< ciso brief />

All news with #web skimming tag

25 articles

Inside modern crypto drainers and spotting signs

🔍 Flare researchers analyzed ~700 underground posts on the "Lucifer DaaS" between Jan 2025 and early 2026 to reveal how modern crypto drainers evolved into professionalized, service-like platforms. The study highlights affiliate-driven distribution, automation, website cloning, Permit2 abuse, and multichain support, showing how DaaS lowers technical barriers and increases resilience. It also lists practical indicators to help users avoid wallet-draining scams.

Typosquatting: Runtime Risks in Third-Party Web Scripts

🛡️ Attackers are embedding AI-generated lookalike domains inside legitimate third-party scripts, transforming typosquatting from a user mistake into a browser-runtime threat that traditional controls miss. Firewalls, WAFs, EDR, and CSPs cannot observe what approved scripts do once executed, enabling silent exfiltration as in the Trust Wallet compromise. Effective detection needs runtime behavioral monitoring that traces script actions, network calls, and deviations from established baselines rather than relying on static vetting.

Critical Funnel Builder Flaw Actively Injects Skimmers

⚠️ A critical vulnerability in the Funnel Builder WordPress plugin (affecting versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Sansec reports attackers are planting fake Google Tag Manager-like scripts in the plugin's External Scripts setting to load payment skimmers. FunnelKit released a patch in v3.15.0.3; site owners should update immediately and inspect checkout scripts.

Critical Funnel Builder WordPress Plugin Exploited

⚠️ A critical, unauthenticated vulnerability in the Funnel Builder WordPress plugin (versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Attackers modify the plugin’s global settings via an exposed checkout endpoint to add a fake analytics script that opens a WebSocket and delivers a payment card skimmer. The injected skimmer harvests card numbers, CVVs, billing details and other customer data; site owners should update to 3.15.0.3 and inspect External Scripts.

Attackers Hide Credit-Card Skimmer in 1×1 SVG Pixel

🔍 Sansec researchers uncovered a campaign that embeds a credit-card skimmer into Magento storefronts by hiding it inside a 1×1-pixel SVG element with an onload handler. The handler stores the entire payload as a base64 string decoded via atob() and executed inline to avoid external script detection. When shoppers click checkout a fake Secure Checkout overlay validates card and billing fields in real time and exfiltrates data in XOR-encrypted, base64-obfuscated JSON; Sansec identified six exfiltration domains and published actionable mitigations.

Cloudflare Expands Client-Side Security to All Users

🔒 Cloudflare is making advanced client-side protections self-serve and offering domain-based threat intelligence free across all Client-Side Security customers. The Client-Side Security Advanced bundle brings machine learning and an LLM-backed second opinion to detect malicious JavaScript and drastically reduce false positives. It relies on browser reporting like CSP and requires only that traffic be proxied through Cloudflare, so there is zero latency impact to applications. These tools are intended to help organizations of all sizes detect skimming, supply-chain compromises, and sophisticated browser-side attacks.

WebRTC-based Payment Skimmer Bypasses CSP Protections

🔒 Sansec researchers uncovered a novel payment skimmer that uses WebRTC data channels to load malicious payloads and exfiltrate card data, effectively sidestepping Content Security Policy protections. The skimmer establishes a peer connection to a hard-coded IP (202.181.177[.]177) over UDP port 3479, retrieves JavaScript, and injects it into the checkout page to capture payment details. The campaign was enabled by the PolyShell flaw in Magento, which allows unauthenticated executable uploads. Because WebRTC traffic runs over DTLS-encrypted UDP rather than HTTP, standard HTTP-based monitoring and CSP enforcement may fail to detect or block the theft.

Claude Code Security and Magecart: Where Tools Stop

🛡️ This report explains why a Magecart skimmer that hid its payload inside a favicon's EXIF metadata can evade repository-focused scanners. Claude Code Security inspects source code and repo artifacts, so it cannot observe malicious scripts injected through third‑party CDNs, tag managers, or images that only execute in users' browsers. The observed attack used a multi‑stage loader to assemble a URL, parse binary image metadata, and execute the extracted payload at checkout, silently exfiltrating payment data. The piece argues that runtime monitoring and stronger supply‑chain governance are essential complements to static analysis.

AppsFlyer Web SDK Temporarily Hijacked to Steal Crypto

🛡️ The AppsFlyer Web SDK was temporarily hijacked to deliver obfuscated JavaScript that intercepts cryptocurrency wallet inputs and replaces them with attacker-controlled addresses, diverting funds. Profero researchers identified the malicious payload being served from websdk.appsflyer.com between March 9 and March 11. AppsFlyer says the mobile SDK was not affected, the incident has been contained, and an investigation with external forensics is ongoing.

Spanish police arrest hacker who booked hotels for €0.01

🔒 Spanish authorities say they arrested a 20-year-old who allegedly exploited a payment gateway to reserve luxury hotel rooms for a single euro cent. The suspect reportedly manipulated the communication between a booking site and the bank so the reservation appeared fully authorised while only €0.01 was processed. Multiple fraudulent bookings were reported by the travel agency, and one hotel lost over €20,000.

