And now a word from our technical side…
Phishing Attacks on E-commerce sites
A phishing attack, by definition, is an attempt to obtain a user’s sensitive information, such as login credentials or bank account information, by masquerading as a trustworthy company or site.
Phishing attacks can come in many different forms. The more common forms usually arrive through email, including a fake email that redirects you to a malicious site that looks like a legitimate one, such as a PayPal login screen. The attacker usually uses some kind of scare tactic, such as an email that tries to scare the user into thinking there is an issue with their account, like a bank overdraft or something similar.
Now many security researchers and experts, such as Sucuri, are seeing fake checkout pages of legitimate e-commerce sites. You may be asking, how are the hackers doing this? They first search for known vulnerabilities within the e-commerce site (maybe out-of-date plugins or core files, such as an out-of-date WordPress install), then find the template file or checkout page form and inject code that redirects the user to a different checkout page.
If you have a plugin that keeps a 404 error log, such as the All In One WordPress Security and Firewall plugin, and you see requests for URLs such as /wp-content/plugins/category-grid-view-gallery/cat_grid.php or /wp-content/plugins/magic-fields/MF_Constant.php, those could be examples of a malicious user trying to find vulnerable plugins installed on your site. If this malicious user does find a known vulnerable plugin and is able to get control of files on your website, they may inject code into these checkout templates. For example, Sucuri was seeing a common infected file on a WordPress install that had WooCommerce installed (wp-content/plugins/woocommerce/templates/checkout/form-checkout.php). The injected code could be as simple as the below.
The compromised checkout page then redirects the user to a malicious checkout page that either submits the user’s credit card information to the hacker or is a fake PayPal login form that submits their login information to the hacker. If the attack is well thought out, the malicious checkout page will usually look exactly like the site’s old checkout page, or, if the user clicked on a PayPal button, it redirects them to a fake PayPal login page that looks identical to PayPal’s login page.
It is reported that many of the site owners are not catching that their checkout process is being redirected because they rarely test going through an entire checkout process of their own site.
As a website owner
If you see a dramatic loss of orders being processed through your site, start by going through the checkout process to make sure your site isn’t compromised and redirecting users to a different site. If you notice the checkout page is being redirected or any other odd behavior, immediately reach out to a website security professional to start a thorough security analysis of your site.
Furthermore, if you do own an e-commerce store it is still a good idea to reach out to a website security professional to see what types of security measures you should take into account while conducting business online. As the most basic way of protecting yourself, make sure your WordPress install is always up to date as well as all plugins.
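The plugin probing described above can also be spotted in the web server's own access log. The following Python script is an added example, not code from the original post or from any plugin it mentions. It assumes the common Apache/nginx combined log format rather than the security plugin's own 404 log, and the sample log lines, IP addresses and INSTALLED_PLUGINS set are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache/nginx "combined" log format.
# IP addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /wp-content/plugins/category-grid-view-gallery/cat_grid.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /wp-content/plugins/magic-fields/MF_Constant.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:02:10 +0000] "GET /wp-content/plugins/woocommerce/assets/old.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:02:11 +0000] "GET /checkout/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:03:00 +0000] "GET /old-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Assumption: directory names (slugs) actually present under wp-content/plugins.
INSTALLED_PLUGINS = {"woocommerce"}

# client IP, request path and status code from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# plugin slug from a request path under wp-content/plugins
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/?#]+)/', re.IGNORECASE)


def find_plugin_probes(log_text, installed, min_slugs=2):
    """Return {client_ip: sorted slugs} for clients that received 404s for
    at least `min_slugs` distinct plugins that are not installed."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue  # unparseable line, or not a "not found" response
        ip, path = m.group(1), m.group(2)
        p = PLUGIN_RE.match(path)
        # A 404 inside an installed plugin is usually a stale asset link,
        # so only requests for plugins that do not exist here are counted.
        if p and p.group(1).lower() not in installed:
            hits[ip].add(p.group(1).lower())
    return {ip: sorted(s) for ip, s in hits.items() if len(s) >= min_slugs}


if __name__ == "__main__":
    for ip, slugs in find_plugin_probes(SAMPLE_LOG, INSTALLED_PLUGINS).items():
        print(f"{ip} requested missing plugins: {', '.join(slugs)}")
```

A client that asks for several plugins you have never installed is enumerating your site, which is a good prompt to confirm that every plugin you do run is up to date.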
As a website user
The first thing to remember is to always keep an eye on the URL and whether it is changing. Make sure the checkout pages are using HTTPS with a valid trusted server certificate. If you are being redirected, contact the site owner and ask them if that is the desired functionality of the site. If you come across anything that strikes you as odd, immediately close the page and contact the site owner or just stop using the online store. E-commerce sites are constantly being targeted to steal users’ credit card and banking information.
If you have a WordPress website, Red Technologies can help keep your site protected. To learn more about the WordPress Security & Maintenance Services that Red Technologies provides, visit https://redtechnologiesinc.com/what-we-do or give us a call at 612-310-7972.
Disclaimer: We are not certified security experts. We are giving a high-level overview about web and file security so that you can be more informed about some of the most common security vulnerabilities to look out for when developing or finding a developer. We will also be sharing some resources to help you continue your research on web security.