Guidelines
• OWASP Top 10 Security Risks
• Removing Backdoors in WordPress
• Center for Internet Security Controls

Sources: Verizon 2024 Data Breach Investigations Report, SANS Institute, OWASP, PCI Security Standards Council.