Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages


Security Reporter

A sophisticated web skimming campaign active since January 2022 is targeting major payment networks and their enterprise clients, using advanced evasion techniques to harvest credit card data from compromised checkout pages.

A major web skimming campaign has been operating undetected since January 2022, targeting the checkout pages of e-commerce sites that process payments through major networks including American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. According to cybersecurity researchers at Silent Push, enterprise organizations that are clients of these payment providers face the highest risk of compromise.


Understanding Digital Skimming and Magecart Attacks

Digital skimming represents a client-side attack category where threat actors compromise legitimate e-commerce sites and payment portals to inject malicious JavaScript code. This code stealthily harvests credit card information and personal data when users attempt to complete purchases. These attacks fall under the broader Magecart umbrella term, which originally described a coalition of cybercriminal groups targeting Magento-based stores but has since expanded to affect various e-commerce platforms and payment processors.

The campaign's infrastructure centers around the domain cdn-cookie[.]com, which hosts highly obfuscated JavaScript payloads such as recorder.js and tab-gtm.js. Attackers have designed these scripts to blend in with legitimate analytics and tracking code, making detection by site administrators extremely difficult.

Advanced Evasion Techniques

What sets this campaign apart are its evasion mechanisms, which demonstrate deep knowledge of WordPress architecture and modern web application behavior.

Administrator Detection

The skimmer actively scans the Document Object Model (DOM) tree for the presence of an element named wpadminbar. This toolbar appears in WordPress websites when logged-in administrators or authorized users view the site. If detected, the skimmer immediately initiates a self-destruct sequence, removing all traces of its presence from the webpage. This behavior repeats every time the DOM is modified, which occurs naturally during user interactions with the page.

Payment Form Manipulation

The malware performs additional checks to determine whether Stripe is selected as the payment method. It then looks in the browser's localStorage for a key named wc_cart_hash, which the skimmer sets to "true" once a victim has been skimmed. If this flag is absent, the skimmer executes a sophisticated form replacement attack:

  1. It hides the legitimate Stripe payment form
  2. Renders a convincing fake payment form in its place
  3. Captures credit card numbers, expiration dates, and CVC codes
  4. Displays an error message after submission, making victims believe they entered incorrect information

This approach serves a dual purpose: it maximizes data collection while reducing the likelihood that victims will immediately report the incident.

Data Exfiltration and Cleanup

The skimmer collects comprehensive victim information including:

  • Credit card numbers
  • Expiration dates and CVC codes
  • Names and contact information
  • Email addresses
  • Shipping addresses

Data is transmitted via HTTP POST requests to lasorie[.]com. After successful exfiltration, the skimmer removes the fake payment form, restores the legitimate Stripe interface, and sets the wc_cart_hash flag to prevent re-infection of the same victim.

Infrastructure and Attribution

Silent Push researchers discovered this campaign while analyzing domains linked to Stark Industries, a bulletproof hosting provider that has been sanctioned and subsequently rebranded to THE[.]Hosting under Dutch entity WorkTitans B.V. This rebranding appears to be a sanctions evasion tactic.

Practical Defense Measures

For Site Administrators

Implement Content Security Policy (CSP): Configure strict CSP headers that only allow scripts from trusted domains. This prevents unauthorized external scripts from loading, even if attackers manage to inject malicious code.
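To make the CSP recommendation concrete, here is an added example (not code from the article or from any vendor it names) that builds a strict policy from an allowlist and checks which script URLs it would admit. The shop origin `https://shop.example` and payment host `https://pay.example` are constructed placeholders; `cdn-cookie.com` is the skimmer host the article names, refanged only so URL parsing works.

```javascript
// Added example, not code from the article or from any product it names:
// build a strict Content-Security-Policy and check which script URLs it admits.
// All hosts below are constructed placeholders except cdn-cookie.com, which is
// the skimmer host named in the article (refanged so URL parsing works).

// Hypothetical allowlist: the shop's own origin plus one payment-provider host.
const SCRIPT_ALLOWLIST = ["'self'", "https://pay.example"];

// script-src limits where <script src> may load from; connect-src limits where
// page scripts may fetch/XHR to; form-action limits where forms may submit.
// Together they cover both ways injected code could send card data off-site.
function buildCsp(allowlist) {
  return [
    "default-src 'self'",
    `script-src ${allowlist.join(" ")}`,
    `connect-src ${allowlist.join(" ")}`,
    "form-action 'self'",
    "object-src 'none'",
  ].join("; ");
}

// Return the source list for a directive, or null if the policy lacks it.
function parseDirective(csp, name) {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

// Simplified CSP source matching: 'self', 'none', exact origins and
// scheme://*.host wildcards. Nonces, hashes and path matching are omitted,
// so this is an audit helper, not a substitute for the browser's enforcement.
function isScriptAllowed(csp, scriptUrl, pageOrigin) {
  const sources = parseDirective(csp, "script-src") || parseDirective(csp, "default-src");
  if (!sources) return true; // no applicable directive: the browser loads anything
  const url = new URL(scriptUrl);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'" && url.origin === pageOrigin) return true;
    if (src.includes("://*.")) {
      const [scheme, host] = src.split("://*.");
      if (url.protocol === `${scheme}:` && url.hostname.endsWith(`.${host}`)) return true;
    } else if (src === url.origin) {
      return true;
    }
  }
  return false;
}

// Evaluate the script URLs observed on a checkout page against the policy.
function evaluateScripts(csp, pageOrigin, scriptUrls) {
  return scriptUrls.map((u) => ({ url: u, allowed: isScriptAllowed(csp, u, pageOrigin) }));
}

// Constructed sample: two legitimate loads and the two payload names from the article.
const SAMPLE_SCRIPT_URLS = [
  "https://shop.example/js/checkout.js",
  "https://pay.example/v1/pay.js",
  "https://cdn-cookie.com/recorder.js",
  "https://cdn-cookie.com/tab-gtm.js",
];

const REPORT = evaluateScripts(buildCsp(SCRIPT_ALLOWLIST), "https://shop.example", SAMPLE_SCRIPT_URLS);
for (const r of REPORT) console.log(r.allowed ? "ALLOW" : "BLOCK", r.url);
```

Roll the policy out first as `Content-Security-Policy-Report-Only` with a `report-to` endpoint, so the violation reports reveal every third-party script the checkout page actually loads before blocking begins; an allowlist built from that inventory is what makes the enforced header both strict and survivable.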

Monitor DOM Changes: Use browser-based monitoring tools to detect unauthorized modifications to payment forms. Subresource Integrity complements this by ensuring that an externally loaded script matches a known hash, but it only protects resources that carry an integrity attribute and does not detect changes made to the DOM at runtime.

Regular Security Audits: Conduct frequent scans of your checkout pages, particularly examining:

  • External script sources
  • DOM modifications
  • localStorage changes
  • Network requests to unknown domains
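The audit checklist above can be partly automated. The following is an added example (not code from the article or from any tool it mentions) that scans a saved checkout page for external script sources, missing integrity attributes, and the indicators the article reports. The sample HTML and the `shop.example`/`pay.example` hosts are constructed; the indicator strings come from the article and are refanged so they compare against real URLs.

```javascript
// Added example, not code from the article: static audit of a checkout page's
// HTML for the indicators the article describes. Regex-based on purpose so it
// runs on a saved page without a DOM library; production tooling should use a
// real HTML parser.

// Network indicators taken from the article (defanged there, refanged here).
const SKIMMER_NETWORK_IOCS = ["cdn-cookie.com", "lasorie.com", "recorder.js", "tab-gtm.js"];
// Names the skimmer interacts with. They also occur in legitimate
// WordPress/WooCommerce code, so they are review hints, not verdicts.
const SKIMMER_BEHAVIOUR_HINTS = ["wpadminbar", "wc_cart_hash"];

// Pull every <script> tag out of the page with its src, SRI flag and inline body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({
      src: srcMatch ? srcMatch[1] : null,
      hasIntegrity: /\bintegrity\s*=/i.test(m[1]),
      body: m[2],
    });
  }
  return scripts;
}

// pageOrigin: the shop's own origin; allowedOrigins: third-party script hosts
// the site has approved (constructed placeholder in the sample below).
function auditCheckoutHtml(html, pageOrigin, allowedOrigins) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      const url = new URL(s.src, pageOrigin); // resolves relative paths against the shop
      const external = url.origin !== pageOrigin;
      const iocs = SKIMMER_NETWORK_IOCS.filter((i) => url.href.includes(i));
      if (iocs.length) findings.push({ severity: "critical", reason: "known skimmer indicator in script URL", detail: `${url.href} (${iocs.join(", ")})` });
      if (external && !allowedOrigins.includes(url.origin)) findings.push({ severity: "high", reason: "script from unapproved origin", detail: url.href });
      if (external && !s.hasIntegrity) findings.push({ severity: "medium", reason: "external script lacks integrity attribute", detail: url.href });
    } else {
      const iocs = SKIMMER_NETWORK_IOCS.filter((i) => s.body.includes(i));
      if (iocs.length) findings.push({ severity: "critical", reason: "inline script references skimmer indicator", detail: iocs.join(", ") });
      const hints = SKIMMER_BEHAVIOUR_HINTS.filter((h) => s.body.includes(h));
      if (hints.length) findings.push({ severity: "low", reason: "inline script touches admin-bar or cart-hash names; review", detail: hints.join(", ") });
    }
  }
  return findings;
}

// Constructed sample page: one first-party script, one approved payment script
// carrying SRI, one injected loader using a payload name from the article, and
// a harmless inline snippet.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="/js/checkout.js"></script>
<script src="https://pay.example/v1/pay.js" integrity="sha384-PLACEHOLDERHASH"></script>
<script src="https://cdn-cookie.com/tab-gtm.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>`;

const SAMPLE_FINDINGS = auditCheckoutHtml(SAMPLE_CHECKOUT_HTML, "https://shop.example", ["https://pay.example"]);
for (const f of SAMPLE_FINDINGS) console.log(`[${f.severity}] ${f.reason}: ${f.detail}`);
```

Run this against a snapshot of the rendered checkout page, not just the server template: the article's skimmer is injected into the served page, so the HTML a real browser receives is the artifact worth auditing, and a diff of successive snapshots is the cheapest way to notice a new script tag.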

WordPress-Specific Hardening:

  • Disable admin bar for non-administrative users when possible
  • Implement file integrity monitoring for core WordPress files
  • Use security plugins that detect JavaScript injection attempts
  • Keep WordPress core, themes, and plugins updated

For Payment Processors

Enhanced Form Security:

  • Implement frame-busting scripts to prevent clickjacking
  • Use cryptographic signatures for payment forms
  • Deploy bot detection to identify automated scraping attempts
  • Monitor for form replacement attacks in real-time

Customer Education:

  • Provide clear visual indicators of legitimate payment pages
  • Educate customers to verify URL patterns before entering sensitive data
  • Offer payment verification methods like two-factor authentication for transactions

For Security Teams

Detection Strategies:

  • Monitor for unexpected HTTP POST requests to unknown domains
  • Set up alerts for localStorage modifications on checkout pages
  • Track DOM changes that affect payment form elements
  • Implement honeypot payment forms to detect skimming attempts
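The first detection strategy, spotting POST requests that leave a checkout page for a host the site has not approved, can be expressed as a rule over egress or proxy logs. Here is an added example (not code from the article or from Silent Push) that does so over a constructed log; the log format, client addresses and the `shop.example`/`pay.example`/`analytics.example` hosts are all assumptions, while `cdn-cookie.com` and `lasorie.com` are the hosts the article names, refanged.

```javascript
// Added example, not code from the article: flag POST requests that leave a
// checkout page for a host the site has not approved, which is the
// exfiltration shape the article describes. The log format and every host are
// constructed except cdn-cookie.com and lasorie.com, which the article names.

// Constructed egress/proxy log, one request per line:
// <timestamp> <client> <method> <url> <status> referer=<url>
const SAMPLE_PROXY_LOG = [
  "2025-01-15T10:01:02Z 203.0.113.10 GET https://shop.example/checkout/ 200 referer=https://shop.example/cart/",
  "2025-01-15T10:01:03Z 203.0.113.10 GET https://pay.example/v1/pay.js 200 referer=https://shop.example/checkout/",
  "2025-01-15T10:01:03Z 203.0.113.10 GET https://cdn-cookie.com/recorder.js 200 referer=https://shop.example/checkout/",
  "2025-01-15T10:01:45Z 203.0.113.10 POST https://pay.example/v1/tokens 200 referer=https://shop.example/checkout/",
  "2025-01-15T10:01:46Z 203.0.113.10 POST https://lasorie.com/ 200 referer=https://shop.example/checkout/",
  "2025-01-15T10:02:10Z 203.0.113.11 POST https://analytics.example/collect 204 referer=https://shop.example/blog/",
];

// Parse one log line into structured fields; URLs become URL objects so host
// and path comparisons are exact rather than substring matches.
function parseLogLine(line) {
  const [ts, client, method, url, status, ...rest] = line.trim().split(/\s+/);
  const refTok = rest.find((t) => t.startsWith("referer="));
  return {
    ts,
    client,
    method,
    url: new URL(url),
    status: Number(status),
    referer: refTok ? new URL(refTok.slice("referer=".length)) : null,
  };
}

// siteHost: the shop itself; allowedHosts: shop plus payment provider;
// checkoutPrefix: the path that identifies checkout pages on this site.
// All three are site-specific assumptions supplied by the caller.
function detectCheckoutExfil(lines, { siteHost, allowedHosts, checkoutPrefix }) {
  const events = lines.map(parseLogLine);
  const onCheckout = (e) =>
    e.referer !== null && e.referer.hostname === siteHost && e.referer.pathname.startsWith(checkoutPrefix);
  const alerts = [];
  for (const e of events) {
    if (e.method !== "POST" || !onCheckout(e) || allowedHosts.includes(e.url.hostname)) continue;
    // Correlate: did the same client also pull a script from an unapproved host
    // while on checkout? A foreign script load followed by a foreign POST is
    // the loader-plus-exfiltration pairing the article describes.
    const relatedScriptHosts = events
      .filter((s) => s.client === e.client && s.method === "GET" && onCheckout(s))
      .filter((s) => s.url.pathname.endsWith(".js") && !allowedHosts.includes(s.url.hostname))
      .map((s) => s.url.hostname);
    alerts.push({
      ts: e.ts,
      client: e.client,
      host: e.url.hostname,
      severity: relatedScriptHosts.length ? "critical" : "high",
      relatedScriptHosts: [...new Set(relatedScriptHosts)],
    });
  }
  return alerts;
}

const SAMPLE_ALERTS = detectCheckoutExfil(SAMPLE_PROXY_LOG, {
  siteHost: "shop.example",
  allowedHosts: ["shop.example", "pay.example"],
  checkoutPrefix: "/checkout",
});
for (const a of SAMPLE_ALERTS) {
  console.log(`[${a.severity}] ${a.ts} ${a.client} POST to ${a.host}; scripts from ${a.relatedScriptHosts.join(", ") || "none"}`);
}
```

One caveat matters in practice: the default `Referrer-Policy` in current browsers (`strict-origin-when-cross-origin`) strips the path from the Referer header on cross-origin requests, so a real proxy log would usually show only `https://shop.example/` rather than the checkout path. Where that is the case, identify checkout sessions from the site's own access logs or from CSP violation reports instead of from the Referer, and treat any POST from a shop visitor to a host outside the payment allowlist as worth a look.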

Incident Response:

  • Develop procedures for rapidly removing malicious JavaScript
  • Establish communication protocols with payment processors
  • Prepare customer notification templates for potential data breaches
  • Document forensic evidence for law enforcement

Broader Implications

This campaign highlights the evolving sophistication of client-side attacks. Traditional server-side security measures like firewalls and intrusion detection systems cannot prevent these attacks because the malicious code executes in the victim's browser after the legitimate page loads.

The use of bulletproof hosting providers and rebranding tactics to evade sanctions demonstrates how cybercriminal operations adapt to law enforcement pressure. The campaign's longevity—spanning nearly four years—suggests that current detection methods are insufficient for identifying advanced skimming operations.

Organizations must shift toward a defense-in-depth approach that includes client-side monitoring, behavioral analysis, and real-time threat detection. The integration of WordPress-specific knowledge into the attack chain indicates that threat actors are investing significant resources into understanding their targets' infrastructure.

Moving Forward

The discovery of this campaign serves as a critical reminder that payment security extends beyond server infrastructure. Every organization processing online payments must assume they could be targeted and implement comprehensive monitoring of both server-side and client-side components of their checkout process.

Regular security assessments should include automated testing of payment flows, manual review of JavaScript sources, and continuous monitoring of network requests originating from checkout pages. As attackers continue to refine their techniques, the security community must respond with equally sophisticated detection and prevention mechanisms.
