Hackers hide card skimmers inside real WooCommerce checkout pages

Card thieves are increasingly skipping the fake phishing page and going straight for the real thing, planting hidden skimmers inside legitimate online stores so they can steal shoppers' card details during genuine purchases. Researchers at CloudSEK have pulled apart one such skimmer recovered from a compromised WooCommerce store, and the takeaway for shoppers is uncomfortable: the checkout looked completely normal while every keystroke was being captured.

The shift, documented by CloudSEK researcher Shobhit Mishra after the firm's human-intelligence work with operators on carding marketplaces, moves attackers away from lookalike bank logins and reward-claim lures toward direct compromise of trusted e-commerce sites. Instead of luring a victim to a bogus site, the attacker brings the theft to a real store with a valid certificate and a familiar brand, the model long associated with Magecart-style groups. CloudSEK did not attribute this particular sample to a specific named crew.

How the attack works

The skimmer is a piece of heavily obfuscated JavaScript that targets stores running WooCommerce Payments, which uses Stripe. Because the genuine Stripe card fields live inside a protected, cross-origin iframe that the attacker's script cannot read, the skimmer instead builds its own look-alike payment form and lays it over the real one. Those first-party fields are fully readable by the attacker's code. The fake form even re-implements the same checks a real checkout runs: card brand detection, the Luhn checksum that flags a mistyped number, and expiry validation. The victim therefore sees friendly inline errors and correct formatting and never suspects a thing.

Crucially, the legitimate payment still completes. The order goes through, the customer gets their goods, and neither shopper nor merchant notices anything wrong, which is why these skimmers can run undetected for months. Once a card passes the fake form's validation, the script grabs the customer email too and bundles it with the card number, expiry, and CVV before encoding the package and sending it to an attacker-controlled endpoint.

What to watch for

CloudSEK's analysis flags several behavioural indicators merchants can hunt for. The injected card, expiry, and security fields carry IDs ending in _sb, sitting alongside the genuine wcpay-payment-element markup. The script also works to stay quiet: it stashes data in browser localStorage under keys dressed up to look like marketing pixels (an fbpixel_-style prefix), deduplicates victims to keep outbound traffic sparse, and sets a Google Analytics opt-out flag (ga-disable-G-3SDSS99J4N) to suppress the merchant's own analytics around the rogue element. Any outbound request from the checkout page to a domain that is not the payment processor or the store's own analytics, especially one carrying long encoded strings, is a red flag.
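The indicators above can be turned into a repeatable check. The following is an added defensive example, not code from the CloudSEK report or from IntelFusions: it scans a snapshot of a WooCommerce checkout page for the rogue `_sb` fields beside the real `wcpay-payment-element`, the `fbpixel_`-prefixed localStorage keys, a `ga-disable-` flag, and outbound requests to unexpected hosts carrying long encoded strings. The snapshot shape, the expected-host list and all sample values are assumptions so that it runs offline in Node; in a browser you would build the same snapshot from `document.querySelectorAll('[id]')`, `Object.keys(localStorage)`, `window`, and a log of outbound requests.

```javascript
// Added example (not the CloudSEK or IntelFusions code): scan a checkout-page
// snapshot for the behavioural indicators described in the briefing.

// Hosts a WooCommerce Payments (Stripe) checkout is expected to talk to.
// "shop.example" stands in for the merchant's own origin (placeholder).
const EXPECTED_HOSTS = new Set([
  "shop.example",
  "js.stripe.com", "api.stripe.com", "m.stripe.com",
  "www.google-analytics.com", // the merchant's own analytics
]);

// A run of 40+ base64 / url-safe characters is a rough proxy for an
// encoded card bundle in a query string or request body.
const ENCODED_BLOB = /[A-Za-z0-9+/_=-]{40,}/;

function scanCheckoutSnapshot(snap) {
  const findings = [];

  // 1. First-party card fields injected next to the genuine Stripe element.
  const hasRealElement = snap.elementIds.includes("wcpay-payment-element");
  const sbFields = snap.elementIds.filter((id) => id.endsWith("_sb"));
  if (hasRealElement && sbFields.length) {
    findings.push({ rule: "overlay-fields", detail: sbFields });
  }

  // 2. localStorage keys dressed up as a Facebook pixel.
  const pixelKeys = snap.localStorageKeys.filter((k) => k.startsWith("fbpixel_"));
  if (pixelKeys.length) findings.push({ rule: "fake-pixel-storage", detail: pixelKeys });

  // 3. Google Analytics opt-out flag set on window by a script.
  const gaDisable = Object.keys(snap.windowFlags).filter(
    (k) => k.startsWith("ga-disable-") && snap.windowFlags[k] === true,
  );
  if (gaDisable.length) findings.push({ rule: "ga-opt-out-flag", detail: gaDisable });

  // 4. Requests to hosts outside the allowlist that carry a long encoded string.
  for (const req of snap.requests) {
    const url = new URL(req.url);
    if (EXPECTED_HOSTS.has(url.hostname)) continue;
    const payload = url.search + (req.body || "");
    if (ENCODED_BLOB.test(payload)) {
      findings.push({ rule: "exfil-candidate", detail: url.hostname });
    }
  }
  return findings;
}

// Constructed snapshot of an infected checkout; the hosts, keys and payload
// are made up, only the indicator patterns come from the briefing.
const INFECTED = {
  elementIds: ["billing_email", "wcpay-payment-element",
               "card_number_sb", "card_expiry_sb", "card_cvc_sb"],
  localStorageKeys: ["woocommerce_cart_hash", "fbpixel_uid", "fbpixel_sent"],
  windowFlags: { "ga-disable-G-3SDSS99J4N": true },
  requests: [
    { url: "https://api.stripe.com/v1/payment_intents", body: "amount=1999" },
    { url: "https://cdn.analytics-example.invalid/p.gif?d=" +
           "QWxhZGRpbjpvcGVuIHNlc2FtZQ".repeat(3), body: "" },
  ],
};

// Constructed snapshot of a clean checkout for comparison.
const CLEAN = {
  elementIds: ["billing_email", "wcpay-payment-element"],
  localStorageKeys: ["woocommerce_cart_hash"],
  windowFlags: {},
  requests: [{ url: "https://api.stripe.com/v1/payment_intents", body: "amount=1999" }],
};

// Names of the rules that fired, for a quick summary or alert.
function summarize(snap) {
  return scanCheckoutSnapshot(snap).map((f) => f.rule);
}

console.log(summarize(INFECTED)); // all four rules fire
console.log(summarize(CLEAN));    // []
```

Rules 1 to 3 are exact matches on the indicators CloudSEK published and will only catch this family; rule 4 is the generic one worth keeping in a monitoring job, since any skimmer has to get the data off the page somehow.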

What merchants and shoppers should do

The backdoor that delivers the skimmer usually arrives through an outdated plugin or theme, stolen admin credentials, or a known CMS flaw, so merchants should patch promptly, remove unused extensions, monitor checkout pages for unexpected script changes, and apply a Content Security Policy that limits where scripts can load from and send data to. Removing only the front-end script while leaving the web shell in place guarantees reinfection, so a full clean-up and credential reset is essential. Shoppers can lower their exposure by preferring tokenised wallets such as Apple Pay, Google Pay, or PayPal, using single-use virtual card numbers where their bank offers them, and turning on transaction alerts. Be wary if a checkout suddenly asks you to re-type full card details in a second form.

Full technical detail, indicators, and detection guidance are in the original CloudSEK report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