Pastebin-Promoted ClickFix JavaScript Attack Hijacks Swaps

🚨 Threat actors are abusing Pastebin comments to promote a ClickFix-style social engineering campaign that tricks cryptocurrency users into executing JavaScript in their browser, enabling attackers to hijack Bitcoin swap transactions on Swapzone.io. Victims are directed to copy a javascript: snippet from a hosted paste and execute it in the address bar; the injected, obfuscated payload overrides the exchange's swap logic and replaces deposit addresses with attacker-controlled wallets. The code also tampers with displayed rates and offers to simulate successful arbitrage. Because the script runs within the victim's authenticated session, the interface looks legitimate while funds are irreversibly redirected to attackers.

Researchers Expose HaxorSEO Backlink Marketplace Abuse

🔎 Security researchers at Fortra’s Intelligence and Research Experts (FIRE) uncovered a Telegram and WhatsApp marketplace called HaxorSEO offering over 1,000 backlinks on pre-compromised, legitimate domains. Operators install webshells and inject backlinks that point to phishing or malware sites, advertising SEO metrics like PA, DA and DR to sell effectiveness. Listings cost as little as $6 each and can help fraudulent pages outrank genuine services. Users are advised to bookmark sensitive login pages and verify domains before entering credentials.

NFCGate Relay Attacks: Evolving Mobile Payment Fraud

🔒 This article examines how NFC relay attacks built on the open-source NFCGate tool have been adapted by criminals to steal funds via smartphone payments. It describes both the original direct relay—where a victim’s phone reads their card and relays data to a mule—and the newer reverse relay that causes victims to unknowingly emulate an attacker’s card. The author outlines documented campaigns from 2023–2025, malware families involved, and practical precautions to reduce risk.

Long-running web skimming campaign targets major payments

🔒 Silent Push researchers disclosed a long-running web skimming campaign active since January 2022 that targets customers of major payment networks including American Express, Mastercard, Discover, JCB, Diners Club and UnionPay. The attackers deliver highly obfuscated JavaScript from the domain cdn-cookie[.]com to e-commerce sites and use checks for WordPress’s wpadminbar to self‑destruct when administrators are present. The skimmer renders a fake Stripe payment form, harvests card and personal data, exfiltrates it to lasorie[.]com, then erases traces and sets a localStorage flag to prevent repeat infections, heightening risk for enterprise clients of affected payment providers.

Global Magecart Campaign Targets Six Major Card Networks

🔒 Silent Push has uncovered a long-running Magecart web‑skimming campaign, active since around 2022, that loads highly obfuscated JavaScript from bulletproof hosting and targets six major card networks including American Express, Mastercard and UnionPay. The skimmer operates client-side, injecting an iframe to display a convincingly styled fake payment form that captures cardholder and shipping details before restoring the original form. Silent Push links parts of the infrastructure to domains hosted by a sanctioned/bulletproof provider and recommends measures such as Content Security Policy, PCI DSS adherence, timely CMS/plugin updates, enforced MFA and incognito-mode testing to detect stealthy injections.

Five Major Threats That Reshaped Web Security in 2025

🛡️ Web security in 2025 shifted rapidly as AI-enabled development and adversaries outpaced traditional controls. Natural-language "vibe coding" and compromised AI dev tools produced functional code with exploitable flaws, highlighted by the Base44 authentication bypass and multiple CVEs affecting popular assistants. At the same time, industrial-scale JavaScript injections, advanced Magecart e-skimming, and widespread privacy drift impacted hundreds of thousands of sites and thousands of financial sessions. Defenders moved toward security-first prompting, behavioral monitoring, continuous validation, and AI-aware controls to reduce exposure.

Malicious Chrome Extension Injects Hidden Solana Fees

🛡️ A malicious Chrome extension named Crypto Copilot was found injecting covert Solana transfers into Raydium swap transactions, diverting funds to an attacker-controlled wallet. Published by "sjclark76" on May 7, 2024, the add-on remains available on the Chrome Web Store with 12 installs. The extension appends a hidden SystemProgram.transfer to each swap before signature, charging a minimum of 0.0013 SOL (and applying a 2.6 SOL/0.05% rule) while obfuscating its code to evade detection. It also contacts backend domains to register wallets and report activity, giving a false veneer of legitimacy.

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Hidden SEO Links: Business Risks and How to Protect

🔍 Hidden blocks of links embedded on corporate websites can quietly erode search rankings and damage reputation by pointing to dubious domains such as pornography or gambling. Invisible to users but parsed by search engines and security tools, these links divert link equity and often trigger algorithmic penalties. Attackers inject them via compromised admin credentials, vulnerable CMS components, infected templates, or breached hosting. Regular updates, strict access controls, routine audits, backups, and mandatory 2FA help prevent and limit impact.

Smart Contracts Abused to Serve Malware on WordPress

🪙 Google Threat Intelligence Group links a financially motivated actor, UNC5142, to widespread compromises of WordPress sites that leverage EtherHiding and on-chain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys and Vidar. The campaign injects a multi-stage JavaScript downloader (CLEARSHORT) into plugins, themes and databases to query malicious BNB Smart Chain contracts, which return encrypted landing pages that use ClickFix social engineering to trick Windows and macOS users into executing stealer payloads. Google flagged roughly 14,000 infected pages through June 2025, and observed a move to a three-contract proxy-like architecture since November 2024 that improves agility and resistance to takedown.