{
  "name": "Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection",
  "slug": "stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection",
  "description": "A sophisticated credit card skimmer malware has been discovered targeting WordPress websites. The malware injects malicious JavaScript into database entries, specifically in the wp_options table, to steal sensitive payment details from checkout pages. It activates only on checkout pages, either hijacking existing payment fields or injecting a fake credit card form. The malware uses Base64 encoding and AES-CBC encryption to obfuscate stolen data before sending it to attacker-controlled servers. This stealthy approach allows the malware to persist undetected on compromised sites, avoiding common file-scanning tools. The attack demonstrates the evolving techniques used by attackers to target sensitive checkout processes in WordPress environments.",
  "published": "2025-01-10T00:21:39+00:00",
  "created_at": "2025-01-10T00:21:39+00:00",
  "modified_at": "2025-01-10T07:41:38+00:00",
  "created_at_opencti": "2025-01-10T00:21:39+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-10",
    "credit card skimmer",
    "database injection",
    "ecommerce",
    "wordpress"
  ],
  "related_entities": {
    "attack_patterns": [
      {
        "id": "e263a16c-ab5b-4196-8194-1906be1fabc4",
        "name": "T1056.003"
      },
      {
        "id": "88fd8eb3-cc2d-4ff0-92ff-d047dafc7855",
        "name": "T1592.002"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html",
    "https://otx.alienvault.com/pulse/678076232ea22da4b1eb9d0c"
  ]
}