
The Wordfence Threat Intelligence Team has uncovered a new and deeply stealthy formjacking malware targeting WooCommerce, the widely-used e-commerce plugin for WordPress. Unlike typical skimmers that crudely overlay payment forms, this malware integrates seamlessly into the legitimate checkout process, exfiltrating sensitive customer data without raising suspicion.
“This malware injects a fake payment form into legitimate checkout processes and exfiltrates sensitive customer data to a remote Command & Control (C2) server,” the report explains.
What makes this formjacking campaign stand out is the professional formatting and deceptive simplicity of the script. According to Wordfence:
“It appears to be a standard JavaScript file that could be part of a legitimate theme or plugin… Nothing stands out visually that would immediately identify it as malicious.”
The malware inserts a fake but highly convincing payment form that mimics real checkout pages, including fields for card number, expiration date, CVV, and more—right down to an embedded SVG image of a generic credit card icon.
Rather than exfiltrating data immediately during form submission (a common indicator of compromise), the malware uses localStorage to silently collect and store cardholder data. This includes names, addresses, phone numbers, and even the browser’s user agent string.
“By storing captured payment card details and billing information in localStorage… the malware gains persistence, resilience, and anti-forensic capabilities.”
The exfiltration is triggered when the customer presses the “Place Order” button, at which point the script calls the navigator.sendBeacon() method. This method transmits data asynchronously and silently, leaving no noticeable footprint in browser tools, log files, or network traffic—perfect for covert exfiltration.
The malware also continuously monitors user input on the checkout fields using multiple setInterval() calls, so that it captures data even if the purchase is never completed.
“This approach ensures that even if a customer fills out their information but doesn’t immediately complete the order, their data is still captured for later exfiltration.”
The infection vector appears to be through a compromised WordPress admin account, which was used to inject malicious JavaScript via a plugin like Simple Custom CSS and JS. Importantly, this plugin itself was not vulnerable—its capabilities were simply misused after an attacker gained access.

If you operate a WooCommerce site, you should immediately scan for these red flags:
- Use of navigator.sendBeacon() to unfamiliar domains like searchpixelstuff.top
- Suspicious JavaScript behavior during checkout
- Presence of cached pages with injected scripts
- Unusual localStorage activity involving payment data
- Multiple setInterval() calls monitoring billing fields
Known malicious domains used in this campaign include:
- searchpixelstuff.top
- justmerikschill.top
- pinkmanpixel.top
- schoolmeriks.top
These domains are listed on the Spamhaus DBL and are actively involved in malware campaigns.
How to Protect Yourself and Your Customers
For website owners:
- Use the Wordfence Premium plugin or CLI scanner for real-time detection.
- Regularly audit admin access and restrict the use of custom JavaScript plugins.
- Use server-level file integrity monitoring to detect unauthorized changes.
For shoppers:
- Monitor for unusual checkout page behavior.
- Use privacy tools like uBlock Origin to inspect network activity.
- Prefer secure payment options like PayPal or virtual credit cards.
- Regularly check bank statements for unauthorized charges.
- Use incognito or dedicated browsers for sensitive transactions.