In a technical analysis, Silent Push said a web skimming campaign has been active since January 2022 and has targeted payment networks including American Express, Mastercard, Discover, JCB, Diners Club and UnionPay.
KEY FACTS
- Incident: Web skimming campaign injects obfuscated JavaScript into checkout pages
- Timeline: Active since January 2022
- Targets: Major payment networks and enterprise clients of those providers
- Exfiltration: Stolen data posted to an external server
The campaign uses highly obfuscated JavaScript files hosted on a domain named cdn-cookie[.]com and delivered with filenames such as “recorder.js” and “tab-gtm.js”. Stolen data includes card numbers, expiration dates, CVC codes and customer contact and shipping details. The harvested data is sent by HTTP POST to lasorie[.]com.
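The skimmer attempts to avoid detection by checking the page DOM for an element named “wpadminbar” and removing itself if that element is present. The “wpadminbar” element, described in the WordPress documentation, is the admin toolbar shown to logged-in users, so the check hides the skimmer from site administrators viewing the page.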
When Stripe is offered as a payment option, the script manipulates the page interface. It creates or checks a localStorage key named “wc_cart_hash” and, if the key is absent, renders a fake Stripe payment form that replaces the legitimate input, causing an apparent payment error and prompting victims to reenter their details.
After exfiltration, the skimmer removes the fake form, restores the original inputs and sets “wc_cart_hash” to prevent a second capture. The campaign has been linked to hosting infrastructure that was rebranded as part of a sanctions evasion measure. The full extent of affected sites is not publicly known.
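For site owners, the script sources on a checkout page can be audited against the indicators named above. The following is an added example, not code from Silent Push or from the campaign; the function name, the allowlist and the sample page (shop.example, static.example.net) are assumptions made for illustration.

```javascript
// Added example: audit the <script> sources of a checkout page.
// Indicators are the ones named in the article, kept defanged and refanged at runtime.
const refang = (s) => s.replace(/\[\.\]/g, '.');
const IOC_HOSTS = ['cdn-cookie[.]com', 'lasorie[.]com'].map(refang);
const IOC_FILES = ['recorder.js', 'tab-gtm.js'];

// True when host is the domain itself or one of its subdomains.
const hostMatches = (host, domain) => host === domain || host.endsWith('.' + domain);

function auditCheckoutHtml(html, pageUrl, allowedHosts) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (!src) continue; // inline script: no source URL to resolve
    let url;
    try {
      url = new URL(src[1], pageUrl); // resolves relative and protocol-relative URLs
    } catch {
      findings.push({ type: 'unparseable-src', detail: src[1] });
      continue;
    }
    const host = url.hostname.toLowerCase();
    const file = url.pathname.split('/').pop().toLowerCase();
    if (IOC_HOSTS.some((d) => hostMatches(host, d))) {
      findings.push({ type: 'ioc-host', detail: url.href });
    } else if (!allowedHosts.some((d) => hostMatches(host, d))) {
      findings.push({ type: 'unlisted-host', detail: url.href });
    }
    // Filenames are a weak signal on their own; report them for manual review.
    if (IOC_FILES.includes(file)) findings.push({ type: 'ioc-filename', detail: url.href });
  }
  return findings;
}

// Constructed sample page; the allowlist below is an assumed policy for this shop.
const SAMPLE_HTML = [
  '<script src="/assets/app.js"></script>',
  '<script src="https://js.stripe.com/v3/"></script>',
  `<script async src="//${IOC_HOSTS[0]}/recorder.js"></script>`,
  '<script src="https://static.example.net/lib.js"></script>',
].join('\n');
const SAMPLE_FINDINGS = auditCheckoutHtml(
  SAMPLE_HTML, 'https://shop.example/checkout', ['shop.example', 'js.stripe.com']);
console.log(SAMPLE_FINDINGS);
```

Because the skimmer is obfuscated and removes itself when it sees the admin toolbar, run a check like this against the page as served to a logged-out visitor.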
WHY IT MATTERS
Compromised checkout pages can expose both payment and personal customer data. The campaign’s persistence since 2022 and its evasion techniques increase the risk that infected sites can steal information without easy detection.

