New Skimmer Malware Hijacking WordPress Websites to Steal Credit Cards


A sophisticated credit card skimmer malware has been found targeting WordPress checkout pages, silently injecting malicious JavaScript into database records to harvest sensitive payment details.

Attackers may hook existing payment fields or inject a fake credit card form to steal payment information covertly.

Targets WordPress Checkout Pages via Database Injection

Sucuri claims that the malicious code was inserted into the WordPress database within the wp_options table. By living in the database instead of in theme or plugin files, the malware evades popular file-scanning tools, which lets it persist covertly on compromised WordPress websites.

Through the WordPress admin panel (wp-admin > Widgets), the malicious JavaScript was found injected into an HTML block widget.


The script first checks whether the page URL contains “checkout” and does not contain “cart.” This means the malware only activates once a shopper is about to enter payment information.

(Figure: Script checks whether the page URL contains “checkout”)

“It dynamically creates a fake payment form that mimics legitimate payment processors (e.g., Stripe). The form includes fields for credit card number, expiration date, CVV, and billing information”, researchers said.

“If a legitimate payment form is already on the page, the script captures data entered into these fields in real time.”

This method ensures that users hand their sensitive payment information to the attacker without realizing it.

(Figure: Malware captures the information)

The malware combines AES-CBC encryption with Base64 encoding to conceal the stolen data, so the exfiltrated payload looks harmless in transit and is harder to analyze.

Once encrypted, the stolen data is transmitted to a remote server controlled by the attacker. The collected information is sent to domains such as valhafather[.]xyz and fqbe23[.]xyz.

To Remove The Malware

Examine Custom HTML Widgets

  • Log into your WordPress admin panel.
  • Navigate to wp-admin > Appearance > Widgets.
  • Check all Custom HTML block widgets for suspicious or unfamiliar
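The manual widget review above can be complemented with a scan of the stored widget options themselves. The following is an added example, not code from the article or from Sucuri: it takes (option_name, option_value) rows as you might export them from wp_options and flags HTML/Custom HTML widget entries showing the behaviour described (a checkout/cart URL gate, card-field capture, AES-CBC plus Base64 staging, a network send, or one of the reported exfiltration domains). The sample rows, the option names and the scoring threshold are assumptions.

```python
import re

# Exfiltration domains reported in the article, kept defanged so nothing resolves them.
KNOWN_EXFIL_DOMAINS = ("valhafather[.]xyz", "fqbe23[.]xyz")

# Assumed option names under which WordPress stores block / Custom HTML widgets.
WIDGET_OPTIONS = ("widget_block", "widget_custom_html")

# Behavioural indicators drawn from the article's description of the skimmer.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "checkout_gate": re.compile(r"checkout", re.I),
    "cart_exclusion": re.compile(r"\bcart\b", re.I),
    "card_fields": re.compile(r"(card[-_ ]?number|cvv|cvc|expir)", re.I),
    "aes_cbc": re.compile(r"AES-CBC", re.I),
    "base64": re.compile(r"\b(btoa|atob)\s*\(", re.I),
    "network_send": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b"),
}


def scan_widget_options(rows):
    """Return a finding per widget option that looks like the checkout skimmer."""
    findings = []
    for option_name, option_value in rows:
        if option_name not in WIDGET_OPTIONS:
            continue  # only widget storage is relevant to this campaign
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(option_value)]
        domains = [d for d in KNOWN_EXFIL_DOMAINS if d.replace("[.]", ".") in option_value]
        # A known exfil domain is enough on its own; otherwise require a script tag
        # plus at least two behavioural indicators to avoid flagging benign widgets.
        if domains or ("script_tag" in hits and len(hits) >= 3):
            findings.append({"option": option_name, "indicators": hits, "domains": domains})
    return findings


# Constructed sample rows (e.g. from: SELECT option_name, option_value FROM wp_options
# WHERE option_name LIKE 'widget_%'). The third row is a harmless stand-in that only
# carries the keywords a real injection would; it performs no skimming.
SAMPLE_ROWS = [
    ("blogname", "Example Shop"),
    ("widget_block", 'a:1:{i:2;a:1:{s:7:"content";s:16:"<p>Welcome!</p>";}}'),
    ("widget_custom_html",
     '<script>if(location.href.indexOf("checkout")>-1&&location.href.indexOf("cart")<0)'
     '{/* stand-in: fake card-number/cvv form, AES-CBC, btoa(), fetch to valhafather.xyz */}'
     '</script>'),
]

if __name__ == "__main__":
    for f in scan_widget_options(SAMPLE_ROWS):
        print(f"SUSPICIOUS {f['option']}: {', '.join(f['indicators'])} {f['domains']}")
```

Any hit should be treated as a lead for manual review of that widget and of the wp_options row, not as proof of compromise on its own.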

In November 2024, researchers reported credit card skimmer malware targeting Magento-powered eCommerce websites.

That skimmer used sophisticated obfuscation techniques to evade detection; the infection combined filesystem and database malware.

It is therefore advised that you deploy the most recent security updates and keep your website updated on a regular basis. Alternatively, virtual patching can be implemented using a web application firewall (WAF).

To keep attackers off your server, use a web application firewall, file integrity monitoring, and two-factor authentication.
