WooCommerce is a free, WordPress-based plugin

It makes it incredibly easy to sell just about anything online with WordPress. WordPress is the most popular website development platform in the world, and with more than five million installations, WooCommerce is clearly a favorite within the WordPress ecosystem. Unfortunately, its popularity also makes it an easy target.

Ben Martin and Willem de Groot are researchers with Sanguine Security. They found a new attack that specifically targets site owners with WooCommerce installed.

The first indication that something was amiss was a spike in fraudulent credit card transaction reports from clients with WooCommerce installed. The researchers performed an integrity check on the core files of the affected customers' sites and found several JavaScript files with malicious code appended to them. Analysis of that code revealed a new credit card skimmer that was cleverly designed to cover its own tracks.
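An added example (not Sanguine Security's tooling) of the kind of integrity check described above: a manifest of hashes and sizes is taken while the install is known-clean, and a later pass reports modified, missing and unexpected files, returning the bytes appended to any file that has grown. The file names and contents below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large assets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Snapshot hash and size of every file under a known-clean install."""
    return {str(p.relative_to(root)).replace("\\", "/"): {"sha256": sha256_of(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, manifest):
    """Diff the live tree against the manifest; for files that grew, return the appended bytes."""
    current = build_manifest(root)
    report = {"modified": {}, "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        if current[rel]["sha256"] != expected["sha256"]:
            tail = b""
            if current[rel]["size"] > expected["size"]:
                with (root / rel).open("rb") as fh:
                    fh.seek(expected["size"])       # everything past the clean length
                    tail = fh.read()
            report["modified"][rel] = tail.decode("utf-8", "replace")
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Constructed scenario: clean install, then a core JS file grows by an appended blob."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        js = root / "wp-includes" / "js" / "wp-util.js"
        js.parent.mkdir(parents=True)
        js.write_text("window.wp = window.wp || {};\n")
        (root / "wp-load.php").write_text("<?php require 'wp-config.php';\n")
        manifest = build_manifest(root)            # taken while the install is known-good
        with js.open("a") as fh:                   # simulate tampering: content appended
            fh.write("/* constructed placeholder for appended code */\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "cache.php").write_text("<?php // constructed unexpected file\n")
        return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is generated from a fresh download of the same WordPress and plugin versions, stored off the web server, and compared on a schedule.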

Sanguine Security had this to say about the discovery:

"Naturally, WooCommerce and other WordPress-based e-commerce websites have been targeted before, but this has typically been limited to modifications of payment details within the plugin settings. For example, forwarding payments to the attacker's PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new."

As for those JavaScript files:

"The JavaScript itself is a little difficult to understand, but one thing that is clear is that the infection saves both the credit card number and the card security code in plain text in the form of cookies. As is typical in PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its core code from the average webmaster."

If you own a business of any size and you use WooCommerce to handle your online sales, Martin recommends disabling direct file editing for wp-admin by adding the following line to your wp-config.php file:

"define( 'DISALLOW_FILE_EDIT', true );" (without the quotation marks).

Our perspective

That setting alone won't offer bullet-proof protection, but it closes off file editing from the WordPress dashboard, which makes your site more secure and harder for attackers to tamper with.

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there!" ~


Meanwhile, check out this report:

This free executive report may give you insights into how to build your business with safe IT environments: 10 Hidden IT Risks That Might Threaten Your Business and 1 Easy Way to Find Them

The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available on LinkedIn, Facebook, and Twitter.

I am Denis Wilson, President and Principal Consultant for DWP Information Architects. I help professionals grow their business by building a foundation of rock-solid information solutions for smaller healthcare, insurance, financial, legal, and nonprofit firms in Ventura County and San Fernando Valley. For over 20 years I have created cost-effective IT solutions, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with a variety of organizations, as well as providing small business technology education programs through business and professional associations. This just in: I will be speaking regularly at California Lutheran University's Center for Nonprofit Leadership starting in September.

Contact me if you would like me to speak at your association.