Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages

The Hacker News by The Hacker News
January 13, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Jan 13, 2026Ravie Lakshmanan Web Security / Data Theft

Cybersecurity researchers have discovered a major web skimming campaign that has been active since January 2022, targeting several major payment networks like American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay.

“Enterprise organizations that are clients of these payment providers are the most likely to be impacted,” Silent Push said in a report published today.

Digital skimming attacks refer to a category of client-side attacks in which bad actors compromise legitimate e-commerce sites and payment portals to inject malicious JavaScript code that’s capable of stealthily harvesting credit card information and other personal information when unsuspecting users attempt to make a payment on checkout pages.

These attacks are classified under an umbrella term called Magecart, which initially referred to a coalition of cybercriminal groups that targeted e-commerce sites using the Magento software, before diversifying to other products and platforms.

Cybersecurity

Silent Push said it discovered the campaign after analyzing a suspicious domain linked to a now-sanctioned bulletproof hosting provider Stark Industries (and its parent company PQ.Hosting), which has since rebranded to THE[.]Hosting, under the control of the Dutch entity WorkTitans B.V., is a sanctions evasion measure.

The domain in question, cdn-cookie[.]com, has been found to host highly obfuscated JavaScript payloads (e.g., “recorder.js” or “tab-gtm.js”) that are loaded by web shops to facilitate credit card skimming.

The skimmer comes with features to evade detection by site administrators. Specifically, it checks the Document Object Model (DOM) tree for an element named “wpadminbar,” a reference to a toolbar that appears in WordPress websites when logged-in administrators or users with appropriate permissions are viewing the site.

In the event the “wpadminbar” element is present, the skimmer initiates a self-destruct sequence and removes its own presence from the web page. An attempt to execute the skimmer is made every time the web page’s DOM is modified, a standard behavior that occurs when users interact with the page.

That’s not all. The skimmer also checks to see if Stripe was selected as a payment option, and if so, there exists an element called “wc_cart_hash” in the browser’s localStorage, which it creates and sets to “true” to indicate that the victim has already been successfully skimmed.

The absence of this flag causes the skimmer to render a fake Stripe payment form that replaces the legitimate form through user interface manipulations, thereby tricking the victims into entering their credit card numbers, along with the expiration dates and Card Verification Code (CVC) numbers.

“As the victim entered their credit card details into a fake form instead of the real Stripe payment form, which was initially hidden by the skimmer when they initially filled it out, the payment page will display an error,” Silent Push said. “This makes it appear as if the victim had simply entered their payment details incorrectly.”

Cybersecurity

The data stolen by the skimmer extends beyond payment details to include names, phone numbers, email addresses, and shipping addresses. The information is eventually exfiltrated by means of an HTTP POST request to the server “lasorie[.]com.”

Once the data transmission is complete, the skimmer erases traces of itself from the checkout page, removing the fake payment form that was created and restoring the legitimate Stripe input form. It then sets “wc_cart_hash” to “true” to prevent the skimmer from being run a second time on the same victim.

“This attacker has advanced knowledge of WordPress’s inner workings and integrates even lesser-known features into their attack chain,” Silent Push said.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Net At Work Expands Its Midwestern US Presence With Latest Acquisition

Net At Work Expands Its Midwestern US Presence With Latest Acquisition

Recommended.

Greg Abel just made his first big deal as Berkshire CEO. Why Warren Buffett is happy

Greg Abel just made his first big deal as Berkshire CEO. Why Warren Buffett is happy

June 1, 2026
CAMBIUM NETWORKS PROVIDES FINANCIAL UPDATE

CAMBIUM NETWORKS PROVIDES FINANCIAL UPDATE

November 18, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio