Cybersecurity researchers have uncovered a new wave of credit card skimmers targeting WordPress e-commerce sites. This campaign injects malicious JavaScript into the wp_options table of the WordPress database, making it difficult to detect with traditional scanning tools.
How the Skimmer Works
- Database Injection: The skimmer code is injected into the wp_options table disguised as a widget block.
- Checkout Page Activation: The malicious code springs into action only on checkout pages.
- Fake Payment Form: The skimmer either hijacks existing payment fields or injects a fraudulent payment form that mimics legitimate processors like Stripe.
- Data Theft: The form captures credit card details, including numbers, expiration dates, CVV codes, and billing information. The stolen data is then encoded to evade detection and sent to attacker-controlled servers.
Campaign Similarities to Previous Attacks
This campaign shares similarities with a previous attack discovered by Sucuri in December 2024. That attack also used JavaScript to create fake payment forms or steal data from legitimate forms on checkout pages. However, the stolen data was obfuscated differently, using a combination of JSON encoding, XOR encryption, and Base64 encoding.
These recent discoveries highlight the evolving tactics of cybercriminals. E-commerce website owners should stay updated on the latest threats and implement robust security measures, including regular vulnerability scanning and database backups. Also users should be cautious about entering payment information on unfamiliar websites and look for signs of a secure connection (HTTPS).