Cyber Security News

New Skimmer Malware Steals Credit Card Data From Checkout Pages

A JavaScript-based malware targeting Magento eCommerce websites has been identified, which is designed to skim payment card details and activates exclusively on checkout pages. 

The malware dynamically generates a fraudulent credit card form or directly extracts sensitive payment information, where the stolen data is encrypted and transmitted to a remote server. 

The attack vector involves both filesystem and database infiltration, and the malware employs sophisticated obfuscation techniques to evade detection.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Currently, eight websites are confirmed to be infected, with two associated domains already blacklisted by VirusTotal.

Details of malware

Upon investigation, it was discovered to be a malicious script that originated from the blacklisted domain “dynamicopenfonts.app” and was found on a Magento website. 

It was found embedded in two locations: within the “default.xml” file located under the Magento theme directory (./app/design/frontend/Magento/[Redacted]/Magento_Theme/layout/default.xml) and also referenced within the “core_config_data” database table. 

It is necessary to conduct additional research in order to locate and eliminate the malicious script completely, as this indicates the possibility of code injection

The malicious script, embedded within an XML file’s <referenceContainer> directive, targets web pages with “checkout” in the URL but excludes those containing “cart.” 

By loading just before the closing </body> tag, it is designed to activate under specific conditions, which likely indicates a potential credit card skimming attack, aiming to capture sensitive payment information from unsuspecting users during the checkout process.

Fake Credit Card Form Example

With the help of Magento APIs, the malicious script is able to extract sensitive credit card details from a checkout page and also collect additional user information. 

The collected data, including personal details and financial information, is then processed through a series of steps to obscure its content: first, it’s encoded as JSON, then XOR-encrypted with a specific key, and finally Base64-encoded for secure transmission.

Malware extracts and encrypts stolen payment details like credit card information from compromised online forms, which is then covertly transmitted to a remote server at hxxps://staticfonts[.]com using a beaconing technique. 

the encrypted data is Base64-encoded to ensure safe transmission

According to Sucuri, beaconing involves a script silently sending data from the user’s device to the server without interrupting their activity, making it a stealthy method for exfiltrating stolen information. 

Magento checkout pages are vulnerable to sophisticated skimmers that inject fake forms or extract live input fields, stealing sensitive payment data.

To mitigate this risk, consistently update the site and apply security patches, or deploy a WAF for virtual patching. 

Regularly review and strengthen admin account passwords, implement file integrity monitoring to detect unauthorized changes, and deploy a robust WAF to block malicious traffic and prevent hacking attempts.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems across…

9 hours ago

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21 popular…

9 hours ago

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its focus…

9 hours ago

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has…

9 hours ago

Hackers Use Pahalgam Attack-Themed Decoys to Target Indian Government Officials

The Seqrite Labs APT team has uncovered a sophisticated cyber campaign by the Pakistan-linked Transparent…

9 hours ago

LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a significant…

9 hours ago