Skip to content

Sophisticated web skimmer attack exploited e-commerce websites

  • by
  • 2 min read

Cybersecurity researchers have warned of a new ongoing Magecart-style web skimmer campaign that’s designed to steal personally identifiable information (PII) and credit card data from e-commerce websites such as WooCommerce, WordPress, and Shopify, showcasing the growing range of vulnerabilities in digital commerce platforms.

This particular campaign stands out by utilizing hijacked sites as ‘makeshift’ command-and-control (C2) servers, allowing the distribution of malicious code without the victim sites’ knowledge.

Akamai, a web security company, has identified victims of varying sizes in North America, Latin America, and Europe. This places the personal data of thousands of site visitors at risk of being harvested and sold for illicit gains. Attackers have employed various evasion techniques, including Base64 obfuscation and disguising the attack to resemble popular third-party services like Facebook Pixel or Google Tag Manager.

Additionally, JavaScript code snippets function as loaders to fetch the full attack code from the host victim’s website, minimizing the footprint and reducing the likelihood of detection.

The attacker’s strategy involves compromising vulnerable legitimate sites and using them to host web skimmer code, leveraging the reputable domains to their advantage. In some cases, the attackers have persisted for nearly a month, reported The Hacker News.

Data exfiltration using IMG tag. | Source: Akamai

The attacks yield two types of victims: legitimate sites compromised to act as malware distribution centres and vulnerable e-commerce websites targeted by the skimmers. Not only have these websites fallen victim to data theft, but they have unwittingly served as a means to spread the malware to other susceptible sites.

The obfuscated skimmer code, available in two different variants, intercepts and exfiltrates PII and credit card details as an encoded string via an HTTP request to a server controlled by the threat actors. Notably, the exfiltration occurs only once per user during the checkout process to avoid suspicious network traffic and increase the attack’s evasiveness.

In the News: Russia claims USA spied on its diplomats using iOS malware

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: