The holiday season is approaching, and so are the Magecart thieves. Surprisingly, these assailants have become more aggressive than ever before, with each attack occurring every 16 minutes.

The Magecart hackers have recently targeted merchants which use the WooCommerce WordPress plugin. This open-source WordPress plugin is easy to customize and provides for 29% of the top one million websites that use e-commerce technology. Because of its increasing popularity, the plugin is now vulnerable to a Magecart attack.

Three additional skimmers targeting merchants utilizing the WooCommerce plugin have been discovered by RiskIQ researchers. The three skimmers, known as WooTheme, Slect, and Gateway, were created to avoid detection and allow attackers to steal clients’ financial information. The skimming scripts were launched onto the sites by exploiting vulnerabilities in third-party themes and technologies integrated into WooCommerce pages.

The WooTheme skimmer code was identified in five domains utilizing a hacked WooCommerce theme, which was first reported in July. The skimmer code appeared to be in the hacked domain’s ‘error’ area on one website. To remain undetected on infected sites, the Slect skimmer exploits a spelling typo in the script’s word ‘select.’ Once the malicious code has been injected, it searches for open text fields, passwords, and checkboxes on the form. 

Multiple layers of obfuscation methods are used in the Gateway skimmer, making it difficult to detect by security researchers. To avoid detection, it employs the words ‘gate’ and ‘gateway’ in PHP and JavaScript codes. According to experts, the Gateway skimmer’s WooCommerce checks for a Firebug web browser extension that was decommissioned in 2017.

New skimmers have been discovered, demonstrating how cyber attackers are inventing new techniques to obtain access to, install, and conceal their tools on targeted websites. As a result, merchants must improve their preparedness for credit card skimming threats. Aside from that, having effective malware detection mechanisms and periodically examining crontab instructions for unusual contents might help to limit the danger of such assaults.