Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label E-Commerce Websites. Show all posts

Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes 100K+ Sites to SQL Attacks

 

A critical vulnerability in the widely-used TI WooCommerce Wishlist plugin has been discovered, affecting over 100,000 WordPress sites. The flaw, labeled CVE-2024-43917, allows unauthenticated users to execute arbitrary SQL queries, potentially taking over the entire website. With a severity score of 9.3, the vulnerability stems from a SQL injection flaw in the plugin’s code, which lets attackers manipulate the website’s database. This could result in data breaches, defacement, or a full takeover of the site. As of now, the plugin remains unpatched in its latest version, 2.8.2, leaving site administrators vulnerable. 

Cybersecurity experts, including Ananda Dhakal from Patchstack, have highlighted the urgency of addressing this flaw. Dhakal has released technical details of the vulnerability to warn administrators of the potential risk and has recommended immediate actions for website owners. To mitigate the risk of an attack, website owners using the TI WooCommerce Wishlist plugin are urged to deactivate and delete the plugin as soon as possible. Until the plugin is patched, leaving it active can expose websites to unauthorized access and malicious data manipulation. If a website is compromised through this flaw, attackers could gain access to sensitive information, including customer details, order histories, and payment data. 

This could lead to unauthorized financial transactions, stolen identities, and significant reputational damage to the business. Preventing such attacks requires several steps beyond removing the vulnerable plugin. Website administrators should maintain an updated security system, including regular patching of plugins, themes, and the WordPress core itself. Using a Web Application Firewall (WAF) can help detect and block SQL injection attempts before they reach the website. It’s also advisable to back up databases regularly and ensure that backups are stored in secure, off-site locations. Other methods of safeguarding include limiting access to sensitive data and implementing proper data encryption, particularly for personally identifiable information (PII). 

Website administrators should also audit user roles and permissions to ensure that unauthorized users do not have access to critical parts of the site. Implementing two-factor authentication (2FA) for site logins can add an extra layer of protection against unauthorized access. The repercussions of failing to address this vulnerability could be severe. Aside from the immediate risk of site takeovers or data breaches, businesses could face financial loss, including costly recovery processes and potential fines for not adequately protecting user data. Furthermore, compromised sites could suffer from prolonged downtime, leading to lost revenue and a decrease in user trust. Rebuilding a website and restoring customer confidence after a breach can be both time-consuming and costly, impacting long-term growth and sustainability.  

In conclusion, to safeguard against the CVE-2024-43917 vulnerability, it is critical for website owners to deactivate the TI WooCommerce Wishlist plugin until a patch is released. Administrators should remain vigilant by implementing strong security practices and regularly auditing their sites for vulnerabilities. The consequences of neglecting these steps could lead to serious financial and reputational damage, as well as the potential for legal consequences in cases of compromised customer data. Proactive protection is essential to maintaining business continuity in the face of ever-evolving cybersecurity threats.

Online Thieves Target Legitimate Ecommerce CCTSites to Steal Credit Cards

 

In a recent Magecart credit card theft campaign, legitimate websites are taken over and used as "makeshift" command and control (C2) servers to inject and conceal skimmers on selected eCommerce sites.

An online store breached by hackers to insert malicious scripts that steal customers' credit cards and personal information while they are checking out is known as a "Magecart attack." 

The United States, the United Kingdom, Australia, Brazil, Peru, and Estonian organisations have all been penetrated, according to Akamai researchers following this campaign.

A further indication of the stealthiness of these attacks, according to the cybersecurity firm, is the fact that many victims haven't been aware they've been compromised for more than a month. 

Exploiting legitimate sites 

The initial step taken by the attackers is to find trustworthy websites that are vulnerable and hack them to host their malicious code and function as C2 servers for their attacks. 

Threat actors avoid detection and blockades and are spared from having to build up their own infrastructure by disseminating credit card skimmers through reputable, legal websites. 

The next step taken by the attackers is to insert a short JavaScript snippet into the target e-commerce websites that retrieves the malicious code from the previously compromised websites.

"Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites' digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services used by the website," researchers explained in the report. 

To enhance the attack's stealthiness, the threat actors developed the skimmer's structure to mimic that of Google Tag Manager or Facebook Pixel, which are well-known third-party services that are unlikely to draw attention. Base64 encoding also hides the host's URL. 

Data theft details 

Akamai claims to have observed two different skimmer iterations being used in the specific campaign. 

A number of CSS selectors that target consumer PII and credit card information are included in the initial version, which is highly obscured. For each site that was targeted, a different set of CSS selectors was created specifically for that victim. 

The second skimmer variant's lack of security allowed indicators in the code to be exposed, which allowed Akamai to map the campaign's distribution and identify more victims.

The data is sent to the attacker's server via an HTTP request formed as an IMG tag inside the skimmer after the skimmers steal the customers' personal information. The data also has a layer of Base64 encoding to obscure the transmission and lessen the chance that the victim will notice the breach. 

