New Credit Card Skimmer Targets Popular CMS Platforms

A new credit card skimmer named Caesar Cipher Skimmer has been found targeting major content management systems (CMS) like WordPress, Magento, and OpenCart.

A web skimmer is a type of malware injected into e-commerce sites to steal financial and payment data.

According to the report, this latest campaign involves maliciously altering the checkout PHP file used by the WooCommerce plugin for WordPress (“form-checkout.php”) to capture credit card information.

“For the past few months, the injections have been modified to appear less suspicious than a long obfuscated script,” said a security researcher. The malware tries to disguise itself as Google Analytics and Google Tag Manager.

The skimmer uses the substitution technique of the Caesar cipher to encode the malicious code into a scrambled string, hiding the external domain hosting the payload.
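Because a Caesar cipher only rotates letters, an analyst triaging an injected snippet can recover a hidden hostname by trying all 26 shifts and keeping the candidates whose last label is a plausible top-level domain. The following is an added example written for this article, not code from the report or from the skimmer itself; the scrambled sample string is constructed here (a reserved `.test` domain rotated by three positions) and is not an indicator from the campaign, and the small TLD allowlist is an assumption you would widen in practice.

```python
import re
import string

def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions; digits, dots, slashes and dashes pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)  # non-letters are left untouched, which is what keeps URL structure visible
    return "".join(out)

# Host with optional path, e.g. "cdn.example.test/loader.js"; the hyphen is literal inside the class.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[\w./-]*)?")

# Assumed allowlist of plausible TLDs; extend with a full IANA list for real triage.
COMMON_TLDS = {"com", "net", "org", "info", "ru", "io", "xyz", "top", "site", "test"}

def brute_force_domains(scrambled: str):
    """Try every shift and return (shift, decoded_token) pairs whose host ends in a known TLD."""
    hits = []
    for shift in range(26):
        candidate = caesar_shift(scrambled, -shift)
        for token in DOMAIN_RE.findall(candidate):
            host = token.split("/")[0]
            tld = host.rsplit(".", 1)[-1]
            if tld in COMMON_TLDS:
                hits.append((shift, token))
    return hits

# Constructed sample: a made-up loader URL rotated by 3, standing in for the scrambled string
# an injected snippet would carry. It is not a real indicator from the report.
SAMPLE_SCRAMBLED = caesar_shift("cdn.example-tracker.test/loader.js", 3)

if __name__ == "__main__":
    print("scrambled:", SAMPLE_SCRAMBLED)
    for shift, token in brute_force_domains(SAMPLE_SCRAMBLED):
        print(f"shift {shift}: {token}")
```

The TLD check is what separates signal from noise: every shift of a dotted string still looks like a hostname, so the structure alone never identifies the right rotation. Once the shift is known, the decoded host becomes a candidate indicator to block at the web proxy and to search for across the other files on the site.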

It’s believed that all affected websites were previously compromised through other means, allowing a PHP script named “style.css” or “css.php” to be placed on the site. This script mimics an HTML style sheet to avoid detection.

These scripts then load another obfuscated JavaScript code, which creates a WebSocket and connects to another server to retrieve the actual skimmer.

“The script sends the current webpage URL, enabling the attackers to send customized responses for each infected site,” the researcher explained. “Some versions even check if a logged-in WordPress user is loading it and adjust the response accordingly.”

Some versions of the script contain comments in Russian, suggesting that the threat actors behind this campaign are Russian-speaking.

The WooCommerce form-checkout.php file is not the only method used to deploy the skimmer. Attackers have also been seen misusing the legitimate WPCode plugin to inject the skimmer into the website database.

For Magento websites, the JavaScript injections are performed on database tables like core_config_data. How this is achieved on OpenCart sites remains unclear.

WordPress and its extensive plugin ecosystem have become attractive targets for malicious actors due to their widespread use, providing easy access to a large attack surface.

To defend against the Caesar Cipher Skimmer and similar credit card skimming attacks, website owners should keep all CMS platforms and plugins up to date with the latest security patches, enforce strong password policies and two-factor authentication for admin accounts, and regularly audit the site for unauthorized changes and suspicious activity, including unknown scripts or administrator accounts.
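Two of the article's observations translate directly into an audit check: a modified checkout template shows up as a hash mismatch against a known-good baseline, and a PHP script hiding behind a stylesheet name shows up as a `.css` file whose bytes open a PHP tag. The script below is an added example written for this article, not code from the report or from WordPress or WooCommerce. It builds a constructed miniature site tree in a temporary directory (the WooCommerce template path is the plugin's usual layout but is assumed here), records a baseline, applies two harmless constructed changes mirroring what the article describes, and reports what the audit catches.

```python
import hashlib
import os
import re
import tempfile

STYLESHEET_EXTS = {".css"}
# "<?php" or the short echo tag "<?=" anywhere in a stylesheet-named file is a red flag.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root: str) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result

def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare a trusted baseline snapshot against a fresh scan of the same tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def find_php_in_stylesheets(root: str) -> list:
    """Return stylesheet-named files whose leading bytes contain a PHP open tag."""
    suspicious = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in STYLESHEET_EXTS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                head = f.read(4096)  # an open tag belongs at the top, so the head is enough
            if PHP_OPEN_TAG.search(head):
                suspicious.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(suspicious)

CHECKOUT_TEMPLATE = "wp-content/plugins/woocommerce/templates/checkout/form-checkout.php"  # assumed layout

def build_demo_site() -> str:
    """Create a constructed stand-in for a WordPress tree (not a real install) in a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        CHECKOUT_TEMPLATE: b"<?php\n// constructed stand-in for the WooCommerce checkout template\n",
        "wp-content/themes/demo/style.css": b"body { margin: 0; }\n",  # a genuine stylesheet
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

def simulate_tampering(root: str) -> None:
    """Constructed, inert changes mirroring the article: edit the checkout template and drop a PHP file named style.css."""
    with open(os.path.join(root, *CHECKOUT_TEMPLATE.split("/")), "ab") as f:
        f.write(b"// constructed unauthorized edit\n")
    disguised = os.path.join(root, "wp-content", "uploads", "style.css")
    os.makedirs(os.path.dirname(disguised), exist_ok=True)
    with open(disguised, "wb") as f:
        f.write(b"<?php /* constructed placeholder: a PHP file hiding behind a .css name */ ?>\n")

def run_audit() -> dict:
    root = build_demo_site()
    baseline = hash_tree(root)  # taken while the site is known-good, stored off-host
    simulate_tampering(root)
    report = diff_baseline(baseline, hash_tree(root))
    report["php_in_stylesheets"] = find_php_in_stylesheets(root)
    return report

if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

The baseline must be captured when the site is trusted and kept somewhere the web server cannot write, or an attacker with file access can simply re-baseline. The stylesheet check is deliberately content-based rather than name-based, since the article notes the disguised script may be called either `style.css` or `css.php`; the latter is caught by the hash diff as an unexpected new file.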