The digital age has transformed the way businesses operate, with e-commerce becoming an integral part of the global economy. Platforms such as WordPress, Magento, and OpenCart are widely used by businesses to create and manage online stores. However, this increased reliance on digital platforms has also led to a rise in cyber threats. One of the latest threats targeting these platforms is the Caesar Cipher Skimmer, a sophisticated credit card web skimmer designed to exploit vulnerabilities in popular content management systems (CMS). This document provides an in-depth analysis of the Caesar Cipher Skimmer, detailing its technical aspects, security impact, and offering comprehensive mitigation strategies to protect e-commerce websites.

Technical Details

• Security Impact: The Caesar Cipher Skimmer is a malicious piece of software designed to infiltrate e-commerce platforms and steal sensitive financial information, such as credit card details, from customers during the checkout process. This type of attack can have severe consequences, including:
• Sensitive Data Theft: The primary goal of the skimmer is to capture and exfiltrate credit card information and other personal data.
• Financial Loss: Unauthorized transactions and financial fraud can lead to significant monetary losses for both customers and businesses.
• Reputational Damage: A breach of customer data can severely damage a company’s reputation, leading to loss of trust and potential legal repercussions.
• Unauthorized Access: By exploiting vulnerabilities in the CMS, attackers can gain unauthorized access to the website’s backend, potentially leading to further compromises.

Affected Products

The Caesar Cipher Skimmer has been identified across several popular CMS platforms, each with its specific method of exploitation:

• WordPress: The skimmer primarily targets the WooCommerce plugin by modifying the “form-checkout.php” file. This file is crucial for the checkout process, making it an ideal target for stealing credit card data.
• Magento: Attackers manipulate the core_config_data database table to embed malicious JavaScript. This table is integral to the site’s configuration, and any compromise can have widespread effects.
• OpenCart: While specific infection methods on OpenCart are not fully documented, the platform’s vulnerability to similar attacks suggests that attackers can easily adapt their methods to exploit it.

Threat Vulnerability

The Caesar Cipher Skimmer exploits several vulnerabilities in CMS platforms:

• Outdated Software: Many e-commerce sites run outdated versions of CMS platforms and plugins, which may contain known vulnerabilities.
• Weak Administrative Credentials: Poor password hygiene and weak administrative credentials can provide attackers with an easy entry point.
• Lack of Monitoring: Without proper monitoring tools, unauthorized changes to website files and databases can go unnoticed.
• Obfuscated Scripts: The skimmer uses obfuscated JavaScript, often masquerading as legitimate code (e.g., Google Analytics or Tag Manager) to avoid detection.
• Caesar Cipher Encoding: The malware uses Caesar cipher encoding to disguise the malicious payload and the external domain hosting it, making detection more challenging.

Attack Methodology

• Initial Compromise

The initial stage of the attack involves compromising the target CMS platform. This is often achieved through previously exploited vulnerabilities or by gaining access via weak administrative credentials. Attackers may use phishing campaigns, brute force attacks, or exploit known vulnerabilities in outdated software to gain entry.

• Payload Deployment

Once the attackers gain access, they deploy malicious PHP scripts disguised as legitimate files. These scripts, often named “style.css” or “css.php,” mimic HTML style sheets to avoid detection by security tools. The scripts are strategically placed in plugin directories or other locations within the website’s file structure.

• Script Injection

The next phase involves injecting obfuscated JavaScript code into critical files associated with the checkout process. For example, in WooCommerce, the attackers modify the “form-checkout.php” file. The injected code creates a WebSocket connection to a remote server, allowing the attackers to fetch additional payloads and transmit harvested data back to their server.

• Data Harvesting

During the checkout process, the skimmer captures credit card details and other sensitive information entered by customers. This data is then transmitted to the attacker’s server through the established WebSocket connection. The obfuscated nature of the code and its resemblance to legitimate analytics scripts make it difficult to detect.

• Evading Detection

To avoid detection, the skimmer employs several techniques:

1. Caesar Cipher Encoding: The malware encodes its payload using Caesar cipher, a simple encryption method that shifts characters by a fixed value. This disguises the actual code and the external domain hosting it.
2. Mimicking Legitimate Scripts: By masquerading as Google Analytics or Tag Manager scripts, the skimmer blends in with legitimate traffic, reducing the likelihood of being flagged by security tools.
3. Layered Obfuscation: The initial script loads another layer of obfuscated JavaScript, which creates a WebSocket connection and fetches yet another layer of the skimmer. This multi-layered approach complicates detection and analysis.

