Fake Stripe Checkout Pages Used as a Trap

According to researchers, the attackers inject malicious JavaScript directly into legitimate checkout pages, where it generates a counterfeit payment form designed to look identical to Stripe’s official interface. Unsuspecting shoppers enter their card details into the fake form, allowing the skimmer to intercept and steal the information before it ever reaches the real payment processor.

The malicious script is hosted on attacker-controlled infrastructure such as cdn-cookie[.]com and employs multiple layers of obfuscation to evade detection. Techniques include string concatenation, base64 encoding, and XOR encryption using a hardcoded key (“777”), making the skimmer difficult to spot during routine inspections.

Targeted Attack on WooCommerce and Stripe

The campaign is highly tailored to WooCommerce stores running Stripe. Once active, the skimmer injects a malicious iframe that replaces the legitimate payment form. The fake interface supports automatic card brand detection and displays appropriate logos and formatting for supported cards, further increasing its credibility.

Supported brands include Mastercard, American Express, JCB, Diners Club, Discover, and UnionPay—mirroring the appearance and behavior of a genuine Stripe checkout experience.

Data Exfiltration and Deception

After a victim submits their payment details, the stolen data is exfiltrated to Lasorie[.]com/api/add. The skimmer then removes itself and restores the legitimate checkout form. In many cases, this process triggers a payment error, prompting users to re-enter their information—potentially exposing them multiple times without realizing it.

Researchers note that improper implementation of the malicious code occasionally results in visible bugs on infected websites, which can be one of the few outward signs of compromise.

Advanced Evasion Tactics

The attackers demonstrate deep knowledge of WordPress and WooCommerce internals. They exploit the wp_enqueue_scripts functionality to load malicious code in a way that blends in with legitimate assets. To avoid detection, the skimmer checks for the presence of the WordPress Admin Bar and disables itself when administrative users are logged in, making it harder for site owners to notice the compromise.

The campaign has affected numerous e-commerce stores across different countries and hosting providers, putting online shoppers, merchants, and payment providers at risk.

Recommendations for Website Administrators

Security experts urge e-commerce operators to take immediate defensive measures, including:

• Implementing strict Content Security Policies (CSP) to limit external JavaScript sources
• Maintaining PCI DSS compliance
• Regularly updating WordPress, WooCommerce, and all plugins
• Enforcing strong access controls and multi-factor authentication
• Periodically testing checkout pages from non-administrative user accounts

As Magecart campaigns continue to evolve in sophistication, researchers warn that proactive security monitoring and layered defenses are essential to protecting online payment ecosystems.