
Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages

Severity: Medium
Category: Vulnerability (web)
Published: Tue Jan 13 2026 (01/13/2026, 17:30:00 UTC)
Source: The Hacker News

Description

A long-running web skimming campaign active since January 2022 targets major payment networks including American Express, Mastercard, and UnionPay by injecting malicious JavaScript into e-commerce checkout pages. The skimmer stealthily harvests credit card data and personal information by replacing legitimate payment forms, particularly targeting Stripe payment integrations. It evades detection by checking for WordPress admin toolbars and self-destructing if administrators are detected. The stolen data is exfiltrated to attacker-controlled servers, and the skimmer cleans up traces post-exfiltration to avoid repeated detection. This attack primarily affects enterprise organizations using these payment providers and relies on advanced knowledge of WordPress internals and client-side scripting. The campaign is linked to bulletproof hosting providers using evasion tactics. European organizations with e-commerce platforms using WordPress and Stripe are at significant risk. Mitigation requires enhanced monitoring of client-side scripts, integrity checks of payment forms, and stringent supply chain security for third-party scripts.

AI-Powered Analysis

Last updated: 01/14/2026, 01:57:05 UTC

Technical Analysis

This web skimming campaign, active since early 2022, represents a sophisticated client-side attack targeting online checkout pages of e-commerce sites that use major payment networks such as American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. The attackers inject highly obfuscated JavaScript payloads hosted on suspicious domains linked to bulletproof hosting providers that employ sanctions evasion techniques. The malicious scripts, named "recorder.js" or "tab-gtm.js," are loaded by compromised web shops and are designed to harvest credit card details, including card numbers, expiration dates, and CVC codes, as well as personal data like names, phone numbers, emails, and shipping addresses.

The skimmer specifically targets Stripe payment forms by detecting their presence and then replacing the legitimate form with a fake one to trick users into entering sensitive information. It uses localStorage flags ("wc_cart_hash") to avoid re-skimming the same victim and performs DOM checks for WordPress-specific elements like "wpadminbar" to evade detection by administrators, self-destructing if such elements are found. The stolen data is exfiltrated via HTTP POST requests to attacker-controlled servers such as "lasorie[.]com." After data exfiltration, the skimmer removes itself and restores the original payment form to avoid raising suspicion.

The campaign demonstrates advanced attacker knowledge of WordPress internals and client-side scripting techniques, making detection and mitigation challenging. The threat is particularly relevant to enterprise organizations that are clients of the targeted payment providers and operate e-commerce platforms, especially those built on WordPress and using Stripe for payments. The attackers' use of bulletproof hosting and domain rebranding indicates a persistent and evasive threat actor.

Potential Impact

European organizations operating e-commerce platforms that integrate with the targeted payment networks and use WordPress and Stripe are at risk of significant financial and reputational damage. The theft of credit card data can lead to fraudulent transactions, chargebacks, and regulatory penalties under GDPR due to the exposure of personal data. The campaign’s stealth and evasion techniques increase the likelihood of prolonged undetected data exfiltration, amplifying the breach impact. Enterprises may face customer trust erosion, increased fraud mitigation costs, and potential legal consequences. The targeting of major payment networks means that a wide range of industries, including retail, travel, and services, could be affected. Additionally, the use of bulletproof hosting and sanctions evasion tactics complicates takedown efforts and attribution, prolonging the threat lifecycle. The campaign’s focus on client-side attacks also challenges traditional perimeter defenses, requiring enhanced front-end security measures. Overall, the threat poses a medium to high risk to European organizations due to the sensitive nature of stolen data and the sophistication of the attack.

Mitigation Recommendations

1. Implement Content Security Policy (CSP) headers to restrict the loading of unauthorized scripts and domains, particularly blocking suspicious domains like "cdn-cookie[.]com" and "lasorie[.]com."
2. Conduct regular integrity checks and monitoring of client-side JavaScript on checkout pages to detect unauthorized modifications or injected scripts.
3. Employ runtime application self-protection (RASP) or client-side script monitoring tools to detect and block malicious script execution in real time.
4. Harden WordPress installations by limiting plugin use, enforcing least privilege for admin accounts, and monitoring for the presence of admin toolbars or unusual DOM changes.
5. Use multi-factor authentication and strict access controls for administrative accounts to reduce the risk of site compromise.
6. Monitor localStorage and sessionStorage for suspicious flags or anomalies that could indicate skimmer activity.
7. Regularly audit third-party scripts and dependencies, ensuring they come from trusted sources and are not tampered with.
8. Educate users and administrators about the signs of web skimming attacks, including unexpected payment errors or UI anomalies.
9. Collaborate with payment providers to implement additional fraud detection and transaction monitoring.
10. Establish incident response plans that include rapid identification and removal of injected scripts and communication with affected customers.


Technical Details

Article source: https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html (fetched 2026-01-14T01:56:40Z, 1160 words)

Threat ID: 6966f7db8330e06716c60389

Added to database: 1/14/2026, 1:56:43 AM

Last enriched: 1/14/2026, 1:57:05 AM

Last updated: 1/14/2026, 6:08:21 AM

