Security Tips

Card Skimming and Magecart on WordPress: How Attackers Steal Payment Data at Checkout

Card skimming injects invisible code into your checkout to steal customer payment details. Learn how Magecart-style attacks hit WooCommerce and how to stop them.

WPSentry TeamJuly 16, 20263 min read
Table of Contents 6 sections

What Is Web Card Skimming?

Web card skimming, widely known as a Magecart attack, is the digital version of a physical card skimmer on an ATM. Instead of tampering with a machine, the attacker injects malicious JavaScript into your online checkout. As a customer types their card number, expiry date, and security code, the hidden code copies each keystroke and sends it to a server the attacker controls. The real payment still completes, the order still ships, and nobody notices anything is wrong.

Why WordPress Stores Are a Target

WooCommerce is the most popular way to sell online with WordPress, which makes WordPress stores a large and attractive target. Any store that collects card details in the browser can be skimmed. Even stores that use a payment gateway can be vulnerable if a compromised script can read the checkout form before the data is tokenized.

How a Skimming Attack Unfolds

  1. Initial compromise. The attacker exploits a vulnerable plugin, theme, or WordPress core, or logs in with stolen admin credentials.
  2. Injection. They insert skimming JavaScript into a theme file, a plugin, the database, or a third-party script the checkout already loads.
  3. Harvesting. On the checkout page, the code listens to the card fields and captures the data as the customer types.
  4. Exfiltration. The stolen details are sent to an attacker-controlled server, often disguised as a normal analytics or image request.
  5. Persistence. A backdoor is planted so the attacker can re-inject the skimmer if it is removed.

The supply-chain angle

Skimmers do not always live on your server. Attackers also compromise a third-party script your checkout loads, such as a chat widget or analytics library, so the skimming code arrives from a trusted external source. This is why controlling which scripts can run matters.

How to Detect a Skimmer

  • Watch for unexpected changes to checkout files and scripts through file integrity monitoring.
  • Review the scripts your checkout loads and question any domain you do not recognize.
  • Look for outbound requests from the checkout page to unfamiliar servers.
  • Investigate customer reports of card fraud that trace back to purchases on your store.

How to Protect Your Checkout

  1. Use hosted or tokenized payment fields. When card data is entered in a payment provider's iframe, it never touches your page, so a skimmer has nothing to read.
  2. Keep everything updated. Most store compromises begin with a known plugin or theme vulnerability.
  3. Apply a Content-Security-Policy. Restrict which scripts can run and where data can be sent, which blocks unauthorized exfiltration.
  4. Audit third-party scripts. Remove any script you do not need, and use integrity checks where possible.
  5. Monitor file integrity so injected code is flagged immediately.
  6. Enforce strong admin security with unique passwords and two-factor authentication.

How to Check Your Store

Our WordPress Security Scanner checks for missing Content-Security-Policy headers, outdated WooCommerce and plugin versions with known flaws, and blocklist status. Run a free scan to confirm your checkout is not quietly leaking your customers' payment data.

FAQ

Frequently Asked Questions

Web card skimming, often called a Magecart attack, is when an attacker injects malicious JavaScript into an online store's checkout page. The code silently copies the customer's card number, expiry, and security code as they type, and sends it to the attacker while the real payment still goes through.

Yes. Any WordPress store that collects card details in the browser is a target, and WooCommerce is the most popular WordPress store platform. Attackers compromise the site through a vulnerable plugin or theme, then inject skimming code into the checkout.

The skimmer is designed to be invisible. The checkout still works, the order completes, and the customer receives their product, so nothing looks wrong. The stolen data is exfiltrated quietly in the background, sometimes only from a fraction of visitors to avoid attention.

Attackers exploit a vulnerability in an outdated plugin, theme, or WordPress core, or use stolen admin credentials. They then inject the JavaScript directly into files, the database, or a compromised third-party script that your checkout already loads.

Use a hosted or tokenized payment field so card data never touches your server, keep everything updated, monitor file and script integrity, apply a Content-Security-Policy that limits which scripts can run, audit third-party scripts, and scan regularly for injected code.

Tags

Related Posts