Silent Thieves at the Checkout Counter
- Javier Conejo del Cerro
- 5 days ago
- 3 min read

Like professional thieves who know exactly when to strike and when to disappear, a long-running web skimming operation has been quietly stealing payment data from online checkout pages since January 2022. This campaign does not smash storefronts or exploit flashy zero-days. Instead, it blends into legitimate e-commerce workflows, injecting malicious JavaScript that waits patiently for customers to enter their card details. By the time victims realize something went wrong, the thieves are already gone — and the checkout page looks perfectly normal again.
Phase 1 — Selecting the Target
The attackers focus on enterprise organizations connected to major global payment networks, including American Express, Mastercard, Discover, Diners Club, JCB, and UnionPay. Rather than attacking the payment providers directly, they compromise legitimate e-commerce websites and payment portals, many of them running WordPress-based storefronts, where checkout pages represent a high-value and high-trust moment.
By embedding themselves into trusted online shops, the threat actors gain access to a constant stream of real customers entering sensitive payment information, without needing to interact with victims directly.
Phase 2 — Slipping Into the Checkout
Once access is achieved, the attackers inject highly obfuscated JavaScript skimmers (such as recorder.js or tab-gtm.js) into the checkout flow. These scripts are loaded from attacker-controlled infrastructure, notably domains such as cdn-cookie[.]com, which Silent Push linked to bulletproof hosting tied to Stark Industries / PQ.Hosting, later rebranded to evade sanctions.
The skimmer is engineered to avoid detection by site administrators. It continuously inspects the page’s DOM tree for wpadminbar, the admin toolbar element WordPress renders only when an administrator is logged in. If that element is present, the malicious code self-destructs, removing itself from the page so that it stays hidden during maintenance or troubleshooting.
Phase 3 — The Theft at the Register
When a real customer reaches checkout, the skimmer activates. If Stripe is selected as the payment method and the victim has not yet been marked as “skimmed,” the malware hides the legitimate Stripe form and replaces it with a fake one, visually identical to the real interface.
Victims unknowingly enter:
Credit card numbers
Expiration dates
CVC codes
Names, email addresses, phone numbers
Shipping addresses
To maintain realism, the page later displays a payment error, making it appear as though the transaction simply failed due to a typo.
All captured data is exfiltrated via HTTP POST requests to attacker infrastructure such as lasorie[.]com. Immediately afterward, the skimmer restores the original checkout form, deletes its visible traces, and sets internal flags (e.g., wc_cart_hash) to ensure the same victim is not skimmed twice.
A defining trait of this campaign is how cleanly it exits. After exfiltration, the malicious code removes the fake payment form, reinstates the legitimate Stripe interface, and quietly disappears from the page. To both customers and site owners, the checkout appears to behave normally again.
This stealthy cleanup — combined with selective execution, DOM checks, and self-destruct logic — has allowed the operation to remain active for years without widespread detection, highlighting the attackers’ deep understanding of WordPress internals and payment workflows.
Measures to Defend Against Web Skimming Attacks
Continuously monitor client-side scripts on checkout pages to detect unauthorized JavaScript injections or changes in third-party resources.
Implement Subresource Integrity (SRI) to ensure that only trusted and unmodified JavaScript files are executed by the browser.
Harden WordPress and e-commerce platforms by minimizing plugins, keeping themes and extensions updated, and restricting admin access.
Deploy Content Security Policy (CSP) to limit where scripts can be loaded from and prevent malicious external domains from executing code.
Regularly audit payment flows, especially when using embedded payment providers like Stripe, to detect UI manipulation or form replacement.
Monitor for anomalous outbound traffic from checkout pages, such as unexpected HTTP POST requests to unknown domains.
Use file integrity monitoring (FIM) to detect unauthorized modifications to web assets and templates.
Restrict access to administrative interfaces and ensure administrators use MFA. Because this skimmer removes itself whenever the wpadminbar element is present, review checkout pages from an unauthenticated session as well as a logged-in one; checks made only from an admin session can miss it entirely.
Conduct periodic threat hunting focused on Magecart-style techniques, including DOM inspection and localStorage abuse.
Coordinate with payment providers to ensure rapid detection, takedown, and incident response in case of card data exposure.
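A defender-side check that encodes the report's indicators, added here as an example and not code from the article or the campaign: it audits a snapshot of a checkout page (script tags, whether the genuine Stripe form is still visible, outbound requests) against an allowlist, covering the Phase 2 and Phase 3 behaviour described above and the script-monitoring, SRI and outbound-traffic measures in this list. The snapshot and policy shapes, the placeholder host shop.example and the integrity value are assumptions; on a live page the snapshot would be built from document.scripts and the browser's network instrumentation.

```javascript
// Added defensive example, not code from the article or the campaign: audit a snapshot of a
// checkout page's script tags and outbound requests against an allowlist for the report's patterns.
const KNOWN_BAD_HOSTS = new Set(["cdn-cookie.com", "lasorie.com"]); // hosts named in the report
// Strings the report ties to the skimmer; in an inline script on a checkout page they merit review.
// Tune for your site: legitimate admin-side scripts may also mention wpadminbar when logged in.
const SUSPICIOUS_MARKERS = ["wpadminbar", "recorder.js", "tab-gtm.js"];
function hostOf(url) { try { return new URL(url).hostname; } catch { return null; } }
// snapshot: { paymentMethod, stripeFormVisible, scripts: [{src, integrity} | {inline}], requests: [{method, url}] }
// policy:   { allowedScriptHosts: Set<string>, allowedPostHosts: Set<string> }   (both shapes are assumed)
function auditCheckout(snapshot, policy) {
  const findings = [];
  const flag = (severity, kind, detail) => findings.push({ severity, kind, detail });
  // Phase 3 tell: Stripe is selected but its genuine form is no longer visible.
  if (snapshot.paymentMethod === "stripe" && snapshot.stripeFormVisible === false) {
    flag("high", "stripe-form-hidden", "Stripe form hidden while Stripe is the selected method");
  }
  for (const s of snapshot.scripts) {
    if (s.src) {
      const host = hostOf(s.src);
      if (KNOWN_BAD_HOSTS.has(host)) flag("critical", "known-bad-script", s.src);
      else if (!policy.allowedScriptHosts.has(host)) flag("high", "unlisted-script-origin", s.src);
      else if (!s.integrity) flag("medium", "missing-sri", s.src); // allowed host, but no SRI pin
    } else if (s.inline) {
      const hits = SUSPICIOUS_MARKERS.filter((m) => s.inline.includes(m));
      if (hits.length) flag("high", "suspicious-inline", hits.join(","));
    }
  }
  for (const r of snapshot.requests) {
    if (r.method !== "POST") continue; // the report's exfiltration channel is HTTP POST
    const host = hostOf(r.url);
    if (KNOWN_BAD_HOSTS.has(host)) flag("critical", "known-bad-exfil", r.url);
    else if (!policy.allowedPostHosts.has(host)) flag("high", "unlisted-post-destination", r.url);
  }
  return findings;
}
// Constructed sample snapshot; shop.example and the integrity value are placeholders.
const SAMPLE_SNAPSHOT = {
  paymentMethod: "stripe", stripeFormVisible: false,
  scripts: [
    { src: "https://js.stripe.com/v3/", integrity: "" },
    { src: "https://shop.example/wp-content/plugins/woocommerce/checkout.min.js", integrity: "sha384-PLACEHOLDER" },
    { src: "https://cdn-cookie.com/tab-gtm.js", integrity: "" },
    { inline: "if(document.getElementById('wpadminbar')){/* remove self */}" },
  ],
  requests: [{ method: "POST", url: "https://shop.example/?wc-ajax=checkout" },
             { method: "POST", url: "https://lasorie.com/collect" }],
};
const SAMPLE_POLICY = { allowedScriptHosts: new Set(["shop.example", "js.stripe.com"]),
                        allowedPostHosts: new Set(["shop.example", "api.stripe.com"]) };
```

Running auditCheckout(SAMPLE_SNAPSHOT, SAMPLE_POLICY) yields five findings: the hidden Stripe form, the known-bad script host, the inline wpadminbar check, the known-bad POST destination, and the unpinned vendor script.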
This long-running web skimming operation demonstrates that modern payment fraud no longer relies on noisy breaches or visible compromise. Instead, attackers exploit trust at the client side, embedding themselves into everyday transactions where vigilance is lowest.
The campaign shows how Magecart-style attacks have evolved: stealthier, more patient, and tightly integrated into legitimate platforms. For enterprises running e-commerce infrastructure, this is a reminder that securing servers is not enough — the checkout itself has become the crime scene. Without continuous monitoring of client-side behavior, script integrity, and payment flows, even well-maintained platforms can unknowingly serve as silent accomplices in large-scale financial theft.
The Hacker News