< ciso brief />

All news with #web skimming tag

21 articles

Attackers Hide Credit-Card Skimmer in 1×1 SVG Pixel

🔍 Sansec researchers uncovered a campaign that embeds a credit-card skimmer into Magento storefronts by hiding it inside a 1×1-pixel SVG element with an onload handler. The handler stores the entire payload as a base64 string, decodes it via atob(), and executes it inline to avoid external-script detection. When shoppers click checkout, a fake Secure Checkout overlay validates card and billing fields in real time and exfiltrates the data as XOR-encrypted, base64-obfuscated JSON; Sansec identified six exfiltration domains and published actionable mitigations.

Cloudflare Expands Client-Side Security to All Users

🔒 Cloudflare is making advanced client-side protections self-serve and offering domain-based threat intelligence free across all Client-Side Security customers. The Client-Side Security Advanced bundle brings machine learning and an LLM-backed second opinion to detect malicious JavaScript and drastically reduce false positives. It relies on browser reporting like CSP and requires only that traffic be proxied through Cloudflare, so there is zero latency impact to applications. These tools are intended to help organizations of all sizes detect skimming, supply-chain compromises, and sophisticated browser-side attacks.

WebRTC-based Payment Skimmer Bypasses CSP Protections

🔒 Sansec researchers uncovered a novel payment skimmer that uses WebRTC data channels to load malicious payloads and exfiltrate card data, effectively sidestepping Content Security Policy protections. The skimmer establishes a peer connection to a hard-coded IP (202.181.177[.]177) over UDP port 3479, retrieves JavaScript, and injects it into the checkout page to capture payment details. The campaign was enabled by the PolyShell flaw in Magento, which allows unauthenticated executable uploads. Because WebRTC traffic runs over DTLS-encrypted UDP rather than HTTP, standard HTTP-based monitoring and CSP enforcement may fail to detect or block the theft.

Claude Code Security and Magecart: Where Tools Stop

🛡️ This report explains why a Magecart skimmer that hid its payload inside a favicon's EXIF metadata can evade repository-focused scanners. Claude Code Security inspects source code and repo artifacts, so it cannot observe malicious scripts injected through third‑party CDNs, tag managers, or images that only execute in users' browsers. The observed attack used a multi‑stage loader to assemble a URL, parse binary image metadata, and execute the extracted payload at checkout, silently exfiltrating payment data. The piece argues that runtime monitoring and stronger supply‑chain governance are essential complements to static analysis.

AppsFlyer Web SDK Temporarily Hijacked to Steal Crypto

🛡️ The AppsFlyer Web SDK was temporarily hijacked to deliver obfuscated JavaScript that intercepts cryptocurrency wallet inputs and replaces them with attacker-controlled addresses, diverting funds. Profero researchers identified the malicious payload being served from websdk.appsflyer.com between March 9 and March 11. AppsFlyer says the mobile SDK was not affected, the incident has been contained, and an investigation with external forensics is ongoing.

Spanish police arrest hacker who booked hotels for €0.01

🔒 Spanish authorities say they arrested a 20-year-old who allegedly exploited a payment gateway to reserve luxury hotel rooms for a single euro cent. The suspect reportedly manipulated the communication between a booking site and the bank so the reservation appeared fully authorised while only €0.01 was processed. Multiple fraudulent bookings were reported by the travel agency, and one hotel lost over €20,000.

Pastebin-Promoted ClickFix JavaScript Attack Hijacks Swaps

🚨 Threat actors are abusing Pastebin comments to promote a ClickFix-style social engineering campaign that tricks cryptocurrency users into executing JavaScript in their browser, enabling attackers to hijack Bitcoin swap transactions on Swapzone.io. Victims are directed to copy a javascript: snippet from a hosted paste and execute it in the address bar; the injected, obfuscated payload overrides the exchange's swap logic and replaces deposit addresses with attacker-controlled wallets. The code also tampers with displayed rates and offers to simulate successful arbitrage. Because the script runs within the victim's authenticated session, the interface looks legitimate while funds are irreversibly redirected to attackers.

Researchers Expose HaxorSEO Backlink Marketplace Abuse

🔎 Security researchers at Fortra’s Intelligence and Research Experts (FIRE) uncovered a Telegram and WhatsApp marketplace called HaxorSEO offering over 1,000 backlinks on pre-compromised, legitimate domains. Operators install webshells and inject backlinks that point to phishing or malware sites, advertising SEO metrics like PA, DA and DR to sell effectiveness. Listings cost as little as $6 each and can help fraudulent pages outrank genuine services. Users are advised to bookmark sensitive login pages and verify domains before entering credentials.

NFCGate Relay Attacks: Evolving Mobile Payment Fraud

🔒 This article examines how NFC relay attacks built on the open-source NFCGate tool have been adapted by criminals to steal funds via smartphone payments. It describes both the original direct relay—where a victim’s phone reads their card and relays data to a mule—and the newer reverse relay that causes victims to unknowingly emulate an attacker’s card. The author outlines documented campaigns from 2023–2025, malware families involved, and practical precautions to reduce risk.

Long-running web skimming campaign targets major payments

🔒 Silent Push researchers disclosed a long-running web skimming campaign active since January 2022 that targets customers of major payment networks including American Express, Mastercard, Discover, JCB, Diners Club and UnionPay. The attackers deliver highly obfuscated JavaScript from the domain cdn-cookie[.]com to e-commerce sites and use checks for WordPress’s wpadminbar to self‑destruct when administrators are present. The skimmer renders a fake Stripe payment form, harvests card and personal data, exfiltrates it to lasorie[.]com, then erases traces and sets a localStorage flag to prevent repeat infections, heightening risk for enterprise clients of affected payment providers.

