"This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket. A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform. The script specifically targeted WooCommerce stores using the CyberSource payment gateway to validate cards, which is a key step for carding actors who need to evaluate thousands of stolen cards from dark web dumps and leaked databases to determine their value and potential exploitation. Still, Socket says there are methods to mitigate the problem, like blocking very low-value orders under $5, which are typically used in carding attacks, monitoring for multiple small orders that have unusually high failure rates, or high checkout volumes linked to a single IP address or region. Socket notes that the malicious functionality on the package was introduced in version 7.36.9, likely an attempt to evade detection by security checks that might be stricter for initial submissions compared to subsequent updates. Next, it navigates to the site's checkout page from where it steals the CSRF token and a capture context, which is a code snippet CyberSource users to process card data securely. The malicious package contains a Python script that visits legitimate WooCommerce sites, collects product IDs, and then adds items to the cart by invoking the store's backend. In the next step, instead of sending the stolen card directly to the payment gateway, it sends it to a server controlled by the attacker (railgunmisaka.com), which pretends to be CyberSource and gives back a fake token for the card. "A utility for checking credit cards through multiple gateways using multi-threading and proxies," read the disgrasya package description. Socket also suggests adding CAPTCHA steps on the checkout flow that may interrupt the operation of carding scripts, as well as applying rate limiting on checkout and payment endpoints. Socket says these two are normally hidden on the page and expire quickly, but the script grabs them instantly while populating the checkout form with made-up customer info. Although the package has been removed from PyPI, its high download counts show the sheer volume of abuse for these types of malicious operations. Socket comments that this end-to-end checkout emulation process is particularly hard for fraud detection systems to detect on the targeted websites. "Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate," explains a report by Socket researchers. Using a tool like this, the threat actors are able to perform the validation of a large volume of stolen credit cards in an automated manner.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 06 Apr 2025 15:00:13 +0000