
CS Pharmaceuticals snaps up AxeroVision to shore up ophthalmology portfolio
May 26, 2023Genetic risk, adherence to healthy lifestyle and acute cardiovascular and thromboembolic complications following SARS
Feb 03, 2024Erika Jayne denies Ozempic use, credits menopause for weight loss
Apr 02, 2024Browning Named to Watch Lists at Punter and Kicker
Jul 29, 2023How to Build a Successful API Strategy
Jul 23, 2023Carding tool abusing WooCommerce API downloaded 34K times on PyPI
A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.
The script specifically targeted WooCommerce stores using the CyberSource payment gateway to validate cards, which is a key step for carding actors who need to evaluate thousands of stolen cards from dark web dumps and leaked databases to determine their value and potential exploitation.
Although the package has been removed from PyPI, its high download counts show the sheer volume of abuse for these types of malicious operations.
"Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate," explains a report by Socket researchers.
"It was openly malicious, abusing PyPI as a distribution channel to reach a wider audience of fraudsters."
Of particular interest is the brazen abuse of PyPi to host a package that the creators clearly stated in the description was used for malicious activity.
"A utility for checking credit cards through multiple gateways using multi-threading and proxies," read the disgrasya package description.
Socket notes that the malicious functionality on the package was introduced in version 7.36.9, likely an attempt to evade detection by security checks that might be stricter for initial submissions compared to subsequent updates.
The malicious package contains a Python script that visits legitimate WooCommerce sites, collects product IDs, and then adds items to the cart by invoking the store's backend.
Next, it navigates to the site's checkout page from where it steals the CSRF token and a capture context, which is a code snippet CyberSource users to process card data securely.
Socket says these two are normally hidden on the page and expire quickly, but the script grabs them instantly while populating the checkout form with made-up customer info.
In the next step, instead of sending the stolen card directly to the payment gateway, it sends it to a server controlled by the attacker (railgunmisaka.com), which pretends to be CyberSource and gives back a fake token for the card.
Finally, the order with the tokenized card is submitted on the webshop, and if it goes through, it verifies that the card is valid. If it fails, it logs the error and tries the next card.
Using a tool like this, the threat actors are able to perform the validation of a large volume of stolen credit cards in an automated manner.
These verified cards can then be abused to conduct financial fraud or sold on cybercrime marketplaces.
Socket comments that this end-to-end checkout emulation process is particularly hard for fraud detection systems to detect on the targeted websites.
"This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket.
"It is designed to blend into normal traffic patterns, making detection incredibly difficult for traditional fraud detection systems."
Still, Socket says there are methods to mitigate the problem, like blocking very low-value orders under $5, which are typically used in carding attacks, monitoring for multiple small orders that have unusually high failure rates, or high checkout volumes linked to a single IP address or region.
Socket also suggests adding CAPTCHA steps on the checkout flow that may interrupt the operation of carding scripts, as well as applying rate limiting on checkout and payment endpoints.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Ethereum private key stealer on PyPI downloaded over 1,000 times
PyPi package with 100K installs pirated music from Deezer for years
Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks
Infostealer campaign compromises 10 npm packages, targets devs
New npm attack poisons local packages with backdoors
POST request sending the card data outsidePrinted transaction results
