Cybersecurity researchers have found a credit card skimmer embedded in a fake Meta Pixel tracker script to avoid detection.
Sucuri disclosed that this malware is introduced into websites through tools that allow custom code, like WordPress plugins such as Simple Custom CSS and JS or the “Miscellaneous Scripts” section of the Magento admin panel.
Security researcher Matt Morrow said in a statement, “Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery.”
The fake Meta Pixel tracker script identified by Sucuri resembles its legitimate version, but closer inspection showed JavaScript code alterations replacing references to “connect.facebook[.]net” with “b-connected[.]com.”
Even though the former is a real domain linked to Pixel tracking, the substituted domain is used to load a harmful script (“fbevents.js”) that detects if a person is on a checkout page and presents a fake overlay to collect credit card details.
Threat actors often exploit weak passwords and WordPress plugin vulnerabilities to gain elevated access to a site and add rogue admin users, leading to various illicit activities such as adding plugins and backdoors.
Morrow emphasized, “Credit card stealers may not be visible until the checkout page is loaded since they typically monitor ‘checkout’ or ‘onepage’ keywords. These scripts run in the background and can only be identified by checking the page source or network traffic.”
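The page-source check described above can be automated for stored custom-script snippets. The following is an added example, not code from Sucuri or the original article: it flags any snippet that loads a file named fbevents.js from a host other than connect.facebook.net. The snippet names, the sample loader text and the `.example` hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Host the genuine Meta Pixel code loads fbevents.js from (named in the article).
LEGIT_PIXEL_HOSTS = {"connect.facebook.net"}
# Absolute or protocol-relative URLs written literally inside script text.
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""", re.IGNORECASE)

def pixel_loader_hosts(script_text):
    """Return every host from which the snippet loads a file named fbevents.js."""
    hosts = set()
    for url in URL_RE.findall(script_text):
        try:
            parsed = urlparse(url if url.lower().startswith("http") else "https:" + url)
            host = (parsed.hostname or "").lower()
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if parsed.path.rsplit("/", 1)[-1].lower() == "fbevents.js":
            hosts.add(host)
    return hosts

def audit_snippets(snippets):
    """Map of snippet name -> script text; returns (name, unexpected_host) findings."""
    return [(name, host)
            for name, text in snippets.items()
            for host in sorted(pixel_loader_hosts(text) - LEGIT_PIXEL_HOSTS)]

# Constructed sample input: a shortened Pixel-style loader and two altered copies.
GENUINE = """!function(f,b,e,v,n,t,s){/* loader body omitted in this sample */}
(window, document, 'script', 'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');"""

SAMPLES = {
    "meta-pixel": GENUINE,
    # Host swapped for a lookalike (placeholder domain, not the one in the article).
    "custom-js-17": GENUINE.replace("connect.facebook.net", "pixel-lookalike.example"),
    # Real host kept as a prefix of a different domain; exact matching still flags it.
    "misc-scripts": GENUINE.replace("connect.facebook.net",
                                    "connect.facebook.net.cdn-lookalike.example"),
}

if __name__ == "__main__":
    for name, host in audit_snippets(SAMPLES):
        print(f"{name}: fbevents.js loaded from unexpected host {host}")
```

The check only sees URLs written literally in the snippet; a loader that builds its URL at runtime still has to be caught in network traffic.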
The discovery coincided with Sucuri’s revelation of malware named Magento Shoplift that targets sites using WordPress and Magento, with earlier versions detected in September 2023.
The attack begins by injecting obfuscated JavaScript code into a genuine file that loads a second script from jqueurystatics[.]com via WebSocket Secure (WSS) to enable credit card skimming and data theft, masquerading as a Google Analytics script.
Puja Srivastava, a researcher, noted, “WordPress has gained popularity in e-commerce with plugins like WooCommerce; however, this popularity has made WordPress stores a prime target for attackers, who are adapting their MageCart e-commerce malware to exploit a wider range of CMS platforms.”