By safeguarding website admin accounts effectively and updating their CMS and plugins, website owners may fend off Magecart invasions. By adopting electronic payment methods, virtual cards, or restricting how much can be charged to their credit cards, customers of online stores can reduce the danger of data exposure.

Retail Cybersecurity Threats Analysis

 

Cybercriminals are increasingly focusing their attention on thriving markets and enterprises, and the retail industry is no exception. Retail is a common target for hackers who want to steal both money and client information.

Customers are directly responsible for the success of any retail firm, and every incident that negatively impacts customers will have an impact on business. Financial stability is a key component of any business's success, and one of the worst effects of cyberattacks is the unpredictability of financial losses. Retailers have unique financial risks, such as the possibility that an attacker will lower the price of pricey items in an online store. The retailer will lose money if the attack is undetected and the products are sold and shipped at a discounted price.

Card skimmers, unprotected point-of-sale (PoS) systems, unprotected or public Wi-Fi networks, USB drives or other physical hacking equipment, unprotected Internet of Things (IoT) devices, social engineering, and insider threats are all ways that threat actors can access companies after physically being present there.

Threat actors can also steal or hack susceptible IoT devices using the default technical information or credentials. Last but not least, there are still more potential entry points for cyber infiltration, including inexperienced staff, social engineering, and insider threats.

Potential Threats

Unsecured Point-of-Sale (PoS) Systems and Card Skimmers: It is possible to physically plant fake card readers, or 'skimmers,' inside a store to copy or skim card data. These can also be used for other smart cards, such as ID cards, although they are frequently used to steal credit card information. In places with poor security, like ATMs or petrol pumps, legitimate card readers might have skimmer attachments. Skimmers are simple to install and use Bluetooth to send the data they collect.

Public or insecure Wi-Fi Networks: Backdoors into a company's systems can be created using rogue networks or access points, which can be put on a network's wired infrastructure without the administrator's knowledge. In order to deceive users into connecting to them and aiding man-in-the-middle attacks, they seem to be legal Wi-Fi networks. Hackers can view all file sharing and traffic sent between a user and a server on a public Wi-Fi network if the facility has an encryption-free connection.

Virus-Carrying USB Devices: Once a USB drive is plugged into a target computer, an attacker can utilize it to deliver and run malware directly on business computers. This can be done manually or automatically. Additionally, malicious USB charging stations and cables have been reported in the past. In one example, a USB charging cable for an electronic cigarette contained a tiny chip that was secretly encased in malware.

Untrained Employees, Social Engineering, & Cyberespionage: Threat actors might work out of physical places to use inexperienced workers to get access to company systems. Employees are frequently duped into giving login passwords, account information, or access to company resources through social engineering.

The transition to e-commerce is generally a positive development for retailers. However, this change of direction also poses a threat to e-commerce cybersecurity.


MageCart Group12 Employing New Technique to Target E-Commerce Websites

 

MageCart Group12 is known for targeting e-commerce websites with the goal of skimming payment information from online shoppers and selling them on the dark web. The credit-card skimmer group is using PHP web shells to secure remote administrative access to the sites under attack to steal credit-card data, rather than using their previously favored JavaScript code, which they simply installed into vulnerable sites to log the information keyed into online checkout sites.

Researchers from Sucuri have learned that the scammers are saving their stolen credit-card data in .JPG files until they could be exfiltrated from compromised e-Commerce sites running Magento. Most users are stuck in an old version of Magento and are unable to upgrade because they do not have sufficient funds to hire the developer back once their site becomes out-of-date and vulnerable. 

The cost to migrate a Magento 1 website (which had its end of life in 2020) to the more secure Magento 2 ranges from $5,000 to $50,000. Researchers believe that Magecart will continue to evolve and enhance its attacking techniques as long as its cybercrimes keep turning a profit. 

“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file. The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file,” researchers explained. 

But in this new methodology, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block because it injects the skimmer code on the server-side, rather than the client side. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit-card details for future use without gaining too much attention from the website owner,” Luke Leal, a researcher at Sucuri stated.

“The latest techniques observed in these recent Magecart attacks show how the groups themselves are staying innovative by using previous techniques with new coding and tactics. The most recent findings highlight how difficult it may be for defenders to detect skimming activity itself without employing additional code reviews or other types of blocking and inspection, Sean Nikkel, senior cyber threat intel analyst at Digital Shadows told Threatpost. 

In September 2020, Magecart Group 12 hacked nearly 2,000 e-commerce sites in an automated campaign impacting tens of thousands of customers, who had their credit cards and other information stolen. Scammers employed the classic Magecart attack technique where e-commerce sites are injected with a web skimmer, which secretly exfiltrates personal and banking information entered by users during the online checkout process.