WordPress sites using the popular WooCommerce plugin are being targeted by credit card skimming code, the first time that Magecart-like attacks have been discovered targeting the content management system.

Discovered late last week by security researcher Ben Martin at Sucuri, the attacks involve the injection of JavaScript to steal both the credit card number and card security code of those making purchases from a targeted site.

Martin noted that although WordPress has been targeted before in payment attacks, they usually involve changes such as forwarding payments to the attacker’s PayPal address. Dedicated credit card swiping malware on WP is described as “something fairly new.”

Despite having some similarities to Magecart attacks, the attacks targeting WordPress installations with WooCommerce modify a normally benign JavaScript file that is used by WordPress as opposed to trying to insert the code from the third-party service. That made the code difficult to see since the malware “lodged itself within an already existing and legitimate file making it a bit harder to detect.”

Stolen data is sent to an image file that is stored in the wp-content/uploads directory but is later auto-deleted when accessed by the attackers, an added level of sophistication.

“Third-party plugins are always a high-value target for criminals, as it’s an easy way to access hundreds to thousands of sites through manipulating the code at the source where the plugin is developed,” James McQuiggan, security awareness advocate at security awareness firm KnowBe4 Inc., told SiliconANGLE. “Organizations want to make sure they educate and train their developers to analyze and verify all third-party plugins for unusual activity through the quality and analysis testing process before releasing new updates. Like a home, the website must be secured, and one easy way is to verify the plugins and software regularly.”

Image: WooCommerce