Inside a WooCommerce Payment Skimmer: How Carders Moved From Phishing Pages to Checkout Backdoors

CloudSEK describes a WooCommerce Payments (Stripe) checkout skimmer that overlays a fake payment form, validates card entries in real time, and silently harvests card data and email from genuine purchases. The report shows how operators moving through carding marketplaces like Savastan0, Cvvhub, Jerrys, Zillion, Proton, VClub, and Pepe have shifted from phishing pages to direct compromise of legitimate e-commerce sites.

Keypoints

  • The article analyzes a heavily obfuscated client-side skimmer recovered from a compromised WooCommerce store using WooCommerce Payments (Stripe).
  • Attackers are shifting from fake phishing pages to direct checkout compromise on real e-commerce sites, following a Magecart-style model.
  • The skimmer impersonates the Stripe payment element by injecting a first-party overlay form with fields for card number, expiry, and CVV.
  • It performs real-time validation using card brand detection, Luhn checks, and expiry validation to avoid suspicion during checkout.
  • The script hides its activity with obfuscation, misleading localStorage keys, and an analytics opt-out flag such as ga-disable-G-3SDSS99J4N.
  • Captured records include PAN, expiry, CVV, and customer email, which are encoded and sent to an attacker-controlled endpoint.
  • CloudSEK links the broader tradecraft to carding marketplaces and forums where fresh validated card data is monetized.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access was gained by compromising the store through a vulnerable plugin/theme, exposed credentials, or a CMS weakness (‘most commonly via a vulnerable or outdated plugin/theme, exposed admin credentials, or a known CMS vulnerability’).
  • [T1505.003] Server Software Component: Web Shell – The actor used a web shell to persist and place malicious code on the checkout page (‘Using the web shell, the actor plants a backdoor and positions code so that it executes on the checkout page’).
  • [T1059.007] JavaScript – The skimmer is executed as obfuscated client-side JavaScript in the browser (‘File role Client-side skimmer / exfiltration (“sender”) component’, ‘Obfuscated JavaScript’).
  • [T1027] Obfuscated Files or Information – The code uses string-array rotation and custom encoding to hide meaningful identifiers and payloads (‘Every meaningful identifier… is referenced through this lookup rather than appearing as plain text’, ‘Base64 plus URL escape/unescape and a per-character string-reversal helper’).
  • [T1562] Impair Defenses: Disable or Modify Tools – The script sets a Google Analytics opt-out flag to suppress telemetry and reduce visibility (‘It sets a Google Analytics opt-out flag (ga-disable-G-3SDSS99J4N), suppressing GA collection’).
  • [T1056.003] Input Capture: Web Portal Capture – The skimmer overlays a fake payment form and captures card details typed into first-party DOM fields (‘places it over or in line with the genuine payment area’, ‘the data typed into them is fully readable by the attacker’s script’).
  • [T1119] Automated Collection – The script automatically collects card data and email during checkout (‘Once a card passes the skimmer’s own validation, the script also pulls the customer email from the checkout’).
  • [T1567] Exfiltration Over Web Service – Encoded stolen data is sent to an attacker-controlled endpoint over the web (‘transmitted to an attacker-controlled collection endpoint’).

Indicators of Compromise

  • [File names / script components] Checkout skimmer component and YARA target strings – sender.js, numberInput_sb, expiryInput_sb, codeInput_sb
  • [DOM elements] Rogue checkout overlay near Stripe/WooCommerce Payments – wcpay-payment-element, StripeElement, and duplicate first-party inputs with an _sb suffix
  • [Browser storage keys] Suspicious localStorage artifacts mimicking analytics/pixel data – fbpixel_-style prefix, victim-deduplication marker key
  • [Analytics flags] Unexplained telemetry suppression on checkout pages – ga-disable-G-3SDSS99J4N, ga-disable-G-XXXXXXXXXX
  • [Network indicators] Outbound encoded requests from checkout to non-processor hosts – attacker-controlled collection endpoint, long encoded query strings / beacon payloads
  • [Script traits] Heavily obfuscated JavaScript with custom decoding layers – rotated string-array loader, Base64 + escape + reverse decoder
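As an added example that is not code from the CloudSEK report or from the skimmer itself, the following Node-style JavaScript performs a static triage of a checkout page's HTML for the traits listed above: duplicate first-party card inputs with the _sb suffix, first-party cc-* inputs where Stripe Elements would normally use an iframe, ga-disable-G- flags, fbpixel_-style localStorage keys, and the sender.js file name. The SAMPLE_HTML it scans is constructed, and the function names are this example's own.

```javascript
// Added example (not the CloudSEK report's or the skimmer's code): static triage of a
// checkout page's HTML for the IoC traits the report lists. SAMPLE_HTML is constructed.
const SAMPLE_HTML = `
<div id="wcpay-payment-element" class="StripeElement"></div>
<div class="StripeElement">
  <input id="numberInput_sb" name="numberInput_sb" autocomplete="cc-number">
  <input id="expiryInput_sb" name="expiryInput_sb" autocomplete="cc-exp">
  <input id="codeInput_sb" name="codeInput_sb" autocomplete="cc-csc">
</div>
<script>window["ga-disable-G-XXXXXXXXXX"]=true;localStorage.setItem("fbpixel_seen","1");</script>
<script src="/wp-content/uploads/sender.js"></script>
`;

const INPUT_TAG_RE = /<input\b[^>]*>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*"([^"]*)"/g;

// Minimal attribute parser for a single <input ...> tag (double-quoted values only).
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Returns a list of {type, detail} findings; an empty list means no listed trait was seen.
function scanCheckoutHtml(html) {
  const findings = [];
  for (const tag of html.match(INPUT_TAG_RE) || []) {
    const a = parseAttrs(tag);
    const ident = a.id || a.name || "";
    if (/_sb$/i.test(ident)) {
      // Duplicate first-party card inputs carrying the report's _sb suffix.
      findings.push({ type: "rogue-card-input", detail: ident });
    } else if (/^cc-/i.test(a.autocomplete || "")) {
      // Stripe Elements keep card fields inside Stripe-hosted iframes, so a first-party
      // cc-* input on a WooCommerce Payments checkout deserves a look even without _sb.
      findings.push({ type: "first-party-card-input", detail: ident || tag });
    }
  }
  // Telemetry suppression: may be a legitimate opt-out plugin, so report for review only.
  for (const flag of new Set(html.match(/ga-disable-G-[A-Z0-9]+/g) || [])) {
    findings.push({ type: "ga-optout", detail: flag });
  }
  // localStorage keys mimicking pixel/analytics data (fbpixel_-style prefix).
  for (const m of html.matchAll(/localStorage\.setItem\(\s*["'](fbpixel_[\w-]*)["']/g)) {
    findings.push({ type: "suspicious-storage-key", detail: m[1] });
  }
  if (/\bsender\.js\b/.test(html)) findings.push({ type: "known-script-name", detail: "sender.js" });
  return findings;
}

console.log(scanCheckoutHtml(SAMPLE_HTML));
```

Run it against a saved copy of the checkout page (fetched as a logged-out shopper, since the overlay is injected client-side); any `rogue-card-input` or `first-party-card-input` hit warrants pulling the page's scripts for manual review.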

Read more: https://www.cloudsek.com/blog/woocommerce-payment-skimmer-card-data-theft-checkout-backdoor