Hi all, just a quick heads up. One of my clients had their site hacked at the weekend. Fortunately a ‘bug’ was spotted quickly by a customer and brought to my attention, so no damage done. But it could have been a lot worse.
Basically, someone installed a plugin - WP Headers and Footers - and used it to add a script that overwrites the WooPayments module with its own. It’s essentially a digital ‘Card Skimmer’.
It will look identical to the one you already have there!
No design elements are altered, only its function. The process seems to be:
Page loads, all looks relatively normal (no coloured icons though, just one grey Credit card icon, which most customers won’t think is a problem).
Customer tries to enter the card details and clicks submit.
Nothing visible happens.
Element reloads and the coloured icons reappear.
Thinking it was a bug, the customer tries again and the transaction completes normally.
On the orders side, one order goes through, all looks fine.
Payment goes through for the order, so nothing looking untoward there.
Customer carries on with their day, not thinking anything has happened.
I have checked everything I can, and confirmed the scripts process with WooCommerce directly.
Fortunately for us, we caught it early and, after my client tested a payment transaction prior to contacting me, we have some specific data to analyse. It would seem that the hacker is trying to read the card details; once this happens the script returns the WooPayments element back to normal, so the transaction seems successful on a second submission following the first, which seemingly did nothing.
That would mean neither the site owner, nor the customer would realise that a card skim had happened. That is until they checked their account and presumably see that 2 transactions had occurred. At which point they would get in touch with the seller and go from there. Alternatively the hacker may just try to empty the card account as quickly as possible.
From our initial investigation and analysis, I don’t think the script worked as well as they had hoped. My client’s test transaction only had the one charge on it, and nothing else since. None of the customers that made a purchase during the short window the script was active have reported any additional unknown charges to their cards.
However, the hacker could have just been testing and refining.
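As an added example (not from the original post), here is the kind of check I would run against the checkout page to catch a script injected via a header/footer plugin: inventory every script tag and flag anything not in a known-clean baseline. The host names, hashes and HTML below are constructed for illustration.

```python
"""Checkout-page script inventory check (added example, not from the post).

Flags <script> tags that are not in a known-good baseline: external scripts
from hosts the shop never loaded before, and inline scripts whose SHA-256
is not on record. All hosts, hashes and HTML below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed baseline taken from a known-clean copy of the checkout page.
BASELINE_HOSTS = {"example-shop.test", "payments-provider.test"}
BASELINE_INLINE = {sha256_hex("window.wcSettings = {};")}

class ScriptCollector(HTMLParser):
    """Records external script URLs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def find_unexpected_scripts(html, hosts=BASELINE_HOSTS, inline=BASELINE_INLINE):
    """Return (kind, value) pairs for every script not covered by the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = [("external", s) for s in parser.external if urlparse(s).netloc not in hosts]
    findings += [("inline", sha256_hex(t)) for t in parser.inline if sha256_hex(t) not in inline]
    return findings

# Constructed checkout page: two legitimate scripts plus two that a
# header/footer plugin could have injected.
SAMPLE_HTML = """<html><head>
<script src="https://example-shop.test/wp-content/plugins/woocommerce/checkout.js"></script>
<script>window.wcSettings = {};</script>
<script src="https://cdn-unknown-host.test/loader.js"></script>
</head><body>
<script>replacePaymentForm();</script>
</body></html>"""

if __name__ == "__main__":
    for kind, value in find_unexpected_scripts(SAMPLE_HTML):
        print(f"unexpected {kind} script: {value}")
```

Run it against a fresh fetch of the live checkout page on a schedule; a new host or a new inline hash is the signal to look at recently installed plugins and their stored header/footer content.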
Any questions, please let me know, I’ll get back to you as soon as possible.
P.S. Could have been a compromised Admin password or (according to Cloudways Vulnerability Scanner) the free Custom Product Tabs plugin which, according to Patchstack, allows for Object and/or SQL injection.