Three new payment card skimmers found aimed at WooCommerce installations

Web administrators overseeing retail sites using the WooCommerce platform should watch for new payment card skimmers that hackers are embedding in checkout pages.

The warning comes from security firm RiskIQ, which this week said it has found three new skimmers targeting e-retailers using the WooCommerce plugin for WordPress. It cited research by Barn2, a software company specializing in WordPress and WooCommerce products, saying WooCommerce represents 29 per cent of the top one million sites using e-commerce technologies, exceeding 5 million active installs of the free plugin as of early 2021.

RiskIQ describes the three new pieces of malicious code as

The WooTheme Skimmer

This was detected across five domains using a compromised WooCommerce theme. It’s “relatively simplistic and makes its functionality reasonably easy to understand.”

Operators obfuscated the skimming code in all discovered iterations, except one. However, this one instance appears to be in error, as RiskIQ detected the obfuscated skimmer on the same compromised domain before the clear text version appeared.

A separate researcher discovered this same skimmer in July, highlighting similar findings of an exfil domain within the theme’s function.php and the identical destination within the query.slim.js file.

The Slect Skimmer

Generic skimmers are repeatedly used across the same infrastructure, even by different threat actors, who add unique elements to the skimmer for their specific needs. For RiskIQ a minor change in a skimmer made it describe this one is new. In this case it’s a spelling error of the word “select” in the script. It’s also why researchers call it the ‘Slect’ skimmer.

Once the DOM content is fully loaded, the Slect skimmer does two things. It will look for a series of form fields that the skimmer does not want to pull data from, such as open text fields, passwords, and checkboxes. Next, an event listener listens for a click on a button, likely to evade sandboxing by security researchers.

The exfil domain found within the skimmer has been previously associated with other Magecart infrastructure and identified by RiskIQ research Jordan Herman as being used by a variant of the Grelos skimmer.

–The Gateway Skimmer

RiskIQ says this one has added multiple layers and steps by the actor to hide and obfuscate processes. The skimmer code is “massive and difficult to digest while obfuscated and runs a few unique functions observed in other skimmers.” Throughout different iterations of this skimmer, the word “gate” and “gateway” in .php and .js files, hence its name.

After peeling back the obfuscation throughout the legitimate code in this skimmer, RiskIQ researchers found a skimmer that it has been detecting since 2019. This skimmer even exfiltrates PII and credit card data to the same c2 domain as this familiar skimmer. “Interestingly,” the report adds, “this WooCommerce version of the Gateway skimmer looks specifically for a Firebug web browser extension (long since discontinued in 2017).”

As for how the sites were compromised, RiskIQ told it believes that weaknesses exist in the compromised clients’ use of poorly-vetted WooCommerce themes and unaudited third-party code. “This is explicitly true in the WooTheme skimmer, as we can see that the card skimmer is embedded into a malicious theme file, and the Slect and Gateway skimmers are both obfuscated and pasted into legitimate checkout javascript.”

Beyond having robust detections for malware, website operations should regularly inspect their crontab commands for strange contents, ensure that access permissions are correct, and audit file access to it.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now