A sophisticated web-skimming campaign targeting online shoppers has emerged with renewed intensity in 2026, compromising e-commerce websites and extracting sensitive payment information during checkout processes. <\/p>\n
The attack, identified as part of the broader Magecart family of threats, represents an evolving challenge to online retail security. <\/p>\n
Threat researchers have documented extensive infrastructure associated with this long-running campaign, which has operated since at least early 2022. <\/p>\n
The malicious network targets major payment providers including American Express, Diners Club, Discover, Mastercard, JCB, and UnionPay, potentially affecting millions of customers globally.<\/p>\n
The attack operates through JavaScript injection, where malicious code embeds itself into legitimate e-commerce websites without triggering obvious security alerts. <\/p>\n
Once injected, the code remains dormant until visitors reach the checkout page, at which point it initiates its credential-stealing payload. <\/p>\n
![\"Chronicling](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgeUowUmdTyj_Vu_xVnQdyLOSD_F7pJGgN35VBQ2ROgI0D9v5epg1o4qObQ8b-ybKrTrGs36QnLvQv5sI9pB5qVSUPtx_f-Wo5ZuF2ZPYdcdjtvJ0afK9DxG3akwN2xxMLksSUfNEfujamV8ewo6dK8k0cxGeCyW6wo9xVeA1Iv6_AIHXvlhJF7eRMlMoo\/s16000\/Chronicling%2520steps%2520in%2520the%2520web%2520skimmer%2520process%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
The infrastructure relies on compromised domains and bulletproof hosting providers to maintain persistence and avoid detection. <\/p>\n
Silent Push analysts and researchers noted<\/a> that the attackers have advanced knowledge of WordPress internals, leveraging lesser-known features like wp_enqueue_scripts action hooks to integrate malicious scripts into the website rendering process.<\/p>\n The technical sophistication lies in how the malware creates a convincing facade during the payment process. <\/p>\n The skimmer establishes a MutationObserver to monitor<\/a> webpage changes in real-time, ensuring continuous monitoring of the payment form environment. <\/p>\n It then hides the legitimate Stripe payment form and injects a nearly identical fake<\/a> form that captures card numbers, expiration dates, CVV codes, and billing information. <\/p>\n The fake form includes brand detection logic that recognizes card types and displays corresponding brand images, reinforcing legitimacy to victims.<\/p>\n The data collection process captures more than payment details. The malware monitors every input field on the checkout page, harvesting names, addresses, and email information. <\/p>\n Once victims complete the form and click the Place Order button, the skimmer<\/a> compiles all collected data into a structured object, applies XOR encryption with a hardcoded key of 777, and encodes it in Base64 format. <\/p>\n The encrypted payload then transmits via HTTP POST request to exfiltration<\/a> servers located on compromised infrastructure.<\/p>\n The attack exploits user psychology by displaying payment errors after form submission, misleading victims into believing they entered incorrect information. <\/p>\n Unsuspecting customers typically re-enter credentials into the legitimate form, completing their purchase successfully while remaining unaware their data was already stolen. <\/p>\n This psychological manipulation dramatically increases attack success rates by avoiding suspicion. <\/p>\n The malware<\/a> includes evasion tactics that detect WordPress administrator status through the admin bar element and automatically disables itself when administrators view the site, significantly extending the campaign\u2019s operational lifespan. <\/p>\n Security researchers predict this multi-year threat will continue targeting vulnerable online stores throughout 2026.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Magecart Attack Steals Customers Credit Cards from Website Checkout Pages<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Malicious](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiIGHx8blTnpboZ0ZdDfo9kGPRyv-3zGDY6WBYnldgKYwcacjFEvGeskEo461OD5m8AM24Agh0uFLtLd8UOso4iQ4cgx9QeMoaKNjg1vYNl_dx5wn764aop5D89fu99ZLGCNoXrIfyfGZzj7xdZLU-UckvNq15wfxd_qwoThyzilplQs0kksln1W3R9Jyo\/s16000\/Malicious%2520file%2520callout%2520on%2520the%2520checkout%2520page%2520for%2520colunexshop%255B.%255Dcom%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
Sophisticated Data Exfiltration Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgffyZnEf6mXOWz__iuYy6CAepA53NljJkMo83hD_4FaLNAskIb3xwmdjbNi8sOHztRDgMprzRF7vKdLYpoKeW7ahUogowaapThqgplEJENpgXB0sZsWHiqxNW89p3GXi5gAVCf9XKflhOmFcCqqzUo9L6TLL0un5mPMSl5uUzYWEGQU6TShyRdT1GDUPs\/s16000\/Improper%2520use%2520of%2520code%2520results%2520in%2520a%2520visible%2520bug%2520on%2520the%2520infected%2520website%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")