Researchers at the cybersecurity firm Sucuri have uncovered a new set of e-skimming attacks targeting websites using the WordPress WooCommerce e-commerce plugin.

E-skimming attacks typically use code injected into a website to intercept customer data as it is being entered. Because the data is captured before it is encrypted and sent, hackers can bypass otherwise secure encryption and steal credit card and personal information.

The best-known e-skimming campaigns have been associated with Magecart, a group or groups of hackers who in the past have primarily targeted sites running the Magento e-commerce platform, including those of Macy’s, British Airways, and Forbes Magazine.

The recently discovered targeting of WooCommerce is noteworthy due to the plugin’s dominant market share: 26% of all e-commerce websites are currently running the plugin, compared to Magento’s 12% share. Any newly discovered vulnerabilities are likely to affect a larger number of sites.

Equally noteworthy is the method used by the e-skimming malware. Rather than injecting code via outdated or insecure plugins or modules, the WooCommerce malware is included in its target website’s core files.

“The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect,” said Sucuri researcher Ben Martin in a blog post announcing the company’s findings.

“This case is a perfect example of why both file integrity monitoring and regularly checking the integrity of your core files is crucial to maintaining a healthy, secure website,” said Martin.
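
The kind of core-file integrity check Martin describes can be sketched as follows. This is an added example, not code from Sucuri or WooCommerce: it records SHA-256 hashes of a known-good file tree and reports any file that later differs, including a legitimate file that has had lines appended to it. The file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare(baseline, current):
    """Report files whose content changed, appeared, or disappeared."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed sample tree: take a baseline, alter files, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "core.js").write_text("function init() {}\n")
        (root / "includes" / "forms.js").write_text("function validate() {}\n")
        (root / "index.php").write_text("<?php // entry point\n")
        baseline = build_manifest(root)  # assumed to come from a clean install

        # The case from the article: extra content inside an existing,
        # legitimate file (a harmless placeholder comment here).
        with open(root / "includes" / "core.js", "a") as fh:
            fh.write("// appended line not present in the vendor copy\n")
        (root / "includes" / "extra.js").write_text("// unexpected file\n")
        (root / "index.php").unlink()

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline has to be stored somewhere the web server cannot write to, or taken from the vendor's published release, so that a compromise of the site cannot also rewrite the reference hashes.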