Indicators of Compromise (IOCs)

Security researchers have identified several indicators of compromise (IOCs) associated with the Caesar Cipher Skimmer. These include:

• Suspicious PHP Files: Files named “style.css” or “css.php” located in plugin directories or other unusual locations.
• Obfuscated JavaScript: Presence of obfuscated scripts in checkout-related PHP files, especially those resembling legitimate analytics scripts.
• External Domains: Malicious domains used to host the payload, such as:

1. https://cdn.googleetagmanager.com/style.css?ver=1.2.102.1
2. https://cdn.googletagmanager4.com/style.css?v=1.0.0
3. https://backendsports.xyz/4ra/01/css.php?ver=2.0
4. https://patilcomputers.com/wp-content/themes/shopic-child/css.php?ver=2.0
5. https://ilegkenya.org/acs/css.php?ver=2.0
6. https://brightaems.com/wp-content/themes/educator-education/css/css.php?ver=2.0
7. https://thepioneerbank.com/wp-content/themes/twentytwentytwo/css.php?ver=2.0
8. https://flyfishinguide.co.nz/css/css.php?ver=2.0

Detection and Analysis

Researchers from Sucuri have played a crucial role in identifying and analyzing the Caesar Cipher Skimmer. Through their efforts, they have uncovered the intricate methods used by the skimmer to evade detection and capture sensitive data. Key findings include:

• Obfuscated Scripts: The use of heavily obfuscated JavaScript that mimics legitimate analytics scripts to blend in with regular traffic.
• Caesar Cipher Encoding: The unique use of Caesar cipher encoding to disguise the payload and the external domain, complicating detection efforts.
• Russian Comments: Comments in Russian found in older versions of the script, suggesting that the threat actors may be Russian-speaking.
• Layered Obfuscation: Multiple layers of obfuscation and the use of WebSocket connections to fetch additional payloads dynamically.

Affected Platforms

The Caesar Cipher Skimmer has been detected on several popular e-commerce platforms, each with unique methods of compromise:

• WordPress: On WordPress, the skimmer primarily targets the WooCommerce plugin. The attackers modify the “form-checkout.php” file, a critical component of the checkout process. By injecting obfuscated JavaScript into this file, they can capture credit card details entered by customers during the checkout process. Additionally, the skimmer has been observed using the Insert Headers and Footers WPCode plugin to insert malicious code into the website’s headers and footers.
• Magento: In Magento, attackers manipulate the core_config_data database table to embed malicious JavaScript. This table is crucial for the site’s configuration, and any compromise can have widespread effects. The skimmer’s ability to inject code directly into the database highlights the importance of securing database access and monitoring for unauthorized changes.
• OpenCart: While specific methods of compromise on OpenCart are not fully documented, the platform’s vulnerability to similar attacks suggests that attackers can easily adapt their methods to exploit it. The lack of detailed documentation on OpenCart compromises underscores the need for vigilance and proactive security measures.

Remediation Steps:

1. Keeping CMS and Plugins Updated: Regularly updating your CMS platform, plugins, and themes to the latest versions is crucial. Developers frequently release updates to address security vulnerabilities and improve overall performance. By keeping your software up-to-date, you can mitigate many of the vulnerabilities that attackers exploit.
2. Strengthening Administrative Credentials: Ensure that all administrative accounts use strong, unique passwords. Weak passwords are a common entry point for attackers, and using complex passwords can significantly reduce the risk of unauthorized access. Consider implementing multi-factor authentication (MFA) for an additional layer of security.
3. File Integrity Monitoring: Implement file integrity monitoring (FIM) to detect unauthorized changes to website files promptly. FIM tools can alert you to any modifications, allowing you to respond quickly to potential compromises. Regularly review and analyze these alerts to ensure the integrity of your website’s files.
4. Web Application Firewall (WAF): Deploy a web application firewall (WAF) configured to block malicious traffic and defend against hacking attempts targeting e-commerce sites. A WAF can filter out malicious requests and protect your website from various types of attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks.
5. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and remediate potential security gaps proactively. Security audits can help you uncover weaknesses in your website’s infrastructure and take corrective actions before attackers can exploit them.
6. Educating Staff: Educate website administrators and staff about phishing tactics and malware threats. Awareness training can help your team recognize and avoid common threats, such as phishing emails and malicious links.