Table of Contents 6 sections
What Is Web Card Skimming?
Web card skimming, widely known as a Magecart attack, is the digital version of a physical card skimmer on an ATM. Instead of tampering with a machine, the attacker injects malicious JavaScript into your online checkout. As a customer types their card number, expiry date, and security code, the hidden code copies each keystroke and sends it to a server the attacker controls. The real payment still completes, the order still ships, and nobody notices anything is wrong.
Why WordPress Stores Are a Target
WooCommerce is the most popular way to sell online with WordPress, which makes WordPress stores a large and attractive target. Any store that collects card details in the browser can be skimmed. Even stores that use a payment gateway can be vulnerable if a compromised script can read the checkout form before the data is tokenized.
How a Skimming Attack Unfolds
- Initial compromise. The attacker exploits a vulnerable plugin, theme, or WordPress core, or logs in with stolen admin credentials.
- Injection. They insert skimming JavaScript into a theme file, a plugin, the database, or a third-party script the checkout already loads.
- Harvesting. On the checkout page, the code listens to the card fields and captures the data as the customer types.
- Exfiltration. The stolen details are sent to an attacker-controlled server, often disguised as a normal analytics or image request.
- Persistence. A backdoor is planted so the attacker can re-inject the skimmer if it is removed.
The supply-chain angle
Skimmers do not always live on your server. Attackers also compromise a third-party script your checkout loads, such as a chat widget or analytics library, so the skimming code arrives from a trusted external source. This is why controlling which scripts can run matters.
How to Detect a Skimmer
- Watch for unexpected changes to checkout files and scripts through file integrity monitoring.
- Review the scripts your checkout loads and question any domain you do not recognize.
- Look for outbound requests from the checkout page to unfamiliar servers.
- Investigate customer reports of card fraud that trace back to purchases on your store.
How to Protect Your Checkout
- Use hosted or tokenized payment fields. When card data is entered in a payment provider's iframe, it never touches your page, so a skimmer has nothing to read.
- Keep everything updated. Most store compromises begin with a known plugin or theme vulnerability.
- Apply a Content-Security-Policy. Restrict which scripts can run and where data can be sent, which blocks unauthorized exfiltration.
- Audit third-party scripts. Remove any script you do not need, and use integrity checks where possible.
- Monitor file integrity so injected code is flagged immediately.
- Enforce strong admin security with unique passwords and two-factor authentication.
How to Check Your Store
Our WordPress Security Scanner checks for missing Content-Security-Policy headers, outdated WooCommerce and plugin versions with known flaws, and blocklist status. Run a free scan to confirm your checkout is not quietly leaking your customers' payment data.
FAQ
Frequently Asked Questions
Web card skimming, often called a Magecart attack, is when an attacker injects malicious JavaScript into an online store's checkout page. The code silently copies the customer's card number, expiry, and security code as they type, and sends it to the attacker while the real payment still goes through.
Yes. Any WordPress store that collects card details in the browser is a target, and WooCommerce is the most popular WordPress store platform. Attackers compromise the site through a vulnerable plugin or theme, then inject skimming code into the checkout.
The skimmer is designed to be invisible. The checkout still works, the order completes, and the customer receives their product, so nothing looks wrong. The stolen data is exfiltrated quietly in the background, sometimes only from a fraction of visitors to avoid attention.
Attackers exploit a vulnerability in an outdated plugin, theme, or WordPress core, or use stolen admin credentials. They then inject the JavaScript directly into files, the database, or a compromised third-party script that your checkout already loads.
Use a hosted or tokenized payment field so card data never touches your server, keep everything updated, monitor file and script integrity, apply a Content-Security-Policy that limits which scripts can run, audit third-party scripts, and scan regularly for injected code.
Tags
Related Posts
Zero-Day Plugin Exploits on WordPress: Attacks Before a Patch Exists
A zero-day plugin exploit attacks a flaw before the developer has a fix. Learn what makes them dangerous and how to reduce your exposure to the unknown.
Cryptojacking on WordPress: When Hackers Mine Cryptocurrency With Your Resources
Cryptojacking hijacks your server or your visitors' browsers to mine cryptocurrency. Learn how to spot the signs, clean the infection, and prevent it.
SEO Spam and Pharma Hacks: The Hidden Injection Draining Your WordPress Rankings
SEO spam injections hide thousands of spam pages and links inside your WordPress site to boost someone else's rankings. Learn how to find and remove them.