The Socket research team uncovered a malicious Python package named disgrasya on PyPI, designed to automate carding attacks against WooCommerce stores using CyberSource as a payment gateway. This openly malicious tool facilitates the testing of stolen credit card numbers, allowing low-skilled fraudsters to simulate transactions without raising fraud detection alarms.
Affected: PyPI, WooCommerce, CyberSource
Key points:
- Discovery of the disgrasya package, which automates carding attacks specifically targeting WooCommerce stores.
- This package was downloaded over 34,860 times, highlighting its popularity among fraudsters.
- The carding script performs automated tests using stolen credit card data without appearing to be nefarious.
- Carding attacks exploit weaknesses in online payment systems, with global losses estimated at 2 billion by 2028.
- Mitigation measures for merchants include implementing fraud protection and monitoring unusual transaction patterns.
MITRE Techniques:
- Initial Access – T1195.002 – Supply Chain Compromise: Compromise Software Dependency – disgrasya was uploaded to PyPI for distribution.
- Credential Access – T1056 – Input Capture / Credential Collection – The script collects credit card information during transactions.
- Collection – T1213 – Data from Information Repositories (Web App Tokens) – It gathers tokens like the CSRF nonce and capture_context from the WooCommerce checkout page.
- Command and Control – T1071.001 – Application Layer Protocol: Web Protocols (HTTPS) – Data exfiltration occurs over secure HTTPS connections to the attacker's server.
- Defense Evasion – T1027 – Obfuscated Files or Information – The malicious operations are embedded in a seemingly valid library.
- Execution – T1204.002 – User Execution: Malicious Script Execution – The carding script executes user simulation workflows typical of normal transactions.
- Exfiltration – T1041 – Exfiltration Over C2 Channel – Credit card data is sent to an external server for the attacker to analyze.
- Impact – T1657 – Theft of Money / Fraudulent Transactions – Successful tests determine which stolen cards can be used for fraudulent purchases.
Indicators of Compromise:
- [Malicious Domain] railgunmisaka[.]com
- [URL] hxxps://www[.]railgunmisaka[.]com/cybersourceFlexV2
- [Package Name] disgrasya
- [Malicious Versions] 7.36.9 and above
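The mitigation point above (monitoring unusual transaction patterns) and the indicator list can both be turned into simple detections. The following is an added example written for this summary; it is not code from Socket, from the blog post, or from the disgrasya package. The checkout and egress log formats, the hostnames, the thresholds and the sample log lines are all constructed assumptions; only the domain, package name and version threshold come from the indicator list.

```python
"""Detections for card-testing activity and for the disgrasya indicators.

Added example, not Socket's or the package's code. Log formats and
thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Indicators from the write-up (defanged there; refanged here for matching).
IOC_DOMAINS = {"railgunmisaka.com", "www.railgunmisaka.com"}
IOC_PACKAGE = "disgrasya"
FIRST_MALICIOUS_VERSION = (7, 36, 9)   # "7.36.9 and above"

# Constructed checkout-attempt log (assumed format):
# <ISO timestamp> <client ip> checkout <approved|declined> card_last4=<4 digits> amount=<value>
CHECKOUT_LOG = """\
2025-04-01T10:00:01Z 203.0.113.7 checkout declined card_last4=4242 amount=1.00
2025-04-01T10:00:03Z 203.0.113.7 checkout declined card_last4=1881 amount=1.00
2025-04-01T10:00:05Z 203.0.113.7 checkout approved card_last4=0005 amount=1.00
2025-04-01T10:00:07Z 203.0.113.7 checkout declined card_last4=5100 amount=1.00
2025-04-01T10:00:09Z 203.0.113.7 checkout declined card_last4=0004 amount=1.00
2025-04-01T10:00:11Z 203.0.113.7 checkout approved card_last4=1117 amount=1.00
2025-04-01T10:15:00Z 198.51.100.20 checkout approved card_last4=9876 amount=59.90
2025-04-01T10:20:00Z 198.51.100.20 checkout approved card_last4=9876 amount=12.50
"""

# Constructed outbound proxy/DNS log (assumed format): <timestamp> <source host> <destination>
EGRESS_LOG = """\
2025-04-01T10:00:00Z build-runner-3 pypi.org
2025-04-01T10:00:02Z build-runner-3 www.railgunmisaka.com
2025-04-01T10:00:04Z web-1 api.cybersource.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) checkout (?P<result>approved|declined) "
    r"card_last4=(?P<last4>\d{4}) amount=(?P<amount>[\d.]+)$"
)


def detect_card_testing(log_text, window_seconds=60, min_attempts=5,
                        min_distinct_cards=4, min_decline_ratio=0.5):
    """Map client IP -> summary for IPs whose checkouts look like card testing:
    many attempts in a short window, many distinct cards, a high decline ratio."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that don't match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_ip[m["ip"]].append((ts, m["result"], m["last4"], float(m["amount"])))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            if len(window) < min_attempts:
                continue
            distinct = {e[2] for e in window}
            ratio = sum(1 for e in window if e[1] == "declined") / len(window)
            if len(distinct) >= min_distinct_cards and ratio >= min_decline_ratio:
                flagged[ip] = {"attempts": len(window), "distinct_cards": len(distinct),
                               "decline_ratio": round(ratio, 2),
                               "max_amount": max(e[3] for e in window)}
                break  # one alert per IP is enough
    return flagged


def match_egress_iocs(log_text, domains=IOC_DOMAINS):
    """Return (timestamp, host, destination) for destinations that are an IoC domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, dest = parts
        d = dest.lower().rstrip(".")
        if any(d == ioc or d.endswith("." + ioc) for ioc in domains):
            hits.append((ts, host, dest))
    return hits


def is_affected_version(package, version):
    """True when `package` is disgrasya and `version` (plain dotted integers assumed) is 7.36.9 or later."""
    if package.lower() != IOC_PACKAGE:
        return False
    return tuple(int(p) for p in version.split(".")) >= FIRST_MALICIOUS_VERSION


if __name__ == "__main__":
    print("card testing:", detect_card_testing(CHECKOUT_LOG))
    print("egress IoC hits:", match_egress_iocs(EGRESS_LOG))
    print("disgrasya 7.36.9 affected:", is_affected_version("disgrasya", "7.36.9"))
```

The checkout detector keys on the pattern the summary describes (rapid low-value authorisations across many different cards with a high decline rate); the thresholds are starting points to tune against a store's real traffic. The egress matcher is the kind of check to run over proxy or DNS logs from build and developer hosts, where a `pip install` of the package would have resolved the listed domain.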
Full Story: https://socket.dev/blog/malicious-pypi-package-targets-woocommerce-stores-with-automated-carding-attacks