
Webmasters Beware! WordPress Skimmers Exploit Database Tables to Steal Payment Information

Cybersecurity experts have uncovered a stealthy and sophisticated credit card skimming campaign targeting WordPress websites. By embedding malicious JavaScript into database tables, these skimmers bypass traditional detection methods to steal sensitive payment information. This alarming threat underscores the evolving tactics cybercriminals use to exploit e-commerce platforms.

How the Skimming Malware Operates

This is a skimmer that slips under the radar easily, so webmasters need to look for harmful JavaScript in places other than theme and plugin files. The attackers target WordPress e-commerce sites by storing the malicious JavaScript in the wp_options database table under the "widget_block" option. They do so through WordPress's own administrative interface: an HTML block widget is added whose content is the skimmer script, and WordPress persists that widget in widget_block like any legitimate one. Scanners that only check files on disk never see it, so the injection hides in plain sight, and the script is served on every page that renders the widget area.

Activation on Checkout Pages

The skimming script checks which page it is running on before doing anything and activates only on checkout pages, where it:

  1. Hijacks Existing Payment Fields – Modifies the legitimate fields so that whatever the customer types is intercepted.
  2. Injects Fake Credit Card Forms – Dynamically creates a payment form that mimics a real processor such as Stripe.

The fake forms capture sensitive details such as credit card numbers, CVVs, and billing information. Alternatively, the script leaves the real payment form in place and monitors it, stealing the data as it is entered in real time. On every other page the script stays inert, which is why a scanner that only loads the home page sees nothing suspicious.

Obfuscation and Exfiltration

The stolen data is encoded and encrypted before it leaves the browser, which defeats detection that relies on spotting card numbers in outbound traffic:

  • Base64 Encoding: Turns the binary payload into printable text that does not look like card data.
  • AES-CBC Encryption: Hides the plaintext from pattern-matching tools. This is obfuscation rather than real protection: a client-side script has to carry its own key and IV, so anyone who has the skimmer source can decrypt captured traffic.
  • Data Transmission: Sends the encoded payload to attacker-controlled servers such as valhafather[.]xyz or fqbe23[.]xyz.

A Broader Campaign of Deception

This attack follows a similar campaign in which JavaScript malware likewise either created fake payment forms dynamically or read data out of the legitimate checkout fields. In that instance the stolen data was serialized as JSON and XOR-encoded before being sent to a remote server. XOR with a key embedded in the script is, like the AES scheme above, obfuscation that an analyst can undo once the script is in hand.

Additional Attack Vectors

The sophistication of these campaigns extends beyond WordPress:

  • PayPal Phishing Emails: The messages genuinely come from PayPal's own addresses, so sender checks pass; recipients are tricked into logging in, which links their account to an attacker-controlled distribution list.
  • Cryptocurrency Wallet Exploits: Cybercriminals set up fake decentralized apps (DApps) that abuse Web3 wallets' transaction simulation feature: the simulated result looks harmless, but the transaction that actually executes drains the wallet.

Protecting Your Website and Customers

To safeguard WordPress e-commerce sites from these threats:

  1. Regularly Audit Database Tables: Review wp_options, especially widget_block and any other option whose value contains <script> tags, and treat entries you did not create as suspect. Diff against a known-good export where you have one.
  2. Update and Patch WordPress: Keep core, plugins and themes current so known vulnerabilities cannot be used to get in.
  3. Implement Web Application Firewalls (WAFs): A WAF blocks known malicious requests before they reach your database, but it cannot stop an attacker who is already logged in as an administrator. A Content-Security-Policy that limits connect-src to the domains you actually use also blocks exfiltration to hosts like those above even if a script does get in.
  4. Monitor for Anomalous Admin Panel Activity: Alert on changes to widgets and HTML blocks and on new or unexpected administrator accounts. Because the injection goes through the administrative interface, admin accounts need unique passwords, multi-factor authentication and as few holders as possible.
  5. Educate Users: Warn customers about fake payment forms and the risks of phishing emails.

The evolution of credit card skimmers targeting WordPress websites highlights the importance of robust cybersecurity practices. By embedding malicious code directly into database tables, these campaigns are harder to detect and more effective at stealing sensitive data. Website owners must remain vigilant and proactive in securing their platforms to protect both their business and their customers from these increasingly sophisticated threats.
