New Magecart Attack Steals Credit Card Data from Website Checkout Pages
The campaign injects malicious JavaScript into legitimate e-commerce checkout pages, creating fake payment forms that appear identical to legitimate Stripe payment interfaces.
When shoppers enter their payment details, the skimmer intercepts and steals the data before it reaches the actual payment processor.
The malicious code, hosted on domains like cdn-cookie[.]com, uses advanced obfuscation techniques including string concatenation, base64 encoding, and XOR encryption with a hardcoded key of “777” to evade detection.
The skimmer specifically targets WooCommerce websites using the Stripe payment gateway. It creates a malicious iframe that replaces the legitimate payment form, complete with brand-specific card formatting and validation features.
The fake form supports automatic card brand detection, displaying appropriate logos for Mastercard, American Express, JCB, Diners Club, Discover, and UnionPay to enhance legitimacy.
After victims submit their payment information, the skimmer exfiltrates the data to Lasorie[.]com/api/add before clearing itself and restoring the legitimate form, often causing a payment error that tricks users into re-entering their credentials.
The campaign has compromised numerous e-commerce stores across different countries and infrastructure providers, affecting online shoppers, e-commerce businesses, and payment providers.
The threat actors demonstrate advanced knowledge of WordPress and WooCommerce internals. They exploit the wp_enqueue_scripts functionality to inject malicious code, and the skimmer evades administrator detection by checking for the WordPress Admin Bar and removing itself when administrative users are present.
Website administrators should implement Content Security Policies (CSP) to restrict external JavaScript loading, maintain PCI DSS compliance, regularly update CMS platforms and plugins, enforce strong access controls with multi-factor authentication, and periodically test checkout pages from non-administrative perspectives.
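As an added illustration of the CSP recommendation (not code from the article or from Silent Push), the following Node.js sketch reports which directives of a checkout page's policy would still admit a foreign origin for script loading, framing, XHR/fetch or form posts. The shop and foreign origins and both policies are constructed; the Stripe hostnames are the ones Stripe documents for Stripe.js and should be checked against its current CSP guidance, and the exfiltration channel (connect-src or form-action) is an assumption, since the article does not name it.

```javascript
// Added example: simplified CSP source matching. Ignores nonces, hashes,
// paths and ports; a browser's matching is stricter than this.
const FALLBACKS = {
  'script-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'connect-src': ['default-src'],
  'form-action': [], // form-action never falls back to default-src
};

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

function allows(policy, directive, url, selfOrigin) {
  const name = [directive, ...FALLBACKS[directive]].find((d) => d in policy);
  if (name === undefined) return true; // nothing governs this request: unrestricted
  const target = new URL(url);
  return policy[name].some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return target.origin === selfOrigin;
    if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].toLowerCase();
    return host.startsWith('*.') ? target.hostname.endsWith(host.slice(1)) : host === target.hostname;
  });
}

// Returns the directives under which the policy still admits `foreignOrigin`.
function exposedDirectives(header, selfOrigin, foreignOrigin) {
  const policy = parseCsp(header);
  return Object.keys(FALLBACKS).filter((d) => allows(policy, d, foreignOrigin + '/x', selfOrigin));
}

// Constructed policies for a hypothetical shop at https://shop.example.
const SHOP = 'https://shop.example';
const FOREIGN = 'https://skimmer-cdn.example'; // placeholder, not a real indicator
const WEAK = "default-src 'self'; script-src 'self' https: 'unsafe-inline'; frame-src *";
const HARDENED = "default-src 'self'; script-src 'self' https://js.stripe.com; " +
  "frame-src https://js.stripe.com https://hooks.stripe.com; " +
  "connect-src 'self' https://api.stripe.com; form-action 'self'";

console.log('weak:', exposedDirectives(WEAK, SHOP, FOREIGN));
console.log('hardened:', exposedDirectives(HARDENED, SHOP, FOREIGN));
```

The weak policy leaves script-src, frame-src and form-action open to the foreign origin, while the hardened one leaves none and still admits Stripe's own script host.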
Silent Push research highlights that suspicious checkout behavior, such as error messages after payment submission, can signal potential fraud.
Security researchers attribute several related domains to Magecart activity dating back over three years, demonstrating the campaign’s persistence and sophistication.
The post New Magecart Attack Steals Credit Card Data from Website Checkout Pages appeared first on Cyber Security News.