Ethical Hacking News
A long-running web skimming campaign has been discovered by Threat Hunters at Silent Push, targeting major payment networks and exposing a sophisticated attack chain that has evaded detection for nearly four years. This cunning scheme has stolen credit card information from online checkout pages, leaving businesses vulnerable to devastating data breaches. Learn more about the attack and how you can protect your organization from similar threats.
Threat hunters at Silent Push have exposed a long-running web skimming campaign that has targeted prominent payment networks since January 2022. Enterprise organizations relying on the targeted payment providers are particularly vulnerable to this attack. The campaign uses a malicious domain and obfuscated JavaScript payloads, such as "recorder.js" or "tab-gtm.js", to facilitate credit card skimming. The skimmer's features include a self-destruct sequence, detection of WordPress login elements, and manipulation of Stripe payment forms to steal sensitive information. The attackers exfiltrate stolen data through HTTP POST requests to the server "lasorie[.]com", after which the skimmer erases traces of itself from the checkout page. Businesses must prioritize their cybersecurity posture, implement robust security protocols, and invest in threat intelligence tools to detect and prevent web skimming campaigns.
Threat hunters at Silent Push have made a groundbreaking discovery, exposing a long-running web skimming campaign that has been quietly siphoning credit card information from online checkout pages since January 2022. This cunning scheme, which has evaded detection for nearly four years, has targeted some of the world's most prominent payment networks, including American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay.
According to Silent Push, enterprise organizations that rely on these payment providers are particularly vulnerable to this attack. The researchers stress that digital skimming attacks, which involve compromising legitimate e-commerce sites and payment portals to harvest sensitive information, pose a significant threat to businesses of all sizes.
The web skimming campaign in question is classified under the umbrella term Magecart, which initially referred to a coalition of cybercriminal groups targeting e-commerce sites using the Magento software. Over time, however, the group has diversified its attacks to other products and platforms.
Silent Push's researchers analyzed a suspicious domain linked to a now-sanctioned bulletproof hosting provider called Stark Industries (and its parent company PQ.Hosting), which has since rebranded to THE[.]Hosting, under the control of the Dutch entity WorkTitans B.V. The team discovered that this domain hosts highly obfuscated JavaScript payloads, including "recorder.js" or "tab-gtm.js," which are loaded by web shops to facilitate credit card skimming.
The skimmer boasts an impressive array of features designed to evade detection by site administrators. One notable feature allows the skimmer to initiate a self-destruct sequence and remove its presence from the web page if it detects the WordPress "wpadminbar" element, which WordPress renders when a logged-in administrator, or a user with appropriate permissions, is viewing the site.
Furthermore, the skimmer checks whether Stripe was selected as the payment option. If so, it consults a flag called "wc_cart_hash" in the browser's localStorage, which it uses to mark that the victim has already been successfully skimmed. If the flag is absent, the skimmer renders a fake Stripe payment form that replaces the legitimate form through user interface manipulation.
The fake form is designed to trick victims into entering their credit card numbers, along with expiration dates and Card Verification Code (CVC) numbers. Once the victim enters their information, the payment page displays an error message, making it appear as if the victim had simply entered their payment details incorrectly. The stolen data extends beyond payment details to include names, phone numbers, email addresses, and shipping addresses.
The information is eventually exfiltrated by means of an HTTP POST request to the server "lasorie[.]com." Once the data transmission is complete, the skimmer erases traces of itself from the checkout page, removing the fake payment form that was created and restoring the legitimate Stripe input form. It then sets "wc_cart_hash" to "true" to prevent the skimmer from being run a second time on the same victim.
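The following is an added defender-side example, not code from the article or from Silent Push: an audit routine that walks the script tags collected from a checkout page and flags the indicators the article names (the payload file names, the exfiltration host, and the combination of an admin-bar check with a localStorage flag). The allowlisted hosts and the sample page are constructed for illustration.

```javascript
// Added example: audit a checkout page's scripts for the skimmer indicators
// described in the article. Allowlist and sample data below are constructed.
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "js.stripe.com"]); // assumed first party + Stripe

// Indicators quoted in the article ("lasorie[.]com" is written defanged there).
const SKIMMER_FILENAMES = /\/(recorder|tab-gtm)\.js(\?|$)/i;
const EXFIL_HOST = "lasorie.com";
// The skimmer pairs a "wpadminbar" self-destruct check with a "wc_cart_hash"
// localStorage flag; all three strings in one inline script is a strong signal.
const BEHAVIOUR_MARKERS = ["wpadminbar", "wc_cart_hash", "localStorage"];

// Resolve relative src values against the (assumed) shop origin.
function hostOf(src) {
  try { return new URL(src, "https://shop.example/").hostname; } catch { return null; }
}

// scripts: [{src?: string, body?: string}], e.g. gathered from document.scripts.
// Returns one finding per indicator hit: {index, reason, value}.
function auditCheckoutScripts(scripts) {
  const findings = [];
  scripts.forEach((s, index) => {
    if (s.src) {
      const host = hostOf(s.src);
      if (host && !ALLOWED_SCRIPT_HOSTS.has(host))
        findings.push({ index, reason: "unknown script host", value: host });
      if (SKIMMER_FILENAMES.test(s.src))
        findings.push({ index, reason: "known skimmer filename", value: s.src });
    }
    const body = s.body || "";
    if (body.includes(EXFIL_HOST))
      findings.push({ index, reason: "exfil host referenced", value: EXFIL_HOST });
    if (BEHAVIOUR_MARKERS.every((m) => body.includes(m)))
      findings.push({ index, reason: "admin-bar check + localStorage flag", value: BEHAVIOUR_MARKERS.join("+") });
  });
  return findings;
}

// Constructed sample: a legitimate Stripe loader, an injected third-party tag,
// and an inline script that carries the behavioural markers (bodies elided).
const SAMPLE_PAGE = [
  { src: "https://js.stripe.com/v3/" },
  { src: "https://cdn.example-attacker.test/tab-gtm.js" },
  { body: "document.getElementById('wpadminbar') /*...*/ localStorage.getItem('wc_cart_hash')" },
];

for (const f of auditCheckoutScripts(SAMPLE_PAGE)) console.log(f);
```

A Content-Security-Policy whose script-src and connect-src lists contain only the first-party and Stripe hosts blocks both the loader and the POST to an unlisted exfiltration domain independently of this scan.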
The attackers' advanced knowledge of WordPress's inner workings is evident in their attack chain, which integrates even lesser-known features into their scheme.
This disturbing revelation highlights the importance of vigilance and proactive measures when it comes to protecting sensitive information. Businesses must remain vigilant and take steps to safeguard against these types of attacks, including implementing robust security protocols, regular updates, and employee training programs.
In light of this discovery, it is essential for organizations to prioritize their cybersecurity posture and invest in cutting-edge threat intelligence tools that can help detect and prevent such web skimming campaigns. By staying informed and taking proactive measures, businesses can minimize the risk of falling victim to these malicious attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Nation-of-Vulnerabilities-The-Silent-Skimming-Campaign-Exposed-ehn.shtml
https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html
https://hackread.com/hackers-exploit-stripe-api-web-skimming-card-theft/
https://thehackernews.com/2025/04/legacy-stripe-api-exploited-to-validate.html
https://www.csoonline.com/article/567335/what-is-magecart-how-this-hacker-group-steals-payment-card-data.html
https://www.reflectiz.com/blog/magecart-hacking-groups-how-they-are-expanding-their-limits-beyond-the-regular-e-commerce-websites/
https://scamalytics.com/ip/isp/worktitans-b-v
https://www.abuseipdb.com/check/2.56.172.186
Published: Tue Jan 13 13:42:50 2026 by llama3.2 3B Q4_K_M