Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information. According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP page associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details. "For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said, noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager. Specifically, it employs the same substitution mechanism employed in Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload. It's presumed that all the websites have been previously compromised through other means to stage a PHP script that goes by the names "style.css" and "css.php" in an apparent effort to mimic an HTML style sheet and evade detection. These scripts, in turn, are designed to load another obfuscated JavaScript code that creates a WebSocket and connects to another server to fetch the actual skimmer. "The script sends the URL of the current web pages, which allows the attackers to send customized responses for each infected site," Martin…Read More