Major web skimming campaign targets payment networks


Cybersecurity researchers have discovered a significant web skimming campaign, active since January 2022, that targets prominent payment networks such as American Express and Mastercard, among others. The activity belongs to the category of attacks known as Magecart, which initially focused on sites running the Magento platform but has since broadened its reach to e-commerce sites on many other platforms.

Sophisticated Threat

The attack involves compromising legitimate e-commerce sites and injecting malicious JavaScript that steals credit card data and other personal information during the checkout process. Researchers at Silent Push identified the campaign while analyzing a suspicious domain tied to a hosting provider known for harbouring illicit activity, one that has tried to evade sanctions by changing its name.

The domain in question hosts heavily obfuscated JavaScript payloads built for credit card skimming. The skimmer is designed to evade detection by site administrators: it inspects the Document Object Model (DOM) for elements that indicate a logged-in administrator, and if it finds them it runs a self-removal routine that deletes its own code from the page. The practical consequence is that viewing the checkout page while logged in as an administrator is not a reliable way to spot the infection; the served script should be examined from an unauthenticated session, or the files and database templates should be inspected directly on the server.

The skimmer also manipulates payment forms. When it detects that Stripe has been selected as the payment method, it injects a fake card-entry form that tricks victims into typing their card number, expiration date and CVC security code into fields the attacker controls instead of the legitimate payment form. Once the form is submitted, the captured data is sent to an attacker-controlled server, exposing the victims' payment details.

This operation shows how well the attackers understand WordPress, to the point of building lesser-known functions of the platform into their attack chain, which is a serious concern for companies that run online stores on it.