Web-Skimming attack affects 20,000 Customers on Home Improvement Site
The COVID-19 virus epidemic has seen a 23% rise in visitors to UK independent ecommerce sites. On a global scale, many companies have transitioned to fully ecommerce-based business practice and are seeing an increase in online shoppers. This paradigm shift in business continuity means websites are increasingly vulnerable to being attacked.
Our sources state that there has been a 20% increase in web-skimming attacks since the outbreak of the COVID-19 virus, and this month we have witnessed some high-profile Magecart attacks.
- Robert Dyas
On April 13th, Bleeping Computer reported that ecommerce sites powered by open-source plugin WooCommerce had been infected by web-skimming malware. The plugin has more than 5 million active installs and assists sites with ecommerce capabilities. WooCommerce has been attacked before, however in this previous attack hackers attempted to hack online stores by brute-forcing admin passwords.
The web-skimming attack was discovered following multiple reports of fraudulent credit card transactions from clients with ecommerce sites built using WordPress and WooCommerce. It is unknown how exactly the attackers got into the site however, it is speculated that it was through exploiting a software vulnerability in WordPress or WooCommerce.
The infection saves credit card information in plain text in the form of cookies. It then uses the legitimate ‘file_put_contents’ function to collect them into two separate image files which are saved in the ‘wp-content/uploads’ directory. As well as using several layers of encoding and concatenation to avoid detection, it also appears that the skimmer had self-cleaning abilities alike to the Pipka skimmer.
It was not reported how long this attack has been active, Security Researcher Ben Martin recommends to anyone concerned about the security of their WordPress website to disable direct file editing for wp-admin by adding the following line to their wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );.
UK hardware site Robert Dyas suffered a web-skimming attack lasting over three weeks from 7th-30th March. In a Cyber Security post, the company explains; “We continue to investigate, as a matter of urgency, the theft of customer data between 7th March 2020 and 30th March 2020 from robertdyas.co.uk. The stolen data included personal and financial details of some customers during that period. This matter has been reported to the relevant authorities.” Robert Dyas have taken steps to close the vulnerability and are now “…continually monitoring the site and running security scans”.
A spokesperson for Robert Dyas told The Register “We are in touch with approximately 20,000 affected customers and are recommending they also contact their bank or card provider and follow their recommendations as a precaution.”
The final reported web-skimming attack in April was on vaping pen and accessory site – KandyPens. The attack was reported by Technadu on April 22nd, who explain that the company has informed the California State General Attorney Office of a data breach. The company discovered a skimmer on the checkout page in January 2020. The skimmer was active on the site for 11 months from March 7th, 2019 until February 13th, 2020. Information stolen included; name, card number, expiration date, and (CVV).
KandyPens explains in their Notice of Data Security Incident that they have now fixed the vulnerability and have increased website monitoring on their payment system.
RapidSpike security researchers have taken the time to investigate all Magecart attacks mentioned. We can confidently say our Attack Detection would have detected every attack. Attack detection takes less than 5 minutes to set-up and will alert you to any untrusted data on your ecommerce site.