Global Magecart Campaign Targets Six Major Card Networks

🔒 Silent Push has uncovered a long-running Magecart web‑skimming campaign, active since around 2022, that loads highly obfuscated JavaScript from bulletproof hosting and targets six major card networks including American Express, Mastercard and UnionPay. The skimmer operates client-side, injecting an iframe to display a convincingly styled fake payment form that captures cardholder and shipping details before restoring the original form. Silent Push links parts of the infrastructure to domains hosted by a sanctioned/bulletproof provider and recommends measures such as Content Security Policy, PCI DSS adherence, timely CMS/plugin updates, enforced MFA and incognito-mode testing to detect stealthy injections.

Five Major Threats That Reshaped Web Security in 2025

🛡️ Web security in 2025 shifted rapidly as AI-enabled development and adversaries outpaced traditional controls. Natural-language "vibe coding" and compromised AI dev tools produced functional code with exploitable flaws, highlighted by the Base44 authentication bypass and multiple CVEs affecting popular assistants. At the same time, industrial-scale JavaScript injections, advanced Magecart e-skimming, and widespread privacy drift impacted hundreds of thousands of sites and thousands of financial sessions. Defenders moved toward security-first prompting, behavioral monitoring, continuous validation, and AI-aware controls to reduce exposure.

Malicious Chrome Extension Injects Hidden Solana Fees

🛡️ A malicious Chrome extension named Crypto Copilot was found injecting covert Solana transfers into Raydium swap transactions, diverting funds to an attacker-controlled wallet. Published by "sjclark76" on May 7, 2024, the add-on remains available on the Chrome Web Store with 12 installs. The extension appends a hidden SystemProgram.transfer to each swap before signature, charging a minimum of 0.0013 SOL (and applying a 2.6 SOL/0.05% rule) while obfuscating its code to evade detection. It also contacts backend domains to register wallets and report activity, giving a false veneer of legitimacy.

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Hidden SEO Links: Business Risks and How to Protect

🔍 Hidden blocks of links embedded on corporate websites can quietly erode search rankings and damage reputation by pointing to dubious domains such as pornography or gambling. Invisible to users but parsed by search engines and security tools, these links divert link equity and often trigger algorithmic penalties. Attackers inject them via compromised admin credentials, vulnerable CMS components, infected templates, or breached hosting. Regular updates, strict access controls, routine audits, backups, and mandatory 2FA help prevent and limit impact.

Smart Contracts Abused to Serve Malware on WordPress

🪙 Google Threat Intelligence Group links a financially motivated actor, UNC5142, to widespread compromises of WordPress sites that leverage EtherHiding and on-chain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys and Vidar. The campaign injects a multi-stage JavaScript downloader (CLEARSHORT) into plugins, themes and databases to query malicious BNB Smart Chain contracts, which return encrypted landing pages that use ClickFix social engineering to trick Windows and macOS users into executing stealer payloads. Google flagged roughly 14,000 infected pages through June 2025, and observed a move to a three-contract proxy-like architecture since November 2024 that improves agility and resistance to takedown.

UNC5142 EtherHiding: Smart-Contract Malware Distribution

🔐 Since late 2023, Mandiant and the Google Threat Intelligence Group tracked UNC5142, a financially motivated cluster that compromises vulnerable WordPress sites to distribute information stealers. The actor's CLEARSHORT JavaScript loader uses Web3 to query smart contracts on the BNB Smart Chain that store ABIs, encrypted landing pages, AES keys, and payload pointers. By employing a three-contract Router-Logic-Storage design and abusing legitimate hosting (Cloudflare Pages, GitHub, MediaFire), operators can rotate lures and update payload references on-chain without changing injected scripts, enabling resilient, low-cost campaigns that GTIG found on ~14,000 injected pages by June 2025 and which showed no on-chain updates after July 23, 2025.

Unmonitored JavaScript: The Holiday Shopping Risk 2025

⚠️ The article warns that unmonitored JavaScript on e-commerce sites is the single biggest holiday security risk, enabling attackers to steal payment data while server-side defenses like WAFs and intrusion detection systems remain blind. It reviews major 2024 incidents, including the Polyfill.io and Cisco Magecart campaigns, and highlights a dramatic uptick in attacks during peak shopping windows. Recommended mitigations emphasize closing visibility gaps with real-time client-side monitoring, maintaining strict third-party script inventories, and deploying Content Security Policy (initially in report-only mode) using nonces rather than weakening directives.

Iframe Security Exposed — Payment Checkout Blind Spot

🔒 Payment iframes are no longer a guaranteed sandbox: attackers have adopted pixel-perfect overlays and other injection techniques to steal card data from checkout pages. The article dissects the August 2024 Stripe skimmer campaign that compromised dozens of merchants and used a deprecated API to validate stolen cards in real time. It explains why legacy controls like X-Frame-Options and basic CSP fail when the host page is compromised and outlines a practical six-step defense combining strict CSP, real-time DOM monitoring, secure postMessage handling, and tooling changes required by PCI DSS 4.0.1.

Open Source Community Stops Large npm Supply-Chain Attack

🔒 A rapid open source response contained a supply-chain compromise after maintainer Josh Junon (known as 'qix') reported his npm account was hijacked on September 8. Malicious versions of widely used packages including chalk, strip-ansi and color-convert were published embedding a crypto-clipper that swaps wallet addresses and hijacks transactions. The community and npm removed the tainted releases within hours, limiting financial impact and exposure.