WordPress users targeted by devious new credit card skimmer malware

News
By
published

Sucuri finds dangerous skimmer which activates on the checkout page

A person holding a credit card in one hand while typing on a laptop keyboard with the other.
(Image credit: Shutterstock / Kostenko Maxim)
  • Sucuri finds malicious code being embedded in WordPress sites
  • The code harvests and exfiltrates payment information from ecommerce websites
  • The researchers are warning WordPress site admins to inspect all custom code

Cybercriminals are once again targeting WordPress websites with credit card skimmers, stealing victim’s sensitive payment information in the process.

This time around, the company sounding the alarm is Sucuri, whose researcher Puja Srivastava recently published a new analysis into the attack, noting criminals are targeting WordPress ecommerce websites, inserting malicious JavaScript code into a database table associated with the content management system (CMS).

This script brings up the credit card skimmer just as the victim is about to enter the payment information.

Inspecting custom HTML widgets

"The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form,” the researcher said.

The unnamed skimmer was built to steal all of the payment information necessary for internet transactions: credit card numbers, expiration dates, CVV numbers, and billing information.

Cybercriminals usually use stolen credit card information to fund malicious ad campaigns on social media platforms, purchase malware or malware-as-a-service (MaaS), or buy gift cards since these are difficult to trace.

Sucuri added the skimmer can also grab data entered on legitimate payment screens in real-time, thus maximizing compatibility.

All of the acquired information is encoded in Base64 and combined with AES-CBC encryption, to blend in with the regular traffic. After that, it is exfiltrated to a server under the attacker’s control (either "valhafather[.]xyz" or "fqbe23[.]xyz").

To remove the malware, Sucuri suggests inspecting all custom HTML widgets. That can be done by logging into the WordPress admin panel, navigating to wp-admin > Appearance > Widgets, and checking all Custom HTML block widgets for suspicious or unfamiliar tags. The researchers also suggested mitigation steps, which include regular updates, admin account management, file integrity monitoring, and running a web application firewall.

Skimmers seem to be rising in popularity again. Less than three weeks ago, the European Space Agency was found hosting this type of malicious code, which was stealing payment data, including sensitive credit card information, from countless victims.

Via The Hacker News

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
Google system abused by hackers to hijack ecommerce stores
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
European Space Agency hack sees official store hijacked to steal customer details
Casio logo
Casio’s online store hit by bogus credit card stealing checkout form
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen
Latest in Security
China
Chinese hackers who targeted key US infrastructure charged by Justice Department
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
An American flag flying outside the US Capitol building against a blue sky
Mass federal layoffs will have “devastating impact on cybersecurity, former NSA cybersecurity director warns
A hand reaching out to touch a futuristic rendering of an AI processor.
North Korean fake job hackers are going the extra mile to make sure their scams seem legit
A hand reaching out to touch a futuristic rendering of an AI processor.
Google Cloud unveils new AI Protection security tools, no matter which model you use
A TV remote pointing at YouTube logo
YouTube warns of phishing video using its CEO as bait
Latest in News
Stock photographs of people smiling and looking at laptops in a small business environment.
This web hosting platform elevates your online presence
The Samsung Galaxy S25 Edge on display at Galaxy Unpacked
Exclusive: the Samsung Galaxy S25 Edge will have durability to match its ‘sexy’ form
Metaphor: ReFantazio
Sega was Metacritic's highest-rated publisher of 2024 thanks to the critically acclaimed Metaphor: ReFantazio and Like a Dragon: Infinite Wealth
AirPods Pro Review
Apple has quietly updated its guidance on how to clean your AirPods, and suggests you buy a kit… from Belkin
China
Chinese hackers who targeted key US infrastructure charged by Justice Department
A screen shot of Lady Gaga in her interview with Zane Lowe for Apple Music
Lady Gaga’s Spotify press conference is being live streamed today – here’s where you can watch Spotify’s big step forward in fan inclusion
More about security
linkedin

Watch out - that LinkedIn email could be a fake, laden with malware
China

Chinese hackers who targeted key US infrastructure charged by Justice Department
Xiaomi SU7

Xiaomi's EV is racing ahead of Tesla in China – and it's planning a global Model Y rival next
See more latest
Most Popular
Xiaomi SU7
Xiaomi's EV is racing ahead of Tesla in China – and it's planning a global Model Y rival next
Macrodock M1 docking station
This cute docking station has LCD macro keys and can even power an 8K monitor - but what nailed it are the rotary knobs
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
The Mound: Omen of Cthulhu
Ace Team announces The Mound: Omen of Cthulhu, a new first-person horror co-op coming to PS5, Xbox Series X, and PC this year
Styx: Blades of Greed
Styx the goblin returns in Styx: Blades of Greed later this year
Robocop: Rogue City
RoboCop: Rogue City's new standalone expansion Unfinished Business announced at Nacon Connect 2025
Cthulhu: The Cosmic Abyss
Cthulhu: The Cosmic Abyss is a new first-person thriller from the studio behind Vampire: The Masquerade - Swansong
RISC-V
Startup formed by former Intel engineers and backed by AMD legendary chip designer wants to become the Arm of RISC-V
The Samsung Galaxy S25 Edge on display at Galaxy Unpacked
Exclusive: the Samsung Galaxy S25 Edge will have durability to match its ‘sexy’ form
Stock photographs of people smiling and looking at laptops in a small business environment.
This web hosting platform elevates your online presence