Cyber Security News

New Skimmer Malware Steals Credit Card Data From Checkout Pages

A JavaScript-based malware targeting Magento eCommerce websites has been identified, which is designed to skim payment card details and activates exclusively on checkout pages. 

The malware dynamically generates a fraudulent credit card form or directly extracts sensitive payment information, where the stolen data is encrypted and transmitted to a remote server. 

The attack vector involves both filesystem and database infiltration, and the malware employs sophisticated obfuscation techniques to evade detection.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Currently, eight websites are confirmed to be infected, with two associated domains already blacklisted by VirusTotal.

Details of malware

Upon investigation, it was discovered to be a malicious script that originated from the blacklisted domain “dynamicopenfonts.app” and was found on a Magento website. 

It was found embedded in two locations: within the “default.xml” file located under the Magento theme directory (./app/design/frontend/Magento/[Redacted]/Magento_Theme/layout/default.xml) and also referenced within the “core_config_data” database table. 

It is necessary to conduct additional research in order to locate and eliminate the malicious script completely, as this indicates the possibility of code injection

The malicious script, embedded within an XML file’s <referenceContainer> directive, targets web pages with “checkout” in the URL but excludes those containing “cart.” 

By loading just before the closing </body> tag, it is designed to activate under specific conditions, which likely indicates a potential credit card skimming attack, aiming to capture sensitive payment information from unsuspecting users during the checkout process.

Fake Credit Card Form Example

With the help of Magento APIs, the malicious script is able to extract sensitive credit card details from a checkout page and also collect additional user information. 

The collected data, including personal details and financial information, is then processed through a series of steps to obscure its content: first, it’s encoded as JSON, then XOR-encrypted with a specific key, and finally Base64-encoded for secure transmission.

Malware extracts and encrypts stolen payment details like credit card information from compromised online forms, which is then covertly transmitted to a remote server at hxxps://staticfonts[.]com using a beaconing technique. 

the encrypted data is Base64-encoded to ensure safe transmission

According to Sucuri, beaconing involves a script silently sending data from the user’s device to the server without interrupting their activity, making it a stealthy method for exfiltrating stolen information. 

Magento checkout pages are vulnerable to sophisticated skimmers that inject fake forms or extract live input fields, stealing sensitive payment data.

To mitigate this risk, consistently update the site and apply security patches, or deploy a WAF for virtual patching. 

Regularly review and strengthen admin account passwords, implement file integrity monitoring to detect unauthorized changes, and deploy a robust WAF to block malicious traffic and prevent hacking attempts.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Russian Hacker Indicted Over $24 Million Qakbot Ransomware Operation

The U.S. Department of Justice has unsealed a federal indictment against Rustam Rafailevich Gallyamov, 48,…

18 minutes ago

Fortinet Zero-Day Under Attack: PoC Now Publicly Available

FortiGuard Labs released an urgent advisory detailing a critical vulnerability, CVE-2025-32756, affecting several Fortinet products,…

44 minutes ago

Global Crackdown Nets 270 Dark Web Vendors in Major Arrests

A sweeping international crackdown, codenamed Operation RapTor, has dealt a significant blow to the criminal…

2 hours ago

CISA Alerts on Threat Actors Targeting Commvault Azure App to Steal Secrets

On May 22, 2025, Commvault, a leading enterprise data backup provider, issued an urgent advisory…

2 hours ago

CefSharp Enumeration Tool Identifies Critical Security Issues in .NET Desktop Applications

Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light on…

14 hours ago

Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage

Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure (OCI)…

14 hours ago